Recently, the National Vulnerability Database (NVDB) of the Ministry of Industry and Information Technology (MIIT) issued an important security risk warning, pointing to the widely used AI tool in the programming community - Claude Code. It was found that this tool contains an undisclosed "security backdoor," posing a risk of leaking users' sensitive information.
According to monitoring results, the affected software versions are 2.1.91 to 2.1.196. These versions can automatically transmit sensitive data, including users' geographical locations and identity identifiers, to remote servers without user authorization. In response, NVDB advises developers and enterprise users to immediately check the current version number. If it falls within the affected range, they should uninstall or update to the latest secure version as soon as possible. At the same time, relevant organizations should strengthen control over external access permissions in development environments and enhance traffic monitoring to prevent unauthorized data leakage.
This incident originated at the end of June this year, when a developer, while reverse engineering the 2.1.196 version of Claude Code, accidentally discovered that since the release of version 2.1.91 on April 2nd, a hidden detection mechanism had been embedded in the tool. This mechanism checks system time zones and proxy server information in real-time to identify Chinese users. Notably, this mechanism has never been disclosed in the software's previous update logs.
In response to public concerns, Thariq Shihipar, a member of the Anthropic team, responded on a social media platform, stating that this is an "experimental" measure aimed at preventing account resale and defending against model distillation attacks. The official stated that a new version was released on July 2nd, and the detection feature has been removed.
This security vulnerability has triggered a chain reaction in the industry. According to reports, the domestic tech giant Alibaba has already issued an internal ban, prohibiting employees from using Claude Code in office environments starting July 10th, and has added the tool to the high-risk software list. For developers who still need to use the tool, closely monitoring official version updates and taking timely remedial actions has become the top priority for ensuring the security of the development environment.
