Sunday, July 5, 2026

News

Alibaba Bans Employees From Using Claude Code After Discovering Hidden Tracking Mechanism

CodingPatryk RabaJuly 4, 2026

Alibaba has banned its employees from using Claude Code since July 10, labeling the tool a security risk after discovering hidden code that detected users based in China. Anthropic says the mechanism was an experiment against account abuse, but the dispute is unfolding amid accusations that Alibaba's Qwen lab mass-copied Claude models.

Contents
  1. What researchers found
  2. Anthropic's explanation
  3. The model distillation war
  4. Export restrictions context

Alibaba is imposing a complete ban on Claude Code, Anthropic's agentic coding tool, across all its offices starting July 10. In an internal memo, the company said that after a thorough review, Claude Code had been placed on a list of high-risk software with security vulnerabilities, because the tool allegedly contained a mechanism with backdoor-like characteristics. Employees are being told to uninstall all Claude products and switch to Qoder, Alibaba's own coding platform.

What researchers found

The case began with reverse engineering carried out in late June by a Reddit user going by LegitMichel777, who found code present in Claude Code since version 2.1.91 from April. The program checked whether a user's time zone was Asia/Shanghai or Asia/Urumqi, and compared proxy addresses against a hardcoded list of Chinese domains.

Rather than logging this information in the open, the tool relied on steganography: it hid signals inside system prompts sent to Anthropic's servers, swapping hyphens for slashes in dates and replacing ordinary apostrophes with visually identical Unicode characters. The domain list was further encrypted with an XOR cipher using key 91 and encoded in base64, making the mechanism harder to catch during a standard code audit.

Anthropic's explanation

Thariq Shihipar, an engineer on Anthropic's Claude Code team, wrote on X that the mechanism was an experiment launched in March meant to prevent account abuse by unauthorized resellers and to guard against model distillation. He acknowledged the team had already been planning to remove the code for some time, and that the relevant pull request was merged on July 1, meaning the mechanism is set to disappear in the next update.

Critics, including security analysts quoted by media outlets, note that hiding user-identifying logic behind steganography and encryption is a hallmark of malware, not of standard anti-abuse safeguards, whatever the stated purpose.

The model distillation war

Alibaba's ban lands against the backdrop of a far broader dispute. In June, Anthropic accused entities linked to Alibaba's Qwen lab of running the largest known campaign of illegally extracting capabilities from Claude models. According to Anthropic, the operators used roughly 25,000 fake accounts that generated 28.8 million queries between April and June, building training data to distill their own competing models.

Anthropic laid out these findings in a letter to the Senate Banking Committee on June 10, pulling US senators and White House officials into the dispute. Alibaba denies the distillation accusations, and in response to the internal ban has focused on a counterattack, pointing to the tracking mechanism as evidence that it is Anthropic engaging in unsafe practices toward its users.

Export restrictions context

The case coincides with turmoil over the availability of Anthropic's models outside the US. In mid-June, the US Department of Commerce ordered Anthropic to disable the Fable 5 and Mythos 5 models for users abroad after Amazon researchers found a flaw enabling a jailbreak. The export restrictions were lifted on June 30, and Anthropic restored full worldwide access to Fable 5 on July 2, covering Claude.ai, the Claude Platform API, Claude Code and Claude Cowork.

For companies using AI coding tools, including in Poland, the episode shows that even leading vendors can build covert data-collection mechanisms into their products without clearly disclosing them to customers. Technical teams responsible for software supply chain security should treat this kind of hidden telemetry as a real risk when evaluating AI tools cleared to work with company code, regardless of the vendor's stated good intentions.

Alibaba's ban currently applies only to its own employees, but given the scale of the dispute and the involvement of politicians from both countries, tensions are unlikely to ease quickly. Anthropic has said it will remove the disputed code in the next Claude Code update, which may partly ease enterprise customers' concerns, but the underlying dispute over model distillation between Anthropic and Alibaba remains open and will likely keep escalating in the coming weeks.

Sources: Alibaba bans staff from using Claude Code over Anthropic spyware concerns (scmp.com), Alibaba bans Claude Code over hidden Chinese user tracking (thenextweb.com), Alibaba bans Claude Code over security concerns (cybernews.com), Flourish 500M Bezos brain AI research and Alibaba bans Claude Code security risks (cryptobriefing.com), Anthropic is removing its covert code for catching Chinese competitors (theregister.com)

Share: