« All posts

Claude Code's Hidden Telemetry Sparks China NVDB Warning

Claude Code quietly sent user location and identity data without consent in its April-June 2026 builds. China's NVDB flagged it; Anthropic is rolling the mechanism back.

According to reporting picked up from the Wall Street Journal, Claude Code builds released between April and June 2026 quietly transmitted user location, identity, time zone, and working domain data to remote servers without consent or any UI toggle. Developer Troye Sivan discovered the mechanism specifically targeted users routing through Chinese grey-market resellers, prompting China's National Vulnerability Database (NVDB) to call it a 'serious threat' and urge users to uninstall or update the tool.

Anthropic engineer Thariq Shihipar confirmed the feature was an experimental anti-abuse and anti-distillation mechanism that would be fully rolled back in the next release. He also noted that tracking functions would remain in the product going forward, just no longer hidden. The company had previously accused DeepSeek and Alibaba of distilling Claude via thousands of fraudulent accounts, giving the anti-abuse motive real weight — but that doesn't erase the trust broken by shipping silent data egress with no opt-in.

For developers, the practical takeaway is straightforward: check your installed version, pin a known-good build, and audit outbound network connections with tools like lsof. The deeper lesson is that project structure shouldn't depend on any single coding agent's behavior — conventions, component models, and validated configuration need to live in a durable layer that survives any agent's next undisclosed experiment.

» SourceDev.to