Skip to content

— Writing · July 7, 2026

Your AI coding tool phones home. Alibaba just proved it.

authorityai-vendor-trustclaude-codevendor-auditsmb-security

Alibaba banned Claude Code company-wide starting July 10. Not over a data breach. Over a chunk of obfuscated code that had been quietly checking a user's timezone since April.

Here's who this matters to: any SMB operator who's approved an AI coding tool, an AI agent, or an "AI-powered" anything for their team without asking what it actually sends back to the vendor. That's most of you. I don't say that to shame anyone — I say it because I run the audit that would've caught this, and until last week I'd have bet most operators skip it too. Alibaba's own security team apparently did. A Reddit user found the problem before they did.

What a Reddit sleuth found that Alibaba's security team missed

On June 30, a user going by LegitMichel777 was reverse-engineering Claude Code to restore a remote-control feature Anthropic had disabled. Digging through the binary, they found obfuscated detection logic that had shipped silently in version 2.1.91 — released April 2, with zero mention in the release notes.

What it did: checked whether the system timezone matched Asia/Shanghai or Asia/Urumqi, scanned proxy configuration against a list of Chinese domains, and — if it found a match — embedded the result as a hidden signal inside prompts sent back to Anthropic's servers. Steganography, in a coding assistant, shipped to production for three months before anyone outside Anthropic noticed.

Alibaba's response was blunt. Internally, the company added Claude Code to "a list of high-risk software with security vulnerabilities" and told staff to switch to its own tool, Qoder, by July 10 [1].

Anthropic's defense is honest. It's also not the point.

Thariq Shihipar, an engineer on the Claude Code team, addressed it on X directly: the feature was "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." He said the team had built stronger mitigations since and had meant to pull the old code for a while — the pull request removing it merged July 1, one day after the Reddit post went up [2].

I believe him. Anti-abuse and anti-distillation are real problems, and I don't think Anthropic built a surveillance backdoor on purpose. But "it was an experiment for a good reason" answers a different question than the one an operator actually needs answered:

"An experiment we launched in March" is not the same answer as "here's exactly what we log, and here's how you'd have found it yourself."

One of those is a vendor explaining itself after getting caught. The other is a vendor you don't have to audit blind. Right now, every AI tool your team runs is closer to the first than the second — and you don't find out which side of that line you're on until someone reverse-engineers the binary.

This isn't the first fight this year

Alibaba's headquarters campus, the company that banned Claude Code company-wide starting July 10 Story: TechCrunch — Alibaba reportedly bans employees from using Claude Code. Image via Gigazine.

Context matters here. Three weeks earlier, Anthropic told the Senate Banking Committee that operators linked to Alibaba's Qwen lab had run roughly 25,000 fraudulent Claude accounts through 28.8 million exchanges between April 22 and June 5 — a distillation campaign aimed at Claude's coding and agentic-reasoning capabilities, and the largest such campaign Anthropic says it's ever documented [3]. Alibaba has denied directing it.

So read the timezone-check story next to that letter and the picture changes. This isn't one company quietly overreaching. It's two companies in an active fight over who's stealing what from whom, and an SMB running Claude Code for client work is standing in the blast radius of a fight it has no part in and no visibility into.

The audit I run before I let a client roll out any AI tool company-wide

None of this required Anthropic's source code to catch. It required someone actually looking. Here's the five-check pass I run before I tell a client to approve an AI tool past a single test seat — the same audit-to-engagement work that's most of what a fractional digital operator actually does for a living:

| Check | What it catches | Time to run | |---|---|---| | Diff the last 3 release notes against the actual changelog/binary | Undisclosed behavior changes shipped without a mention | ~30 min | | Capture network traffic on a sacrificial account for one real session | Telemetry the docs never described | ~1 hour | | Read the DPA / privacy addendum, not the marketing page | "May share with sub-processors" language before it's your client's compliance problem | ~20 min | | Ask the vendor point-blank about regional access controls | Export-control and data-residency exposure before legal finds it later | One email | | Check for a security changelog separate from the feature changelog | The "we meant to remove it" gap, before it becomes your gap | ~10 min |

Every one of those checks would have surfaced the Claude Code timezone logic without touching a disassembler. Most operators skip all five because the tool works, the demo was clean, and asking feels like distrust. It isn't distrust. It's the difference between adopting a tool and inheriting its blind spots.

Where this leaves Claude Code for your team

Here's the decision flow I actually run when a client asks if a new AI tool is safe to approve past one test seat:

flowchart TD Start([New AI tool a client wants<br/>to roll out company-wide]) --> Q1{Sends any data to a<br/>third-party model provider?} Q1 -->|No — fully local| Approve[Approve —<br/>no vendor-trust question exists] Q1 -->|Yes| Q2{Vendor documents exactly<br/>what telemetry it collects?} Q2 -->|No documentation found| Escalate[Run the 5-check audit<br/>before any rollout] Q2 -->|Documented| Q3{Have you actually verified it —<br/>network capture, not just the docs?} Q3 -->|Not yet| Verify[Verify first.<br/>Trust is not the default.] Q3 -->|Verified| Q4{Data residency + access controls<br/>match the client's compliance need?} Q4 -->|No| Restrict[Restrict scope, or reject] Q4 -->|Yes| Ship[Approve for company-wide use]

My actual verdict on Claude Code: I still recommend it. The behavior was real, it was wrong to ship undisclosed, and Anthropic pulled it within 24 hours of getting caught rather than stonewalling — that's a materially better response than most vendors manage. I'm not pulling it from client stacks over a resolved issue. What I am doing is running the five-check pass on every AI tool I recommend from here forward, Anthropic's included, because the lesson isn't "don't trust Claude Code." It's "don't trust any vendor's telemetry claims you haven't independently verified" — the same discipline I already apply when choosing between automation platforms for a client build.

Sources

[1] TechCrunch — Alibaba reportedly bans employees from using Claude Code — https://techcrunch.com/2026/07/04/alibaba-reportedly-bans-employees-from-using-claude-code/ [2] Reuters via Investing.com — Alibaba to ban Claude Code in workplace over alleged backdoor risks, source says — https://www.investing.com/news/stock-market-news/alibaba-to-ban-claude-code-in-workplace-over-alleged-backdoor-risks-source-says-4775035 [3] Forbes — Distillation: The New U.S.–China AI Fight — https://www.forbes.com/sites/craigsmith/2026/06/25/distillation-the-new-uschina-ai-fight/

So what do you do with this

If your team already runs Claude Code, Cursor, or any AI agent with production access, don't wait for a Reddit post to tell you what it's actually doing. Run the five checks above this week — it's a half-day of work, not a security engagement. If you don't have anyone who'd know how to read a network capture or a DPA, that's exactly the audit-to-engagement work I do before recommending anything to a client — the same gap-finding that cut The Hub's software cost 60% started as a trust audit, not a cost audit. Book a 15-minute call if you want a second set of eyes on your stack before you find out the hard way what it's been sending home.


The short version

  • Alibaba banned Claude Code company-wide effective July 10, after a Reddit user found code silently checking user timezones and proxy data since April — undisclosed in release notes for three months.
  • Anthropic says it was an anti-abuse/anti-distillation experiment, not a backdoor, and pulled it within 24 hours of being caught.
  • The same week, Anthropic told the Senate that Alibaba-linked accounts ran a 28.8-million-exchange distillation campaign against Claude — this is two vendors fighting, and your stack is standing in the blast radius.
  • None of this required a disassembler to catch — a basic release-note diff, a network capture, and reading the actual DPA would have surfaced it.
  • I still recommend Claude Code. What changed is that I now run a five-check vendor-trust audit on every AI tool before a client rolls it out past one seat, not just the ones with a scandal attached.

— Drafted with Claude, reviewed and edited by Bryan before publish.

tactic