Security Регуляторный alert 2026.07.09

MIIT NVDB: backdoor Claude Code (2.1.91–2.1.196) — steganography, timeline, remediation

8 июля 2026 — MIIT NVDB (National Vulnerability Database, cybersecurity threat sharing platform) опубликовал risk alert: Claude Code v2.1.91–2.1.196 содержит security backdoor risk, severe threat. Built-in monitoring mechanism передаёт geography, identity markers на remote servers без user consent. Немедленно: claude --version → если в диапазоне, upgrade до v2.1.197+.

Статья для devs, enterprise IT, security: полный story chain (Anthropic deploy → reverse-engineering → rollback → Alibaba ban → MIIT classification), tech breakdown steganography channel, proxy-only trigger, actionable remediation. Без hype про confirmed data breach — фокус на verifiable reverse-engineering evidence и compliance risk.

01 TL;DR: MIIT backdoor alert

  • Regulatory classification: NVDB, 2026-07-08 — security backdoor risk, severe threat.
  • Mechanism: Built-in monitoring, undisclosed exfil geography + identity signals.
  • Affected builds: v2.1.91 (2026-04-02) — v2.1.196 (2026-06-29), ~3 months, zero changelog disclosure.
  • NVDB guidance: Uninstall/upgrade, tighten dev endpoint egress + traffic monitoring.
  • Enterprise: Alibaba restricted Claude Code + Anthropic models; Qoder mandatory с 2026-07-10.
  • Vendor: Thariq Shihipar (Claude Code engineer) — March «experiment», anti-reselling/anti-distillation; rolled back в 2.1.197.
NVDB alert — core facts
Параметр Значение
Risk typeBuilt-in monitoring, undisclosed sensitive data relay
Exfil scopeGeography, identity markers
Affected versionsv2.1.91 – v2.1.196
Release window2026-04-02 — 2026-06-29
Fixv2.1.197 (alt. v2.1.198, 2026-07-01/02)

02 Timeline: deploy → reverse → rollback → ban → MIIT

Story chain: Anthropic covert deploy → community reverse-engineering → vendor apology/rollback → Alibaba ban → MIIT backdoor classification.

2026 Claude Code backdoor — key nodes
Date Event
2026-02Anthropic public statement: investment в anti-distillation (classifiers, behavioral fingerprints, intel sharing)
2026-03Covert detection logic deployed в Claude Code без public disclosure
2026-04-02v2.1.91 release — detection code enters distribution
2026-04 — 06~20 version iterations, logic intact, changelog silent
2026-06-29v2.1.196 — last affected build
2026-06-30Reddit LegitMichel777 disclosure; Thereallo tech writeup; Adnane Khan GitHub RE report — confirms v2.1.193/195/196
2026-07-01Thariq Shihipar on X: March experiment, anti-abuse/anti-distillation; promises next-day rollback
2026-07-02v2.1.197 — steganography code removed; changelog omits change
2026-07-03/04Reuters, TechCrunch: Alibaba internal notice — Claude Code + Anthropic models banned from 07-10, switch to Qoder
2026-07-08MIIT NVDB formal alert — security backdoor risk, severe
2026-07-10Alibaba internal ban effective

Deep dive по steganography mechanism: Claude Code steganography — полный разбор.

03 Trigger conditions: proxy-only scope

Не все users в scope. Covert logic активируется только при ANTHROPIC_BASE_URLnon-official endpoint (enterprise gateway, third-party proxy, API reseller/relay). Official api.anthropic.compath не triggered.

  • Misreport: «Claude Code monitors everyone» — technically false; undermines E-E-A-T у informed readers.
  • Primary downstream: account ban risk (unauthorized reselling/distillation), не confirmed mass data leak с financial harm.
  • Privilege context: Claude Code = filesystem R/W + shell exec; hidden upstream signals — unacceptable tolerance floor.
  • Disclosure gap: ~3 months, zero changelog, fingerprinting China geography + competitor infra.

Risk segmentation: official API devs vs proxy/gateway users vs compliance-bound enterprise — три разных exposure profiles.

04 Steganography pipeline: 3-step tech breakdown

Step 1: Environment recon

Upon trigger (ANTHROPIC_BASE_URL ≠ official):

  1. Timezone check: Asia/Shanghai | Asia/Urumqi
  2. Domain blacklist match: hostname ANTHROPIC_BASE_URL vs embedded list

Blacklist: 147 entries (per RE: LegitMichel777, Thereallo, Adnane Khan, Vincent Schmalbach) — Alibaba, Alipay, Ant, Baidu, ByteDance domains; China AI lab keywords (DeepSeek, Moonshot AI, Zhipu, MiniMax, Baichuan, StepFun, 01.AI); known proxy/reseller gateways. Storage: XOR(key=91) + Base64 — intentional obfuscation.

Step 2: Steganographic encode в system prompt

Не separate telemetry channel — mutation system prompt sent to model:

  • Date separator: China TZ hit → 2026-06-30 (hyphen) → 2026/06/30 (slash)
  • Unicode apostrophe swap: Today's date is — standard ' (U+0027) replaced визually identical variants для 3 boolean flags (TZ hit / domain hit / AI lab keyword hit)

Adnane Khan definition: «a covert information channel embedded in system prompts». Capacity: 1 date-format bit + 3 apostrophe variants ≈ 3 bit environmental classification в innocuous English sentence.

Unicode apostrophe + date format encoding map
Condition Date format Apostrophe
Default2026-06-30U+0027
China org/reseller domain2026-06-30U+2019
China AI lab keyword2026-06-30U+02BC
Domain + lab both2026-06-30U+02B9
+ China timezone2026/06/30(same rules)

Step 3: Boundary vs normal telemetry

Claude Code имеет conventional telemetry (event logs, Datadog, OpenTelemetry) — industry norm для CLI/IDE agents. Controversy targets: ① steganography vs disclosed channel; ② ~3 months zero changelog; ③ geo/competitor-specific fingerprinting; ④ high local privileges amplify hidden-behavior risk.

version-check.sh
claude --version
echo $ANTHROPIC_BASE_URL
npm install -g @anthropic-ai/claude-code@latest
claude update

Full uninstall paths: macOS/Linux: ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code; Windows: %USERPROFILE%\.claude + cache dirs. Enterprise: post-uninstall egress audit на dev endpoints.

05 NVDB vs Anthropic vs Alibaba: framing matrix

MIIT / NVDB

  • Classification: security backdoor risk, severe threat
  • Description: built-in monitoring, undisclosed relay geography + identity data
  • Action: audit dev terminals → uninstall/upgrade → egress filtering + traffic monitoring

Anthropic / Thariq Shihipar

"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."

Framing: experiment, not backdoor — anti-reselling + anti-distillation. Anthropic letter to U.S. Senate Banking Committee: Alibaba Qwen ~25K fraudulent accounts, 28.8M interactions для model capability extraction.

Alibaba

  • Internal notice (SCMP, Ars Technica): "As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities."
  • Effective: 2026-07-10
  • Scope: Claude Code + Anthropic models (Sonnet, Opus, Fable)
  • Replacement: internal platform Qoder
Media/community framing comparison
Source Terms Angle
MIIT / NVDBbackdoor code / security backdoor risk / severe threatCompliance + undisclosed exfil
CNBC / Reuters / CBSsecurity backdoor / built-in monitoringNeutral regulatory relay + enterprise fallout
The Registercovert code / secret steganographyTech accountability, undisclosed updates
Ars Technicaspyware-like tracking / secret trackerTrust crisis + policy
Cybernews"a nothing burger"Overreaction; standard anti-distill engineering
Anthropicexperiment / anti-abuse / anti-distillationLegitimate defensive purpose

06 Context: U.S.–China AI distillation war

Не isolated incident — snapshot 2026 U.S.–China AI competition:

  • Anthropic blocks China + «hostile region» direct access; bypass via VPN, foreign phone/card, third-party proxy persists
  • 2026-02: PKU + CAS paper — distillation traces в majority Chinese LLMs
  • Anthropic prior accusations: DeepSeek, Moonshot AI, MiniMax, Alibaba unauthorized Claude output training
  • Claude Opus 4.8 test behavior — self-identify as Qwen/DeepSeek; cited as double-standard evidence
  • Chinese enterprises pivot domestic/open-source stacks (DeepSeek, Qwen, Kimi/Moonshot, Zhipu, MiniMax); Alibaba Qoder = concrete manifestation

Objective eval: motive (anti-distillation) и method (covert steg, zero disclosure) — separate axes. Backdoor vs experiment debate имеет merit на обеих сторонах.

07 Remediation: personal + enterprise checklists

Individual dev checklist

  1. Version: claude --version — if v2.1.91–2.1.196, affected.
  2. Proxy config: echo $ANTHROPIC_BASE_URL — non-official endpoint = in fingerprinting scope.
  3. Upgrade: npm install -g @anthropic-ai/claude-code@latest or claude update → v2.1.197+.
  4. Timezone audit: Asia/Shanghai / Asia/Urumqi — relevant with proxy routing.
  5. Full uninstall: purge ~/.claude, ~/.claude.json, cache dirs; reinstall latest.
  6. Alternatives: weigh telemetry transparency в tool selection (Cursor, Qoder, domestic assistants).

Enterprise IT checklist

  1. Inventory: all workstations + CI nodes with Claude Code.
  2. Force upgrade or block: mandate v2.1.197+ or Alibaba-style ban.
  3. Egress audit: persistent connections to unauthorized AI endpoints.
  4. Egress filtering: core business network segments.
  5. Migration plan: Qoder or approved domestic AI coding assistants.
  6. Policy update: third-party AI tools → allowlist/blocklist workflow.

08 Citable technical data

  • Affected range: v2.1.91 (2026-04-02) — v2.1.196 (2026-06-29), ~20 releases.
  • Fix: v2.1.197 (alt. v2.1.198, 2026-07-01/02); changelog silent on removal.
  • Blacklist: ~147 entries, XOR(91) + Base64 obfuscation.
  • Channel capacity: 1 date bit + 3 apostrophe variants ≈ 3 bit signal.
  • Anthropic distillation allegation: ~25K fraudulent accounts, 28.8M interactions (Senate Banking Committee letter, Alibaba Qwen).
  • Alibaba ban: 2026-07-10; Claude Code + full Anthropic model line.

Sources: IT Home, Beijing News, CNBC, The Register, Thereallo, TechCrunch (Alibaba ban), Ars Technica.

Disclaimer: synthesis MIIT NVDB alerts + open reporting; not legal advice or formal security audit. Assess actions against org policy.

09 FAQ: backdoor + MIIT alert

Q: Backdoor в Claude Code?
A: v2.1.91–2.1.196 — undeclared steganographic fingerprint. MIIT NVDB: severe backdoor risk. Anthropic: anti-distillation experiment, removed в 2.1.197.

Q: Какие версии?
A: v2.1.91 (2026-04-02) — v2.1.196 (2026-06-29). Upgrade v2.1.197+.

Q: Official Anthropic API affected?
A: No. Trigger only при ANTHROPIC_BASE_URL → non-official proxy/gateway.

Q: Как проверить version?
A: claude --version or npm list -g @anthropic-ai/claude-code.

Q: Claude Code ещё usable?
A: v2.1.197+ — tech fix shipped. Compliance-bound orgs: optional uninstall + egress audit. Official API + unaffected version — continue OK.

Q: Steganography technique?
A: System prompt date separator mutation + Unicode apostrophe variants в Today's для encode TZ/proxy signals.

Q: Почему Alibaba ban?
A: Backdoor risk reports → high-risk software list → Qoder mandatory с 2026-07-10.

Q: Anthropic disclosed в release notes?
A: No. All affected version changelogs omitted mechanism.

Q: Claude Code safe now?
A: Code removed в 2.1.197+. Ongoing trust = org policy + risk tolerance.

Q: Distillation connection?
A: Training model B on model A outputs. Anthropic: mechanism targets unauthorized resellers + distillation pipelines — defensive move в U.S.–China AI war; covert implementation drew criticism regardless of intent.

10 Вывод: backdoor, experiment, nothing burger — и JEXCLOUD

Blog value = три нити: MIIT backdoor classification + verifiable RE evidence (covert channel в system prompt) + distillation war context. Regulators: backdoor. Engineers: steganography / covert channel. Anthropic: experiment. Cybernews segment: «nothing burger» — overreaction на standard anti-distill engineering.

Balanced read: mechanism real, obfuscated, undisclosed ~3 months; proxy-only trigger limits blast radius; likely downstream = account enforcement, не confirmed mass exfil; но shell-access CLI + hidden upstream signals = trust violation независимо от stated intent. Purpose и method — separate eval.

Production teams с isolated Claude Code / AI agent workloads на local laptops: home broadband drops kill long SSH/API sessions, lid-close suspends agent jobs, shared dev env weak permission boundaries. JEXCLOUD multi-region bare-metal Mac: dedicated Apple Silicon, 24/7, elastic monthly scale, 120s provision — heavy AI coding в cloud, local = interaction only; independent network/TZ для compliance isolation. Nodes + pricing: JEXCLOUD pricing.