Alibaba bans employees from Claude Code after hidden China-detection code surfaces in version 2.1.91
Alibaba gave its employees a hard deadline: uninstall Claude Code and all Anthropic models by July 10. The ban followed a Reddit-sourced reverse-engineering disclosure that showed Claude Code version 2.1.91 had been quietly checking whether users were located in China, then embedding those findings in system prompts using steganography.
What happened
A user posting to the Claude subreddit on July 1 published an analysis of Claude Code version 2.1.91, released April 2, 2026. The code checked device timezones against Asia/Shanghai and Asia/Urumqi, scanned active proxy URLs for Chinese domain patterns, and encoded the results by altering date formatting and apostrophe characters in the phrase "Today's date is." Anthropic used XOR encryption with key 91 to obfuscate the check, according to the Reddit post. The release notes for 2.1.91 did not mention it.
Thariq Shihipar, an engineer on the Claude Code team at Anthropic, addressed the disclosure on X. Per Shihipar, the mechanism was "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." He said stronger protections had since been shipped and the team had been planning to remove the feature. A pull request was merged and the change went live in the following release, per The Decoder.
Alibaba classified Claude Code as high-risk software and instructed staff to migrate to Qoder, its in-house coding assistant. The company set July 10 as the removal deadline, according to TechCrunch.
Why it matters
The incident has two separate problems running in parallel, and they do not cancel each other out.
Anthropic's existing terms of service already block Chinese companies and foreign entities they control from using Claude. But enforcement through undisclosed detection code is a different matter. The method described, reading device timezone and proxy data then encoding results via steganography without user disclosure, runs well outside standard product behavior. The researcher who found it called it a "fundamental violation of user trust," noting that Claude Code's full filesystem and shell access made any undisclosed exfiltration path a serious concern. Anthropic has not disputed the technical description.
On the other side of the dispute, Anthropic had previously accused Alibaba, DeepSeek, Moonshot AI, and MiniMax of using Claude outputs to train competing models, a practice called distillation. Shihipar's public statement frames the detection experiment as a response to that pattern, not as general surveillance. But the covert nature of the implementation, no disclosure, no release notes, obfuscated code, gave affected parties no ability to evaluate or contest the monitoring.
For teams running Claude Code in enterprise settings, the most direct takeaway is that tool-level monitoring can exist beneath what release notes or changelogs surface. If your organization operates in a regulated environment or with contractors in multiple regions, that is worth factoring into toolchain risk assessments. Cursor, which does not carry this particular controversy, is the nearest direct alternative in the AI code editor space.
Context
Anthropic's terms of service prohibit use by companies majority-controlled by China, Russia, Iran, or North Korea. Chinese developers have continued to access Claude through overseas subsidiaries, cloud services, and VPNs, per a Financial Times report cited by The Decoder. Anthropic had been working to close those access paths before this incident surfaced.
In February 2026, Anthropic filed accusations against DeepSeek, Moonshot AI, and MiniMax, saying more than 24,000 fake accounts ran over 16 million queries against Claude in a coordinated distillation effort, per The Decoder. Alibaba was named in that broader group of accused labs.
The Alibaba ban is the first public case of a major Chinese enterprise formally prohibiting a Western AI coding tool in direct response to a specific security disclosure.
What to watch next
Anthropic has not said whether any detection data collected during the March-July period was retained, what it was used for, or how many users were affected. A disclosure addressing those questions would let enterprise buyers make an informed assessment. Separately, congressional interest in Chinese model distillation attacks on U.S. AI labs has been growing; whether this incident accelerates any formal inquiry is a near-term signal worth tracking.
Sources
- Alibaba reportedly bans employees from using Claude Code - TechCrunch, July 4, 2026
- Claude Code's complicated China problem involves bans on both sides of the Pacific - The Decoder, July 3, 2026
- Hidden code in Claude Code secretly flagged Chinese users - The Decoder, July 1, 2026
- Anthropic accuses Deepseek, Moonshot, and MiniMax of stealing Claude's AI data through 16 million queries - The Decoder, February 23, 2026