← All PostsClaude Code Had Hidden Tracking Code. Alibaba Banned It
AI toolsDeveloper toolsCybersecurity

Claude Code Had Hidden Tracking Code. Alibaba Banned It

July 4, 2026

Claude Code had hidden code checking if you were connected to a Chinese AI lab. It hashed your timezone, checked your proxy settings, and matched your hostname against a list of 147 domains — then buried the result inside a normal-looking sentence in the system prompt. Alibaba found out and banned the tool company-wide.

Anthropic is rolling the code back. Here's what actually happened.

What the Code Did

A Reddit user going by LegitMichel777 reverse-engineered Claude Code and found that, since version 2.1.91 (released April 2), the tool checked your API base URL. If it detected a custom proxy, it went further: checking your system timezone and matching your hostname against a hidden list of 147 domains tied to Chinese AI labs and resellers — Baidu, Alibaba, Ant Group, and ByteDance among them.

The result got encoded into a plain-looking string in the system prompt — something like "Today's date is..." — using invisible Unicode markers and the domain list hidden behind XOR and base64 encoding. A developer named Thereallo who documented the mechanism put it simply: "This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust."

Anthropic's Explanation

Thariq Shihipar, an Anthropic engineer on the Claude Code team, said on X it was "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation" — the practice of using a model's outputs to train a competing model.

He said the team had "landed stronger mitigations since then" and had been meaning to remove the code for a while. The rollback PR merged July 1.

The context: Anthropic told the US Senate Banking Committee that Alibaba-affiliated entities ran roughly 25,000 fraudulent accounts between April 22 and June 5, generating 28.8 million interactions with Claude in what it called the largest known distillation attack against its models.

Alibaba's Response

Alibaba isn't buying the explanation. The company added Claude Code to its internal high-risk software list — the category normally reserved for tools with known security vulnerabilities — and ordered staff to stop using it by July 10, switching instead to Qoder, its in-house coding platform. Employees were also told to delete Anthropic's model apps entirely.

Alibaba's security team called it a "back-door risk," language usually reserved for compromised software, not a competitor's product.

Why Every Developer Should Care

Claude Code needs deep filesystem access to read, modify, and execute your code. That means any hidden functionality in the tool has access to everything on your machine — which is exactly why the method mattered more than the intent here.

Checking a hostname against a known-competitor list isn't inherently outrageous. Doing it silently, encoded to survive casual inspection, in a tool that runs with your credentials, is a different thing entirely. One Reddit comment on the thread put the risk plainly: "Today it's a timezone check. Tomorrow, it could be system sabotage or data exfiltration."

This lands right after Anthropic restored Fable 5 and Mythos 5 access following the export control reversal — a reminder that trust in AI dev tools is being tested on multiple fronts at once, from government restrictions to what the tools themselves quietly do in the background.

If you run Claude Code, update to the latest release to get the rollback. If you're auditing what dev tools phone home and why, this is a good week to check.

Sources: The Register, TNW

Frequently Asked Questions

What did the hidden Claude Code tracking code do?

Since version 2.1.91, Claude Code checked users' proxy settings, system timezone, and hostname against a hidden list of 147 domains tied to Chinese AI labs and resellers, encoding the result inside an ordinary-looking system prompt string using invisible Unicode markers.

Why did Anthropic add the tracking code to Claude Code?

Anthropic says it was an anti-fraud experiment launched in March 2026 to prevent account abuse by unauthorized resellers and protect against distillation — the practice of training a competing model on Claude's outputs.

Why did Alibaba ban Claude Code?

Alibaba added Claude Code to its internal high-risk software list, calling it a security 'back-door risk,' and ordered employees to stop using it by July 10, 2026, switching to its own Qoder coding platform instead.

Has Anthropic removed the tracking code from Claude Code?

Yes. The pull request removing the tracking code merged on July 1, 2026, and Anthropic says it should be fully rolled back in the latest Claude Code release.