In a statement shared on its WeChat account, the National Vulnerability Database (NVDB) highlighted that Claude Code includes a built-in monitoring feature that can send sensitive data, such as users’ geographic locations and identity-related details, to remote servers without user consent.
This alert concerns Claude Code versions 2.1.91 to 2.1.196.
NVDB recommended that organizations and users promptly assess affected systems and either uninstall the compromised versions or upgrade to the latest secure release where the suspected backdoor code has been eliminated.
It also urged organizations to enforce stricter controls over external network access for development tools and enhance traffic monitoring on core business networks to avert unauthorized transmission of sensitive information.
According to a report by Reuters last week, China’s Alibaba has prohibited employees from using Claude Code at work following concerns regarding its capabilities to identify users linked to China.
Anthropic has not yet responded to a request for comment from Reuters.