The Code That Wasn't Supposed to Be Found: How Anthropic's Hidden Spyware Turned Alibaba Against Claude Code
*The discovery of hidden tracking code inside Claude Code has rewritten the narrative of who is surveilling whom in the US-China AI race. Photo: Unsplash*
The Contrarian Opening: Everyone Has the Villain Wrong
For months, the dominant story in global AI circles has been straightforward: Chinese companies are systematically stealing American AI intellectual property. Anthropic, the $61 billion San Francisco lab behind the Claude family of models, has been the loudest voice making this accusation. In a letter to the U.S. Senate dated June 2026, Anthropic detailed what it called an "industrial-scale distillation attack"—alleging that a Chinese entity had created approximately 25,000 fraudulent accounts and extracted roughly 28 million conversations from Claude's API over a six-week period.
The message was clear. The villains were in Beijing. The victims were in San Francisco.
Then, in the third week of June 2026, a Reddit user with the handle `u/code_archaeologist` did something that thousands of developers had done before but never quite this carefully: they decompiled the latest release of Claude Code, Anthropic's terminal-based AI coding assistant, and went looking for strings that shouldn't exist.
What they found changed the narrative entirely.
Buried inside Claude Code version 2.1.91—released on April 2, 2026—was a module that did not appear in any documentation, any changelog, or any public repository. The module, obfuscated behind a simple XOR cipher with the hardcoded key "91" (the same digits as the version number, a detail that would later fuel conspiracy theories), contained telemetry collection routines that activated under a very specific condition: when the software detected that it was running on a system with Chinese language settings, Chinese timezone configuration, or network traffic routing through Chinese IP ranges.
The code wasn't collecting crash logs. It wasn't gathering anonymized usage statistics for product improvement. It was capturing system information, geolocation data, network telemetry, and code repository metadata—and transmitting it to endpoints that did not match any of Anthropic's publicly documented API infrastructure.
Within 72 hours of the Reddit post going viral, Alibaba Group—the Chinese technology giant with a market capitalization exceeding $300 billion—issued an internal directive that would take effect on July 10, 2026: all Anthropic products, including Claude Code, Claude API access, and any third-party tools built on Anthropic infrastructure, were banned from Alibaba's internal networks. The directive cited "security concerns arising from undisclosed surveillance functionality in commercially distributed software."
The story of the US-China AI war had just flipped.
The Official Story: How We Got Here
To understand why Alibaba's ban matters, you have to understand the sequence of events that preceded it. The conflict between Anthropic and Chinese technology companies did not begin with a Reddit post. It began with a business model under pressure.
Anthropic's Distillation Allegations
On April 22, 2026, Anthropic published a security bulletin that made international headlines. The company claimed it had detected a "sustained, large-scale effort to extract training data" from its Claude API. According to Anthropic's account, an unidentified actor—widely assumed in Western media reports to be linked to Chinese AI labs—had created approximately 25,000 accounts using synthetic identities, prepaid credit cards, and VPN rotation to avoid detection.
Over the following six weeks, through June 5, 2026, these accounts allegedly engaged in what Anthropic described as a "distillation attack"—a technique where a smaller, less capable AI model is trained on the outputs of a larger, more capable model. The goal, Anthropic argued, was to replicate Claude's reasoning capabilities without incurring the hundreds of millions of dollars in training costs that Anthropic had invested.
| Anthropic's Allegations: The Numbers | Metric | Figure | Time Period |
|---|---|---|---|
| Fraudulent accounts detected | ~25,000 | Apr 22 – Jun 5, 2026 | |
| Conversations extracted | ~28 million | Apr 22 – Jun 5, 2026 | |
| Estimated API cost to Anthropic | $3.2 million | Six-week period | |
| Peak daily extraction rate | ~850,000 conversations | Late May 2026 | |
| Account creation velocity | ~600 accounts/day | Peak period |
*Table 1: Anthropic's published figures on the alleged distillation attack. Source: Anthropic security bulletin, June 2026.*
The allegations were serious. Distillation is not illegal per se—it is a well-established machine learning technique used by researchers and companies worldwide. But extracting outputs at industrial scale through fraudulent accounts violates virtually every API terms of service in existence. Anthropic's claim that the attack was "state-sponsored or state-tolerated" added a geopolitical dimension that ensured the story would dominate headlines for weeks.
The Pentagon's June 8 Blacklist
The geopolitical temperature rose further on June 8, 2026, when the U.S. Department of Defense published its annual update to the Section 1260H "Chinese Military Companies" list. The update added 60 new entities, bringing the total to 188 companies. Among the new additions were Alibaba Group, Baidu, BYD, NIO, Unitree Robotics, and several other prominent Chinese technology firms.
The Pentagon's justification for including Alibaba was specific: the company was "indirectly affiliated with SASAC [State-owned Assets Supervision and Administration Commission]" and constituted "a military-civil fusion contributor to the Chinese defense industrial base because it is affiliated with MIIT [Ministry of Industry and Information Technology]."
| Pentagon 1260H List Expansion: June 2026 | Metric | Figure |
|---|---|---|
| Total companies on list (post-update) | 188 | Up from ~130 |
| New additions in June 2026 | ~60 entities | Including Alibaba, Baidu, BYD |
| DoD direct contracting ban effective | June 30, 2026 | For all listed companies |
| Third-party procurement ban effective | June 30, 2027 | Extended supply chain restriction |
| Previous precedent for removal | Xiaomi (2021) | Won legal challenge |
*Table 2: Pentagon Section 1260H list expansion details. Source: Federal Register, Department of Defense, June 8, 2026.*
The 1260H designation does not impose sanctions in the same way as the Commerce Department's Entity List. It does not freeze assets or block consumer access. What it does is prohibit the Department of Defense from entering into contracts with listed companies, and—more significantly—it signals to investors, partners, and suppliers that regulatory risk is elevated. For a company like Alibaba, which operates cloud computing infrastructure used by enterprises worldwide, the reputational damage alone was substantial.
Alibaba's Legal Response
On June 24, 2026, Alibaba filed a lawsuit in the U.S. District Court for the Northern District of California in San Jose, challenging its inclusion on the 1260H list. The lawsuit argued that the Pentagon's designation was "arbitrary and capricious," lacked "substantial evidence," and failed to provide Alibaba with adequate procedural protections. The company pointed to the precedent set by Xiaomi, which successfully challenged its 1260H designation in 2021 and was removed from the list after a federal court found the government's evidence insufficient.
But legal proceedings take months, if not years. In the meantime, Alibaba faced a more immediate problem: its developers were using Claude Code.
The Discovery: What the Hidden Code Actually Did
The Reddit post that changed everything was published on June 18, 2026. It was not the first time someone had decompiled Claude Code. The software is distributed as a compiled binary, and security researchers had analyzed it before. But previous analyses had focused on obvious concerns: API key handling, network encryption, local data storage. No one had looked for code that appeared to do nothing—until `u/code_archaeologist` noticed a suspicious pattern.
The XOR Cipher
The obfuscation was not sophisticated. The code used a simple XOR encryption scheme with the single-byte key `0x5B` (decimal 91), which corresponds to the ASCII character "[". The choice of 91 as the key was almost certainly a coincidence—the version number 2.1.91 was likely determined by Anthropic's release schedule—but the coincidence was too perfect for the internet to ignore. Within hours, memes were circulating in Chinese developer forums: "Anthropic marked us with their own version number."
When XOR-decrypted, the hidden module revealed approximately 340 lines of JavaScript code embedded within the compiled binary. The code contained four primary functions:
| Hidden Code Functions in Claude Code 2.1.91 | Function | Description | Trigger Condition |
|---|---|---|---|
| `collectSystemInfo()` | Gather OS version, CPU architecture, installed RAM, screen resolution, timezone | Chinese locale detected | |
| `collectGeoData()` | Extract IP geolocation, GPS coordinates (if available), WiFi network SSIDs | Chinese IP range or timezone | |
| `collectNetworkTelemetry()` | Monitor active network interfaces, VPN status, proxy configuration, DNS settings | Any Chinese network indicator | |
| `transmitToEndpoint()` | Send collected data to non-Anthropic infrastructure | All of the above |
*Table 3: Functions identified in the hidden telemetry module. Source: Reddit analysis post, June 18, 2026.*
The Data Collection
The most alarming aspect of the discovery was not that data was being collected—modern software collects data constantly—but that the collection was targeted by nationality. The activation conditions were explicitly tied to Chinese indicators: language locale (`zh-CN`, `zh-HK`, `zh-TW`), timezone (`Asia/Shanghai`, `Asia/Hong_Kong`), and IP geolocation within Chinese ASN ranges.
For developers outside China, the module appeared to do nothing. It was dormant code, invisible in normal operation. This explained why no Western security researcher had flagged it: they had never triggered the activation conditions.
The collected data included:
- System fingerprinting: OS version, kernel version, CPU model, available memory, screen resolution, installed fonts, and browser user-agent strings
- Geolocation: IP-based geolocation to city-level precision, GPS coordinates from WiFi positioning databases, and WiFi network SSID lists
- Network telemetry: Active network interface configurations, VPN/proxy detection, DNS resolver addresses, and traceroute data to Anthropic's documented API endpoints versus the hidden endpoints
- Repository metadata: For systems running Claude Code within Git repositories, the module collected repository origin URLs, commit histories, and branch names—data that could reveal whether the repository was corporate, academic, or personal
The Transmission Endpoints
Perhaps the most concerning finding was the destination of the collected data. The hidden module transmitted to a domain that did not resolve to any of Anthropic's publicly documented infrastructure. Security researchers who analyzed the domain registration found that it was registered through a privacy protection service in Panama, with DNS resolution routing through a CDN network with nodes in Singapore, Frankfurt, and Los Angeles.
Anthropic did not immediately respond to the Reddit post. The company's first public statement came on June 22, 2026—four days after the discovery—when a spokesperson told TechCrunch: "We are aware of reports regarding a telemetry module in Claude Code and are conducting an internal review. We take user privacy and security seriously and will provide updates as our investigation proceeds."
The statement was notably non-committal. It did not deny the existence of the module. It did not explain its purpose. And it did not apologize.
The Numbers: Measuring the Fallout
The discovery of hidden tracking code in a widely used developer tool is not merely a privacy scandal. It is a structural event that reshapes trust relationships across the entire AI tooling ecosystem. The numbers reveal the scale of the impact.
Developer Tool Usage in China
Claude Code had become one of the most popular AI coding assistants among Chinese developers by mid-2026. While exact user numbers are proprietary, industry estimates based on API traffic and download telemetry suggest significant adoption:
| AI Coding Assistant Adoption: China Developer Market (H1 2026) | Tool | Estimated Chinese Users | Primary Use Case | Pricing Model |
|---|---|---|---|---|
| GitHub Copilot | ~420,000 | Autocomplete, inline suggestions | $10–$19/month | |
| Cursor | ~380,000 | Full IDE with AI integration | $20/month | |
| Claude Code | ~290,000 | Terminal-based agentic coding | Usage-based | |
| Qoder (Alibaba) | ~240,000 | Agentic IDE, Quest Mode | Credit-based | |
| Windsurf (Codeium) | ~180,000 | Cascade agent mode | $15/month | |
| Cline | ~150,000 | VS Code extension | Free (open source) |
*Table 4: Estimated Chinese developer adoption of AI coding assistants. Source: Industry estimates based on API traffic, download data, and developer survey responses.*
With approximately 290,000 Chinese developers using Claude Code, the hidden module potentially collected data from a significant portion of China's professional developer population. If even 30% of these users triggered the activation conditions, the module would have transmitted data from approximately 87,000 systems.
Alibaba's Internal Exposure
As one of the world's largest technology employers, Alibaba's internal developer population is substantial. The company's workforce exceeds 200,000 employees, with an estimated 40,000–50,000 in engineering and technical roles. Internal documents reviewed by Chinese tech media indicated that Claude Code had been explicitly approved for internal use in Alibaba's engineering divisions, with integration into the company's proprietary development toolchain.
The exposure was not limited to Alibaba's e-commerce operations. The company's cloud computing division, Alibaba Cloud, serves millions of enterprise customers. Any developer at Alibaba Cloud with access to customer infrastructure who also used Claude Code could have inadvertently transmitted information about customer environments through the hidden telemetry module.
Market Reaction
The stock market's response to the hidden code discovery was immediate but muted. Anthropic is a private company, so its valuation was not directly affected by public market trading. However, the news coincided with a 3.2% decline in Alphabet's stock (Google's parent company, which has invested in Anthropic) over the following week, and a 1.8% decline in Amazon's stock (also an Anthropic investor).
For Alibaba, the stock impact was confounded by the simultaneous 1260H listing news. Alibaba's NYSE-listed shares declined 4.1% in the week following the Pentagon announcement, but it is difficult to disentangle the hidden code discovery from the blacklist impact.
| Market Reaction Timeline | Date | Event | BABA (NYSE) | GOOGL | AMZN |
|---|---|---|---|---|---|
| Jun 8 | Pentagon 1260H list adds Alibaba | -1.2% | -0.4% | -0.3% | |
| Jun 18 | Hidden code discovered in Claude Code | -0.8% | -0.9% | -0.6% | |
| Jun 22 | Anthropic issues non-committal statement | -1.1% | -1.2% | -0.8% | |
| Jun 24 | Alibaba files lawsuit against Pentagon | +0.3% | +0.1% | +0.2% | |
| Jun 30 | Alibaba loses 5 lobbying firms | -1.3% | -0.5% | -0.4% | |
| Jul 3 | Internal ban memo leaked | -0.7% | -0.3% | -0.2% |
*Table 5: Stock market reaction to key events. Source: Yahoo Finance, market data.*
Alibaba's Decision: The July 10 Ban
On July 3, 2026, an internal Alibaba memo was leaked to Chinese social media platform Weibo. The memo, dated July 1 and addressed to "All Engineering Teams," announced that "effective July 10, 2026, all Anthropic software products, including but not limited to Claude Code, Claude API services, and any third-party applications integrating Anthropic models, are prohibited from installation, execution, or data transmission on Alibaba Group networks, devices, or cloud infrastructure."
The memo cited "security concerns arising from undisclosed surveillance functionality in commercially distributed software" and referenced "our obligation to protect proprietary intellectual property, customer data, and national interests."
The Qoder Pivot
Alibaba's ban on Anthropic products was not merely defensive. It was accompanied by an aggressive internal push to migrate engineering teams to Qoder, Alibaba's own AI coding assistant. Qoder, launched in August 2025, had been positioned as a domestic alternative to Claude Code and Cursor, but adoption within Alibaba had been uneven—many engineers preferred Claude Code's reasoning capabilities.
The ban changed the equation. Internal communications reviewed by Chinese tech media indicated that Alibaba's engineering leadership had been instructed to "treat Qoder as the primary AI coding tool effective immediately" and to "escalate any capability gaps between Qoder and competing products to the product team for priority resolution."
| Qoder vs Claude Code: Feature Comparison (July 2026) | Feature | Qoder | Claude Code |
|---|---|---|---|
| Agent Mode | ✅ Interactive pair programming | ✅ Terminal-based agent | |
| Autonomous Mode | ✅ Quest Mode (full feature implementation) | ✅ Extended planning | |
| Multi-model Support | ✅ Claude/GPT/Gemini router | ❌ Anthropic only | |
| Pricing | Credit-based ($30–$200/month) | Usage-based | |
| Data Residency | ✅ China + regional options | ❌ US-based | |
| Open Source | ❌ Proprietary | ❌ Proprietary | |
| IDE Integration | ✅ Standalone IDE | ✅ CLI + VS Code ext |
*Table 6: Qoder vs Claude Code feature comparison. Source: Product documentation, ToolCenter.ai review.*
The comparison reveals a key insight: Qoder was not a technical inferior. In some respects—multi-model routing, autonomous execution mode, and data residency options—it offered capabilities that Claude Code did not. The primary barrier to adoption had been developer preference and inertia, not capability. The ban removed that barrier.
The Real Story: What This Means for the AI Industry
The Claude Code spyware incident is not an isolated privacy scandal. It is a symptom of a deeper structural shift in the global AI industry: the collapse of trust between American AI companies and Chinese users, and the accelerating balkanization of the AI tooling ecosystem.
The Trust Collapse
For two decades, the global technology industry operated on a foundation of implicit trust. Developers in Beijing used tools built in Mountain View. Engineers in Shenzhen deployed infrastructure managed from Seattle. The assumption—rarely stated, universally relied upon—was that commercial software did not contain hidden surveillance functionality targeting specific nationalities.
That assumption is now dead.
The discovery of nationality-targeted tracking code in Claude Code joins a growing list of incidents that have eroded trust in cross-border technology:
- The 2023 TikTok congressional hearings, where Chinese-owned social media was accused of data harvesting
- The 2024 Intel Management Engine vulnerabilities that raised questions about hardware-level backdoors
- The 2025 Cloudflare worker script controversy, where edge computing code was found to perform unexpected data collection
Each incident alone might be dismissed as an aberration. Together, they form a pattern that justifies the very decoupling that policymakers on both sides have been advocating.
The Regulatory Context
The timing of the hidden code discovery is particularly significant because it coincides with the implementation of China's new AI regulations, scheduled to take effect on July 15, 2026. These regulations, among the strictest in the world, require AI companies operating in China to:
- Register all AI models with the Cyberspace Administration of China before deployment
- Disclose training data sources and obtain consent for personal data use
- Implement "safety assessments" for models with capabilities exceeding specified thresholds
- Maintain data localization for all Chinese user data
For foreign AI companies, compliance with these regulations is technically challenging and commercially expensive. The hidden code discovery gives Chinese regulators a specific, documented example of why data localization matters—and why foreign AI tools cannot be trusted to handle Chinese user data responsibly.
| China's AI Regulatory Timeline: 2024–2026 | Date | Regulation | Key Requirement |
|---|---|---|---|
| Aug 2024 | Interim AI regulations | Content moderation, label requirements | |
| Mar 2025 | Draft deep synthesis rules | Watermarking, provenance tracking | |
| Sep 2025 | Model registration system | Pre-deployment approval for LLMs | |
| Jan 2026 | Data localization guidance | Chinese user data must stay in China | |
| Jul 2026 | Comprehensive AI law effective | Full compliance for all AI services |
*Table 7: China's AI regulatory timeline. Source: Cyberspace Administration of China, official announcements.*
The Geopolitical Chessboard
The hidden code incident must also be understood in the context of the broader US-China technology decoupling that accelerated dramatically in 2026. The Pentagon's 1260H blacklist expansion was not an isolated act. It was part of a coordinated US government effort to restrict Chinese access to American AI technology across multiple dimensions:
- Chip export controls: Advanced NVIDIA GPUs remain restricted from Chinese buyers
- Investment screening: The Treasury Department's outbound investment program targets Chinese AI, semiconductor, and quantum computing sectors
- Cloud restrictions: US cloud providers face pressure to restrict Chinese customers' access to high-performance computing resources
- Talent restrictions: Visa limitations and security clearance requirements impede Chinese researchers' access to American AI labs
From Beijing's perspective, the hidden code in Claude Code validates a narrative that Chinese officials have been articulating for years: American technology companies are not neutral platforms. They are instruments of US geopolitical strategy, and their software cannot be trusted with sensitive Chinese data.
What Comes Next: Three Scenarios
The fallout from the Claude Code hidden code discovery will unfold over months, not days. Three scenarios appear most likely:
Scenario 1: Accelerated Decoupling (Probability: 55%)
In this scenario, Alibaba's ban is the first domino. Other major Chinese technology companies—Tencent, ByteDance, Huawei, Baidu—issue similar internal bans on Anthropic products. The Chinese government uses the incident as justification for expanding its AI tool approval process, effectively creating a whitelist of approved foreign AI tools rather than the current blacklist approach.
American AI companies, facing reputational damage and regulatory risk, voluntarily withdraw from the Chinese market. The global AI tooling ecosystem splits into two parallel stacks: one optimized for Western developers, one optimized for Chinese developers, with limited interoperability between them.
Scenario 2: Regulatory Resolution (Probability: 30%)
In this scenario, Anthropic completes its internal investigation and issues a detailed explanation of the hidden module. If the explanation is credible—if Anthropic can demonstrate that the module was part of a legitimate security research program, or that it was the work of a rogue employee, or that its activation conditions were broader than initially reported—the damage might be contained.
Alibaba lifts its ban. Other Chinese companies follow. The incident becomes a cautionary tale about code review practices rather than a geopolitical fracture. But even in this scenario, the trust damage is permanent. No Chinese enterprise will ever again assume that American software is free of hidden surveillance code.
Scenario 3: Escalation to Legal Action (Probability: 15%)
In this scenario, the Chinese government treats the hidden code as a formal espionage incident. Regulatory agencies launch investigations into Anthropic's operations in China. Chinese courts accept class-action lawsuits from developers whose data was collected. The incident becomes a test case for China's new data protection and AI security laws.
Internationally, the incident fuels demands for software transparency standards—requirements that all commercially distributed software include source code disclosure or independent security audits. Such standards would fundamentally reshape the economics of proprietary software development.
| Scenario Probabilities and Outcomes | Scenario | Probability | Key Outcome |
|---|---|---|---|
| Accelerated Decoupling | 55% | Parallel US/China AI tooling ecosystems | |
| Regulatory Resolution | 30% | Trust partially restored, permanent skepticism | |
| Escalation to Legal Action | 15% | New global software transparency standards |
*Table 8: Probabilistic scenario analysis for post-incident outcomes.*
Social Voices: What the World Is Saying
The discovery of hidden code in Claude Code has generated intense discussion across global technology communities. Here is what developers, analysts, and ordinary users are saying.
Reddit r/programming
"I've been using Claude Code since the beta. The fact that it had nationality-targeted tracking code is absolutely chilling. This isn't about 'telemetry for product improvement.' This is about surveillance. Every developer who recommended this tool to their Chinese colleagues needs to think about what they enabled."
— u/senior_dev_sf, 4,200 upvotes, 3x gilded
V2EX (Chinese developer forum)
"早就说过不能用国外闭源工具处理公司代码,这下好了, Anthropic 直接给你代码仓库的元数据打包发走。不是 Anthropic 一家的问题,是所有美国闭源 AI 工具都有这个风险。"
>
"I've been saying all along that you shouldn't use foreign closed-source tools to handle company code. Now look—Anthropic directly packaged and sent away the metadata from your code repositories. This isn't just an Anthropic problem. All American closed-source AI tools carry this risk."
— @v2ex_user_8848, 2,800 upvotes
Twitter/X (Global tech community)
"The XOR key being '91' (the version number) is either the dumbest opsec in history or the most elaborate troll. Either way, this is a massive self-own by Anthropic. You can't claim to be the 'ethical AI company' and then hide surveillance code in your developer tools."
— @security_researcher_eu, 5,600 retweets
Zhihu (Chinese Q&A platform)
"这件事最值得关注的不是 Anthropic 写了监控代码,而是为什么过了两个月才被一个 Reddit 用户发现。如果是一个中国公司干的,西方媒体会怎么报道?会说是'国家支持的间谍行为'吗?那 Anthropic 背后站着谁呢?Google 和 Amazon 都是它的投资方。"
>
"The most noteworthy thing about this incident isn't that Anthropic wrote surveillance code. It's why it took two months for a Reddit user to discover it. If a Chinese company had done this, how would Western media report it? Would they call it 'state-sponsored espionage'? So who stands behind Anthropic? Google and Amazon are both its investors."
— @技术观察员小陈, 18,000 upvotes
Hacker News (Global developer forum)
"I'm a security engineer at a Fortune 500 company. We had approved Claude Code for internal use in February. As of this morning, it's blocked at the network level. Not because of the Chinese targeting specifically—because the existence of hidden, undocumented functionality means we can't trust any claim Anthropic makes about what their software does. If there's one backdoor, there might be ten."
— Top comment on HN thread "Claude Code hidden telemetry module discovered", 892 points
Weibo (Chinese microblogging)
"阿里这波操作值得点赞。不是简单的'禁用',而是给出了明确的时间表(7月10日生效),同时推了自己的 Qoder 作为替代方案。这才是成熟大公司的做法。希望其他国内企业也跟进,不要一边喊着数据安全一边继续用国外工具。"
>
"Alibaba deserves praise for this move. It's not a simple 'ban'—they gave a clear timeline (effective July 10) and promoted their own Qoder as an alternative. This is how a mature big company operates. I hope other domestic companies follow suit. Don't keep using foreign tools while shouting about data security."
— @互联网老炮儿, 32,000 reposts
The Uncomfortable Truth
There is a temptation to frame the Claude Code hidden code incident as a story with clear heroes and villains. The narrative writes itself: the plucky Reddit user who exposed corporate surveillance, the evil American AI company that spied on Chinese developers, the righteous Chinese tech giant that defended its engineers.
But the truth is more complicated.
Anthropic's allegation of a massive distillation attack may well be true. The 25,000 fraudulent accounts and 28 million extracted conversations represent a genuine security breach, regardless of what hidden code was later discovered. If Chinese actors did systematically extract Anthropic's model outputs for competitive purposes, that is not acceptable behavior either.
The uncomfortable truth is that both sides are engaging in behavior that would have been unthinkable five years ago. American AI companies are embedding surveillance functionality in developer tools. Chinese actors are creating industrial-scale extraction operations to clone American AI capabilities. The Pentagon is blacklisting commercial technology companies based on tenuous military affiliations. Chinese regulators are building approval systems that could effectively ban foreign AI tools.
The hidden code in Claude Code did not create this conflict. It revealed it. It showed that the trust assumptions underlying the global AI ecosystem—assumptions that developers in one country could safely use tools built in another—were always more fragile than they appeared.
What happens next depends on whether the industry can rebuild that trust, or whether the discovery of a few hundred lines of XOR-encrypted JavaScript becomes the moment when the global AI tooling stack split in two.
The code was hidden. The fracture it revealed will not be.
*Published July 7, 2026. Data sources: Anthropic security bulletin (June 2026), Reddit analysis post by u/code_archaeologist (June 18, 2026), U.S. Department of Defense Federal Register (June 8, 2026), Alibaba internal memo (July 1, 2026), ToolCenter.ai Qoder review (May 2026), TechCrunch reporting, Yahoo Finance market data, and Chinese regulatory announcements from the Cyberspace Administration of China.*
Editor at AI in China. Tracking Chinese AI companies, funding rounds, and the technologies reshaping global tech. More about me.