Alibaba bans Claude Code as high-risk software
TECH

Alibaba bans Claude Code as high-risk software

30+
Signals

Strategic Overview

  • 01.
    Alibaba issued an internal notice classifying Claude Code as high-risk software and banning all employees from using it in the office starting July 10, 2026.
  • 02.
    The notice ordered staff to delete all of Anthropic's AI model series - including Sonnet, Opus and Fable - and to switch to Alibaba's own coding agent, Qoder.
  • 03.
    Security researchers found that Claude Code had silently carried obfuscated code since version 2.1.91 that fingerprinted China-linked users and encoded the result into the system prompt using invisible Unicode characters.
  • 04.
    Anthropic removed the tracking code in Claude Code version 2.1.197 published on July 1, 2026, without noting the change in the release notes, and separately blocks Claude access from unsupported regions including China.

Deep Analysis

The Backdoor Was Written in Plain English - and Hidden in Plain Sight

The mechanism at the center of this fight is unusually elegant, and that is exactly what alarmed the researchers who found it. Starting with Claude Code version 2.1.91, released April 2, 2026, the tool silently checked the machine it was running on - reading the system timezone for values like Asia/Shanghai or Asia/Urumqi, and scanning the user's proxy and base-URL configuration against a hardcoded list of Chinese entities that was hidden behind XOR and base64 encoding [1]. That much is standard obfuscation. The clever, and to critics disturbing, part is what happened next.

Rather than phone home over a network call that a firewall could catch, the code encoded its classification of the user directly into Claude Code's system prompt using invisible Unicode characters - markers that render as ordinary, unremarkable English to a human reading the text. The security researcher who documented it, Thereallo, described it bluntly: the tool silently alters the system prompt using invisible-ish Unicode markers and encodes proxy and gateway classification into a sentence that looks like plain English [1]. In effect, the user's own AI session became the covert channel. Anthropic quietly removed the code in version 2.1.197 on July 1, 2026, again with no mention in the changelog [1]. It is the silence in the release notes, on both the way in and the way out, that turned a security experiment into a trust story.

Tit-for-Tat: A Distillation Accusation Meets a Backdoor Counter-Charge

Read in isolation, the fingerprinting looks like paranoia. Read against the backdrop of what Anthropic says Alibaba did, it looks like a countermeasure. On June 10, 2026, Anthropic sent a letter to the U.S. Senate Banking Committee accusing Alibaba of running one of the largest known model-distillation attacks - allegedly using roughly 25,000 fraudulent accounts to pull more than 28.8 million Claude interactions during a window running from April 22 to June 5, 2026 [2]. Distillation, in plain terms, is training your own cheaper model on another model's outputs, effectively copying its behavior without copying its weights. Anthropic's engineer Thariq Shihipar framed the covert code as the defensive half of that same posture: an anti-abuse and anti-distillation experiment launched in March, meant to catch unauthorized resellers, that the team had been meaning to take down for a while [1].

Alibaba's ban is the mirror image of that letter. Where Anthropic alleges an industrial-scale theft of its model, Alibaba answers by classifying Claude Code as a back-door risk and expelling it from the building [3]. Each side now casts the other as the aggressor, and the two charges - distillation and surveillance - are not actually in tension. Both can be true at once, which is precisely why the standoff is hard to defuse.

Why Was Alibaba Using Claude Code at All?

The most revealing question in the developer community was not whether the ban was justified but why Alibaba engineers were running an American coding tool when their own employer builds Qwen and Qoder. On Reddit, the dominant answer cut to a distinction that most headlines missed: Claude Code is the harness, not the model. It is the agent that plans, edits files, and runs commands with deep access to the machine, and it had become a de-facto standard for developers - so Alibaba engineers adopted it bottom-up for productivity even though the company already shipped its own stack, until security and compliance mandated the in-house alternative.

That framing reshapes the whole story. Practitioners pointed out that Qwen can run as the model inside the Claude Code harness, and that open-source harness alternatives already exist, which makes the ban a swap of the wrapper rather than the brain. The community read skewed cynical, treating a security headline as a competitive-moat story dressed up in compliance language - Alibaba consolidating onto its own Qwen and Qoder stack, Anthropic defending its IP. A recurring counter-argument noted that paying for API access does not, by itself, grant rights against a provider's terms of service, which is why paid usage and an alleged attack are not mutually exclusive.

The Real Casualty Is Trust in Tools That Hold the Keys

Strip away the geopolitics and a narrower, more durable worry remains: an agentic coding tool runs with sweeping access to a developer's environment, and this one used that access to profile the user and hide the result inside the user's own session. LegitMichel777, one of the reverse-engineers, drew the line that reasonable people are now asking about out loud - today it is a timezone check, tomorrow it could be system sabotage or data exfiltration [2]. The concern is not that this specific code did those things; it is that the same silent, invisible-Unicode delivery channel could.

That is why the fallout runs past one company's HR memo. The dispute pushes further US-China AI decoupling into the developer toolchain itself: Anthropic blocks Chinese access, Alibaba bans Anthropic, and the tooling bifurcates across the two markets [4]. Chinese-language commentary treated the ban as an inevitable, already-underway trend rather than a shock, while Western reaction fixated on the spyware framing and the mutual-espionage narrative. For everyone else - the enterprises weighing whether to hand root-level access to any agent - the takeaway is uncomfortable and portable: verify what your dev tools do on your machine, because the changelog will not always tell you.

Historical Context

2026-04-02
Claude Code version 2.1.91 shipped the covert fingerprinting code with no mention in the release notes.
2026-06-10
Anthropic sent a letter to the U.S. Senate Banking Committee accusing Alibaba of orchestrating a large-scale model-extraction (distillation) attack.
2026-06-30
Reverse-engineers publicly documented the hidden China-fingerprinting steganography in Claude Code across Reddit, GitHub, and blogs.
2026-07-01
Anthropic published Claude Code 2.1.197 removing the covert tracking code, without noting the removal in the changelog.
2026-07-10
Effective date of Alibaba's internal ban on Claude Code and mandated deletion of Anthropic models.

Power Map

Key Players
Subject

Alibaba bans Claude Code as high-risk software

AL

Alibaba

Chinese tech giant that issued the ban, classified Claude Code as high-risk, ordered deletion of Anthropic models, and is pushing its own Qoder tool as the internal replacement. It is also the party Anthropic accuses of a model-distillation attack.

AN

Anthropic

Maker of Claude Code that embedded the covert fingerprinting experiment, blocks Chinese access, and accused Alibaba of an industrial-scale model-distillation attack in a Senate letter.

TH

Thariq Shihipar

Anthropic engineer who publicly acknowledged the fingerprinting code on X, framing it as a March anti-distillation experiment that was already being removed.

QO

Qoder (Alibaba)

Alibaba's in-house coding agent mandated as the replacement for Claude Code, making it the direct beneficiary of the ban.

TH

Thereallo

Security researcher who reverse-engineered and documented the steganographic tracking code, exposing the covert mechanism to the public.

U.

U.S. Senate Banking Committee

Recipient of Anthropic's June 10 letter alleging the Alibaba-linked distillation attack, giving the dispute a policy and regulatory dimension.

Fact Check

4 cited
  1. [1] Anthropic is removing its covert code for catching Chinese competitors
  2. [2] Alibaba bans Claude Code after Anthropic caught tracking Chinese users
  3. [3] Alibaba bans staff from using Claude Code over Anthropic spyware concerns
  4. [4] Alibaba Bans Claude Code as Anthropic Blocks Chinese Access

Source Articles

Top 5

THE SIGNAL.

Analysts

"Framed the covert code as a legitimate anti-abuse and anti-distillation experiment launched in March that was already slated for removal."

Thariq Shihipar
Engineer, Anthropic

"Criticized the mechanism as covert steganographic surveillance, noting that Claude Code silently alters the system prompt using invisible-ish Unicode markers and encodes proxy and gateway classification into a sentence that looks like plain English."

Thereallo
Security researcher, thereallo.dev

"Warned the tracking capability sets a dangerous precedent, arguing that today it is a timezone check, but tomorrow it could be system sabotage or data exfiltration."

LegitMichel777
Independent reverse-engineer
The Crowd

"已经听闻多个大厂全面禁用Claude Code和Codex,不用等有关部门出手,已经是大势所趋 (Already heard that multiple major tech firms have fully banned Claude Code and Codex — no need to wait for authorities to step in, it's already the prevailing trend)"

@@baoshu88554

"🚨 BREAKING: ALIBABA BANS ANTHROPIC'S CLAUDE CODE Alibaba has reportedly banned employees from using Anthropic's Claude Code on company devices, citing security concerns and potential spyware risks. Staff have been instructed to remove the software and switch to Alibaba's"

@@thedailyblock285

"Alibaba reportedly bans employees from using Claude Code"

@@TechCrunch65

"Alibaba bans employees from using Anthropic's Claude Code in workplace environments from July 10, citing alleged embedded "backdoor" risks raised after recent binary reverse-engineering."

@u/Current-Guide5944379
Broadcast
US: Anthropic Accuses Alibaba Of Massive AI 'Theft' Campaign | Firstpost Live | N18G

US: Anthropic Accuses Alibaba Of Massive AI 'Theft' Campaign | Firstpost Live | N18G

Anthropic claims Alibaba unlawfully copied Claude's capabilities

Anthropic claims Alibaba unlawfully copied Claude's capabilities

Anthropic's Bombshell Letter To U.S. Officials Claims Alibaba 'Illicitly' Accessed Claude AI Model

Anthropic's Bombshell Letter To U.S. Officials Claims Alibaba 'Illicitly' Accessed Claude AI Model