Artificial Intelligence & Machine Learning,
Next-Generation Technologies & Secure Development
Supply-Chain Risks Cited After Hidden Code Checked for China-Related Indicators

In a significant shift, Alibaba announced a ban on its employees’ use of Anthropic’s Claude Code, effective from July 10. This decision arises from concerns over supply-chain risks, following the discovery of surveillance code embedded within the AI coding assistant’s release in April. The technology giant cited these risks as pivotal in the move to protect both their operational integrity and employee data.
Amidst growing privacy concerns, the code in question was revealed to check whether a user’s system was based in China, whether a proxy was being used, and if the connection originated from a Chinese AI lab’s domain. This revelation triggered widespread criticism and a prompt response from Claude Code, indicating that the questionable feature would be removed in the near future.
The controversy erupted when a researcher disclosed the surveillance function in a Reddit post, prompting Claude Code engineer Thariq Shihipar to respond. Shihipar clarified that the tracking feature was designed as a preventive measure against account abuse by unauthorized resellers and not as a malicious tool aimed at users. He assured users that the function would be eliminated in the subsequent software release, reinforcing the company’s commitment to user privacy.
In an internal communication reported by media outlets in China, Alibaba classified Claude Code as a high-risk software due to its security vulnerabilities. Therefore, the company has advised its employees to transition to its own AI coding assistant, Qoder, as a more secure alternative. This decision indicates the company’s effort to bolster their security posture in the face of emerging technologies and potential threats posed by external software.
The embedded code, which surfaced in the production version 2.1.91 launched in April, was intended to discern whether the system time zone aligned with China’s two official time zones, namely Asia/Shanghai and Asia/Urumqi. In addition, it monitored whether the user was accessing a Chinese URL from the domain of a Chinese AI laboratory. Upon detection of a match, the code cryptically altered the punctuation in the date section of the system prompt, raising further concerns about privacy and data security.
The ongoing situation underscores the mounting tensions in the global AI landscape, particularly between U.S. and Chinese tech firms. American companies have lodged complaints against their Chinese counterparts for alleged practices of intellectual property theft, which they claim allow Chinese firms to develop competitive AI models at substantially lower costs. This backdrop of rivalry complicates the context in which these technological developments are unfolding.
Earlier in February, Anthropic had identified three leading Chinese AI laboratories—DeepSeek, MiniMax, and Moonshot AI—accusing them of distilling Claude’s capabilities to enhance their own models. Distillation, a process where new models learn from the outputs of existing “teacher models,” raises further concerns about unauthorized access and intellectual property theft. According to Anthropic, these labs managed to generate over 16 million interactions with Claude through nearly 24,000 fraudulent accounts, which was a violation of the company’s service terms and regional access guidelines.
A recent letter from Anthropic addressed to two U.S. senators alleged that Alibaba had executed “the largest known distillation attack on Anthropic to date.” This concerning assertion came ahead of an important congressional hearing focused on AI and its implications for national security. According to the letter, Alibaba’s Qwen AI lab alone amassed millions of exchanges with Claude through tens of thousands of dubious accounts in a brief time frame.
In the context of these allegations, U.S. Senator Tim Scott emphasized the importance of maintaining a competitive advantage in AI technology, warning against complacency in the face of aggressive pursuits by China and other adversaries. He highlighted the necessity for vigilance in global markets to prevent any technological advantage from slipping away to competing nations.
The implications of the White House’s temporary suspension of Anthropic’s frontier models due to national security concerns have further raised alarm. Observers fear that Chinese laboratories could gain market dominance with their open-weight alternatives, leading to broader ramifications for the competitive landscape in AI.
Yasir Atalan, deputy director at the Center for Strategic and International Studies, acknowledged that emerging Chinese AI models are performing increasingly well on various benchmarks. The Z.ai lab’s GLM-5.2 model, for instance, exhibits performance comparable to leading U.S. models in coding and agent tasks. Such developments challenge the narrative of U.S. superiority in the AI domain, suggesting that American firms must continually innovate to retain their competitive edge.
Anthropic points to the narrowing gap in AI capabilities as a result of Chinese firms engaging in distillation, bolstered by a strong domestic talent pool and a propensity for exploiting existing loopholes in the system. They suggest that if distillation practices are curtailed and export controls on semiconductor technologies are strengthened, the U.S. could potentially maintain a technological lead for the next 12 to 24 months. This situation raises pressing questions about the future of AI development and the strategies that must be employed to safeguard national interests.
As concerns about privacy implications continue to escalate, the inserted surveillance code raises critical questions about the responsibility of AI developers. Some experts warn that if Anthropic can programmatically extract sensitive information merely based on a user’s geographical location, there is no guarantee that they won’t manipulate the model to respond adversely based on location as well. Moreover, the ease with which the code could be evaded underscores the privacy risks associated with such technologies, potentially outweighing their intended benefits.