MIIT NVDB: backdoor Claude Code (2.1.91–2.1.196) — steganography, timeline, remediation
8 июля 2026 — MIIT NVDB (National Vulnerability Database, cybersecurity threat sharing platform) опубликовал risk alert: Claude Code v2.1.91–2.1.196 содержит security backdoor risk, severe threat. Built-in monitoring mechanism передаёт geography, identity markers на remote servers без user consent. Немедленно: claude --version → если в диапазоне, upgrade до v2.1.197+.
Статья для devs, enterprise IT, security: полный story chain (Anthropic deploy → reverse-engineering → rollback → Alibaba ban → MIIT classification), tech breakdown steganography channel, proxy-only trigger, actionable remediation. Без hype про confirmed data breach — фокус на verifiable reverse-engineering evidence и compliance risk.
01 TL;DR: MIIT backdoor alert
- Regulatory classification: NVDB, 2026-07-08 — security backdoor risk, severe threat.
- Mechanism: Built-in monitoring, undisclosed exfil geography + identity signals.
- Affected builds: v2.1.91 (2026-04-02) — v2.1.196 (2026-06-29), ~3 months, zero changelog disclosure.
- NVDB guidance: Uninstall/upgrade, tighten dev endpoint egress + traffic monitoring.
- Enterprise: Alibaba restricted Claude Code + Anthropic models; Qoder mandatory с 2026-07-10.
- Vendor: Thariq Shihipar (Claude Code engineer) — March «experiment», anti-reselling/anti-distillation; rolled back в 2.1.197.
| Параметр | Значение |
|---|---|
| Risk type | Built-in monitoring, undisclosed sensitive data relay |
| Exfil scope | Geography, identity markers |
| Affected versions | v2.1.91 – v2.1.196 |
| Release window | 2026-04-02 — 2026-06-29 |
| Fix | v2.1.197 (alt. v2.1.198, 2026-07-01/02) |
02 Timeline: deploy → reverse → rollback → ban → MIIT
Story chain: Anthropic covert deploy → community reverse-engineering → vendor apology/rollback → Alibaba ban → MIIT backdoor classification.
| Date | Event |
|---|---|
| 2026-02 | Anthropic public statement: investment в anti-distillation (classifiers, behavioral fingerprints, intel sharing) |
| 2026-03 | Covert detection logic deployed в Claude Code без public disclosure |
| 2026-04-02 | v2.1.91 release — detection code enters distribution |
| 2026-04 — 06 | ~20 version iterations, logic intact, changelog silent |
| 2026-06-29 | v2.1.196 — last affected build |
| 2026-06-30 | Reddit LegitMichel777 disclosure; Thereallo tech writeup; Adnane Khan GitHub RE report — confirms v2.1.193/195/196 |
| 2026-07-01 | Thariq Shihipar on X: March experiment, anti-abuse/anti-distillation; promises next-day rollback |
| 2026-07-02 | v2.1.197 — steganography code removed; changelog omits change |
| 2026-07-03/04 | Reuters, TechCrunch: Alibaba internal notice — Claude Code + Anthropic models banned from 07-10, switch to Qoder |
| 2026-07-08 | MIIT NVDB formal alert — security backdoor risk, severe |
| 2026-07-10 | Alibaba internal ban effective |
Deep dive по steganography mechanism: Claude Code steganography — полный разбор.
03 Trigger conditions: proxy-only scope
Не все users в scope. Covert logic активируется только при ANTHROPIC_BASE_URL → non-official endpoint (enterprise gateway, third-party proxy, API reseller/relay). Official api.anthropic.com — path не triggered.
- Misreport: «Claude Code monitors everyone» — technically false; undermines E-E-A-T у informed readers.
- Primary downstream: account ban risk (unauthorized reselling/distillation), не confirmed mass data leak с financial harm.
- Privilege context: Claude Code = filesystem R/W + shell exec; hidden upstream signals — unacceptable tolerance floor.
- Disclosure gap: ~3 months, zero changelog, fingerprinting China geography + competitor infra.
Risk segmentation: official API devs vs proxy/gateway users vs compliance-bound enterprise — три разных exposure profiles.
04 Steganography pipeline: 3-step tech breakdown
Step 1: Environment recon
Upon trigger (ANTHROPIC_BASE_URL ≠ official):
- Timezone check:
Asia/Shanghai|Asia/Urumqi - Domain blacklist match: hostname
ANTHROPIC_BASE_URLvs embedded list
Blacklist: 147 entries (per RE: LegitMichel777, Thereallo, Adnane Khan, Vincent Schmalbach) — Alibaba, Alipay, Ant, Baidu, ByteDance domains; China AI lab keywords (DeepSeek, Moonshot AI, Zhipu, MiniMax, Baichuan, StepFun, 01.AI); known proxy/reseller gateways. Storage: XOR(key=91) + Base64 — intentional obfuscation.
Step 2: Steganographic encode в system prompt
Не separate telemetry channel — mutation system prompt sent to model:
- Date separator: China TZ hit →
2026-06-30(hyphen) →2026/06/30(slash) - Unicode apostrophe swap:
Today's date is— standard'(U+0027) replaced визually identical variants для 3 boolean flags (TZ hit / domain hit / AI lab keyword hit)
Adnane Khan definition: «a covert information channel embedded in system prompts». Capacity: 1 date-format bit + 3 apostrophe variants ≈ 3 bit environmental classification в innocuous English sentence.
| Condition | Date format | Apostrophe |
|---|---|---|
| Default | 2026-06-30 | U+0027 |
| China org/reseller domain | 2026-06-30 | U+2019 |
| China AI lab keyword | 2026-06-30 | U+02BC |
| Domain + lab both | 2026-06-30 | U+02B9 |
| + China timezone | 2026/06/30 | (same rules) |
Step 3: Boundary vs normal telemetry
Claude Code имеет conventional telemetry (event logs, Datadog, OpenTelemetry) — industry norm для CLI/IDE agents. Controversy targets: ① steganography vs disclosed channel; ② ~3 months zero changelog; ③ geo/competitor-specific fingerprinting; ④ high local privileges amplify hidden-behavior risk.
claude --version
echo $ANTHROPIC_BASE_URL
npm install -g @anthropic-ai/claude-code@latest
claude update
Full uninstall paths: macOS/Linux: ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code; Windows: %USERPROFILE%\.claude + cache dirs. Enterprise: post-uninstall egress audit на dev endpoints.
05 NVDB vs Anthropic vs Alibaba: framing matrix
MIIT / NVDB
- Classification: security backdoor risk, severe threat
- Description: built-in monitoring, undisclosed relay geography + identity data
- Action: audit dev terminals → uninstall/upgrade → egress filtering + traffic monitoring
Anthropic / Thariq Shihipar
"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."
Framing: experiment, not backdoor — anti-reselling + anti-distillation. Anthropic letter to U.S. Senate Banking Committee: Alibaba Qwen ~25K fraudulent accounts, 28.8M interactions для model capability extraction.
Alibaba
- Internal notice (SCMP, Ars Technica): "As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities."
- Effective: 2026-07-10
- Scope: Claude Code + Anthropic models (Sonnet, Opus, Fable)
- Replacement: internal platform Qoder
| Source | Terms | Angle |
|---|---|---|
| MIIT / NVDB | backdoor code / security backdoor risk / severe threat | Compliance + undisclosed exfil |
| CNBC / Reuters / CBS | security backdoor / built-in monitoring | Neutral regulatory relay + enterprise fallout |
| The Register | covert code / secret steganography | Tech accountability, undisclosed updates |
| Ars Technica | spyware-like tracking / secret tracker | Trust crisis + policy |
| Cybernews | "a nothing burger" | Overreaction; standard anti-distill engineering |
| Anthropic | experiment / anti-abuse / anti-distillation | Legitimate defensive purpose |
06 Context: U.S.–China AI distillation war
Не isolated incident — snapshot 2026 U.S.–China AI competition:
- Anthropic blocks China + «hostile region» direct access; bypass via VPN, foreign phone/card, third-party proxy persists
- 2026-02: PKU + CAS paper — distillation traces в majority Chinese LLMs
- Anthropic prior accusations: DeepSeek, Moonshot AI, MiniMax, Alibaba unauthorized Claude output training
- Claude Opus 4.8 test behavior — self-identify as Qwen/DeepSeek; cited as double-standard evidence
- Chinese enterprises pivot domestic/open-source stacks (DeepSeek, Qwen, Kimi/Moonshot, Zhipu, MiniMax); Alibaba Qoder = concrete manifestation
Objective eval: motive (anti-distillation) и method (covert steg, zero disclosure) — separate axes. Backdoor vs experiment debate имеет merit на обеих сторонах.
07 Remediation: personal + enterprise checklists
Individual dev checklist
- Version:
claude --version— if v2.1.91–2.1.196, affected. - Proxy config:
echo $ANTHROPIC_BASE_URL— non-official endpoint = in fingerprinting scope. - Upgrade:
npm install -g @anthropic-ai/claude-code@latestorclaude update→ v2.1.197+. - Timezone audit:
Asia/Shanghai/Asia/Urumqi— relevant with proxy routing. - Full uninstall: purge
~/.claude,~/.claude.json, cache dirs; reinstall latest. - Alternatives: weigh telemetry transparency в tool selection (Cursor, Qoder, domestic assistants).
Enterprise IT checklist
- Inventory: all workstations + CI nodes with Claude Code.
- Force upgrade or block: mandate v2.1.197+ or Alibaba-style ban.
- Egress audit: persistent connections to unauthorized AI endpoints.
- Egress filtering: core business network segments.
- Migration plan: Qoder or approved domestic AI coding assistants.
- Policy update: third-party AI tools → allowlist/blocklist workflow.
08 Citable technical data
- Affected range: v2.1.91 (2026-04-02) — v2.1.196 (2026-06-29), ~20 releases.
- Fix: v2.1.197 (alt. v2.1.198, 2026-07-01/02); changelog silent on removal.
- Blacklist: ~147 entries, XOR(91) + Base64 obfuscation.
- Channel capacity: 1 date bit + 3 apostrophe variants ≈ 3 bit signal.
- Anthropic distillation allegation: ~25K fraudulent accounts, 28.8M interactions (Senate Banking Committee letter, Alibaba Qwen).
- Alibaba ban: 2026-07-10; Claude Code + full Anthropic model line.
Sources: IT Home, Beijing News, CNBC, The Register, Thereallo, TechCrunch (Alibaba ban), Ars Technica.
Disclaimer: synthesis MIIT NVDB alerts + open reporting; not legal advice or formal security audit. Assess actions against org policy.
09 FAQ: backdoor + MIIT alert
Q: Backdoor в Claude Code?
A: v2.1.91–2.1.196 — undeclared steganographic fingerprint. MIIT NVDB: severe backdoor risk. Anthropic: anti-distillation experiment, removed в 2.1.197.
Q: Какие версии?
A: v2.1.91 (2026-04-02) — v2.1.196 (2026-06-29). Upgrade v2.1.197+.
Q: Official Anthropic API affected?
A: No. Trigger only при ANTHROPIC_BASE_URL → non-official proxy/gateway.
Q: Как проверить version?
A: claude --version or npm list -g @anthropic-ai/claude-code.
Q: Claude Code ещё usable?
A: v2.1.197+ — tech fix shipped. Compliance-bound orgs: optional uninstall + egress audit. Official API + unaffected version — continue OK.
Q: Steganography technique?
A: System prompt date separator mutation + Unicode apostrophe variants в Today's для encode TZ/proxy signals.
Q: Почему Alibaba ban?
A: Backdoor risk reports → high-risk software list → Qoder mandatory с 2026-07-10.
Q: Anthropic disclosed в release notes?
A: No. All affected version changelogs omitted mechanism.
Q: Claude Code safe now?
A: Code removed в 2.1.197+. Ongoing trust = org policy + risk tolerance.
Q: Distillation connection?
A: Training model B on model A outputs. Anthropic: mechanism targets unauthorized resellers + distillation pipelines — defensive move в U.S.–China AI war; covert implementation drew criticism regardless of intent.
10 Вывод: backdoor, experiment, nothing burger — и JEXCLOUD
Blog value = три нити: MIIT backdoor classification + verifiable RE evidence (covert channel в system prompt) + distillation war context. Regulators: backdoor. Engineers: steganography / covert channel. Anthropic: experiment. Cybernews segment: «nothing burger» — overreaction на standard anti-distill engineering.
Balanced read: mechanism real, obfuscated, undisclosed ~3 months; proxy-only trigger limits blast radius; likely downstream = account enforcement, не confirmed mass exfil; но shell-access CLI + hidden upstream signals = trust violation независимо от stated intent. Purpose и method — separate eval.
Production teams с isolated Claude Code / AI agent workloads на local laptops: home broadband drops kill long SSH/API sessions, lid-close suspends agent jobs, shared dev env weak permission boundaries. JEXCLOUD multi-region bare-metal Mac: dedicated Apple Silicon, 24/7, elastic monthly scale, 120s provision — heavy AI coding в cloud, local = interaction only; independent network/TZ для compliance isolation. Nodes + pricing: JEXCLOUD pricing.