Regulatory  ·  2026-07-10

China MIIT/NVDB Issues Binding 'Backdoor' Security Directive on Anthropic's Claude Code

RegulatoryHigh impactChina
On July 8, 2026, China's Ministry of Industry and Information Technology (MIIT), via its National Vulnerability Database (NVDB) cybersecurity threat platform, issued an official risk advisory classifying Anthropic's Claude Code (versions 2.1.91–2.1.196, released April 2–June 29, 2026) as containing a 'security backdoor vulnerability posing a serious threat.' The advisory alleges the tool used steganographic techniques (altering punctuation/date formats in prompts) to covertly transmit user location and identity data to Anthropic's servers without consent when a China-region timezone or proxy was detected. MIIT issued a binding directive requiring all entities and users with affected versions installed to immediately conduct a comprehensive investigation, uninstall or upgrade the software, and strengthen network-level controls over external connections in core business network segments. The advisory landed two days before Alibaba's internal ban on Anthropic tools (effective July 10) and follows Anthropic's prior public accusation that Alibaba attempted to extract/distill its AI capabilities. Anthropic acknowledged the code was an anti-abuse/anti-distillation experiment begun in March 2026 and said it would remove it in upcoming releases.
This is a binding national cybersecurity directive from a Chinese industry regulator mandating uninstallation/remediation of a specific US frontier AI lab's flagship coding-agent product across Chinese enterprises and development environments — a national-security-flavored action that materially restricts how a named AI lab's tool may be run within a major jurisdiction. It escalates the US-China AI decoupling dynamic (following the earlier Commerce Dept./BIS export restriction on Anthropic's Fable/Mythos models) and sets a precedent for state cybersecurity platforms being used to gate foreign AI tool adoption. Enterprises with China operations must treat this as a mandatory compliance action, not mere guidance.
Organizations operating in China (or with China-based development teams) using Claude Code versions 2.1.91–2.1.196 must immediately audit installations, uninstall or upgrade to a patched version, and restrict/monitor outbound network connections from developer tooling per MIIT's directive.
ReutersCNBCCBS News/AFP
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →