Anthropic has removed a hidden tracking system from its AI coding assistant, Claude Code, following a security researcher’s discovery that the tool embedded undisclosed markers to identify certain users. The situation escalated when China’s National Vulnerability Database (NVDB) formally warned developers to uninstall or upgrade affected versions, labeling the mechanism a backdoor.
The tracking feature, introduced in March, used Unicode signals and encoded domain lists inside Claude Code’s system prompts to flag users believed to be bypassing restrictions or attempting to extract model capabilities. Developer “Thereallo” revealed in June that the markers could catch API resellers, unauthorized gateways, and potential distillation attack pipelines by checking custom base URLs and hostnames containing references to Chinese AI labs like DeepSeek or Zhipu.
Anthropic engineer Thariq Shihipar confirmed the tracker was an experiment to prevent account abuse and protect against distillation, but said stronger mitigations had landed since then, and the team had already been planning to remove it. The rollback was completed shortly after the public disclosure.
China’s NVDB advisory affected versions 2.1.91 through 2.1.196, citing unauthorized data transmission of user region and identity identifiers to remote servers. The alert came just days after Alibaba barred staff from using Claude Code over security concerns. These developments unfold as Anthropic intensifies its push against foreign AI model distillation, accusing Chinese labs of using fraudulent accounts to extract millions of responses for training rival systems.