Alibaba will prohibit employees from using Anthropic’s Claude Code in company work environments starting July 10, over what a person familiar with the decision described to Reuters as security risks tied to alleged embedded backdoors.
The Chinese tech giant has placed the AI coding assistant on a high-risk software list and is directing staff to its own tools, the Qoder and Tongyi Lingma platforms. Neither Alibaba nor Anthropic commented to Reuters. The ban was first reported by Chinese outlets, with the financial publication Yicai describing the concern as embedded “backdoor” risks. The move deepens a spat between the two companies and reflects the broader US-China contest over AI.
The dispute traces to a technical finding developers surfaced days earlier. According to a Reddit post and subsequent reporting, Claude Code from version 2.1.91, released on April 2, checked whether a user’s computer was set to the Asia/Shanghai or Asia/Urumqi time zone, or whether a proxy address matched a decoded list of roughly 147 Chinese technology sites, cloud regions and AI labs, including Alibaba, Baidu, ByteDance and Moonshot.
Rather than sending explicit telemetry, the mechanism reportedly altered subtle, machine-readable parameters in the system prompt sent to Anthropic’s servers, such as a date format or a punctuation mark. That quiet, obfuscated behavior is what prompted the backdoor characterization, though it is important to note that no independent security firm has published a full audit, and whether this amounts to a genuine backdoor or a crude anti-fraud filter remains disputed.
Anthropic has offered a different account. Thariq Shihipar, a member of the Claude Code team, said on X that the feature was an experiment launched in March, intended to combat the unauthorized reselling of accounts and to protect against distillation, the copying of a model’s capabilities.
Hi, this is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.
The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while. We merged the…
— Thariq (@trq212) June 30, 2026
He said it was not designed to spy on users and would be removed in the next release, and multiple outlets reported the rollback was already underway as of July 1, after the code had been active for about three months.
The context matters here: Anthropic bars access from China for legal and security reasons, so the mechanism appears aimed at detecting attempts to evade those restrictions rather than at surveilling ordinary work.
Why the Tension Is Rising
The ban is best understood as retaliation in an escalating feud. In a June 10 letter to US senators, Anthropic accused operators tied to Alibaba’s Qwen AI unit of running roughly 25,000 fraudulent accounts to conduct 28.8 million interactions with Claude, calling it the largest distillation attack it had seen.
Chinese media reported that letter was a trigger for Alibaba’s internal ban, making this a clear tit-for-tat: Anthropic accuses Alibaba of stealing model capabilities, and Alibaba accuses Anthropic of covertly tracking Chinese users. The episode also lands amid other losses of access, as JPMorgan and Goldman Sachs recently restricted Claude in Hong Kong over Anthropic’s licensing terms. Each side’s action reinforces the other’s distrust.
The Bigger Picture
The standoff illustrates how thoroughly AI has become entangled in geopolitics. Despite Anthropic’s China restrictions, Claude Code has been popular among Chinese developers, sustained by a gray market of resold accounts routed through supported countries, which is exactly the abuse the disputed mechanism sought to detect.
One researcher told WIRED that Chinese developers still prefer Claude Code and OpenAI’s Codex because domestic models trail American ones by six to nine months on coding, though that gap is narrowing as firms like Zhipu and Alibaba push their own tools.
For enterprises, the practical lesson is stark: when a coding assistant can inspect a user’s environment and geopolitics can sever access overnight, trust and control over the software supply chain become security concerns in their own right. The commercial loser, at least inside Alibaba, is Anthropic, which cedes a foothold to homegrown alternatives.