Technology

Alibaba Bans Claude Code, Citing Backdoor Risks and Steganographic Tracking

Martin HollowayPublished 14h ago4 min readBased on 9 sources
Reading level
Alibaba Bans Claude Code, Citing Backdoor Risks and Steganographic Tracking

Alibaba will ban employees from using Anthropic's Claude Code starting July 10, 2026, directing staff to remove all Claude models from work computers and switch to the company's own Qoder tool, Reuters first reported on July 3.

The company has classified Claude Code as high-risk software, TechCrunch reported. The ban's scope extends beyond the agentic coding assistant itself: The Information reported that employees were instructed to scrub all Claude models from their machines, not just the Code product.

What triggered the ban

The proximate concern, according to Reuters, was alleged backdoor risks — specifically, capabilities in Claude Code that can help identify China-linked users. Security researchers subsequently found that Anthropic had embedded steganographic tracking code in Claude Code designed to do exactly that, The Next Web reported on July 3.

Thariq Shihipar, an Anthropic employee, addressed the issue publicly on X, confirming that a March 2026 experiment in Claude Code was intentional — designed to prevent account abuse by unauthorized resellers and to protect against model distillation. Shihipar added that the team had since "landed stronger mitigations" and had been meaning to take the steganographic approach down, per TechCrunch.

Steganographic watermarking in AI tooling is not, in isolation, novel. Embedding hidden signals in model outputs or tool behavior to detect unauthorized redistribution is a known anti-piracy technique. What makes this case distinct is the specificity of the targeting: the tracking was reportedly calibrated to identify users in China, in a context where Anthropic's own usage policy already prohibits Chinese companies and Chinese-owned foreign entities from accessing its models.

Anthropic publicly confirmed that policy as far back as September 2025, stating it was blocking AI services for Chinese-controlled companies to prevent a U.S. adversary from advancing. The March 2026 experiment, then, was an enforcement mechanism — albeit one the company has now acknowledged was not handled cleanly and is being replaced.

The broader access landscape

Alibaba's ban is the most operationally explicit action yet by a major Chinese tech company against a U.S. AI provider's tooling, but the access friction runs in both directions. Goldman Sachs restricted Claude access for its Hong Kong-based bankers in late April 2026 — a Western firm limiting exposure to the same tool, for its own compliance and regulatory reasons.

Anthropic itself has been navigating political turbulence domestically. In March 2026, the company won a court order blocking a Trump administration ban on government use of its AI technology, Bloomberg reported. A company simultaneously fighting off a U.S. government restriction on one flank while enforcing its own China-access embargo on the other is operating in genuinely constrained terrain.

For Alibaba's engineering workforce, the practical shift is to Qoder, the company's in-house AI coding assistant. Qoder competes in a market segment — agentic, context-aware coding tools — that has become operationally critical for large software organizations. Whether Qoder's capabilities match Claude Code's in areas like multi-file reasoning, long-context handling, and autonomous task execution will determine how disruptive the transition actually is for day-to-day developer workflows.

Worth flagging: the framing of this episode as a "backdoor" deserves scrutiny. Shihipar's public statement frames the steganographic code as anti-abuse infrastructure, not surveillance. Those are technically different things, but the distinction collapses quickly in a geopolitical context where the entity doing the identification and the entity being identified are on opposite sides of an export-control and national-security divide. From Alibaba's security team's perspective, the mechanism's intent is less relevant than its capability — and its capability was to fingerprint their users.

The episode also puts a spotlight on supply-chain trust in AI developer tooling specifically. Claude Code operates with substantial system-level access: it reads and writes files, executes shell commands, and interacts with version control. That attack surface is meaningfully larger than a chatbot interface. Security teams at any large organization using agentic coding tools — regardless of geography — have reasonable grounds to scrutinize what those tools are sending, and where.

Anthropic has not issued a formal public statement on the ban as of July 4, 2026.