Alibaba to ban Claude Code in workplace over alleged backdoor risks, source says (reuters.com)
283 points by nsoonhui 9 hours ago
Simulacra 5 hours ago
bhouston 6 hours ago
All remote AI are a massive security risk for individuals/companies/governments that may be targeted by the US government.
It is likely that the US will get a live feed from each AI provider that they are inspecting in real time to identify things of interest, terrorist attacks or foreign government planning or even foreign companies competitive to key US companies.
It will give them access to the thought process in those companies as well as much of their text-based IP (source code, docs, meeting transcripts, etc).
Also if you are using local AI that you didn’t train yourself you can never be sure it doesn’t have purposeful biases in its reasoning that may disadvantage you - such as directing you away from certain plans or ideas or patents etc.
jacobgold 3 hours ago
> "Also if you are using local AI that you didn’t train yourself you can never be sure..."
A local model you trained yourself seems about as good as you can do today.
But it may not even be possible to fully trust a model you trained if you used untrusted data during training.
As a user, you have to trust your coding agent AND inference provider AND models: https://jacob.gold/posts/coding-models-are-code/ https://www.anthropic.com/research/sleeper-agents-training-d...
fouc 33 minutes ago
also there doesn't even need to be a model involved, agentic code harnesses with remote "instructions for the local computer" are technically backdoored by default.
type0 2 hours ago
> even foreign companies competitive to key US companies.
It's unfathomable to me that EU companies don't take the risk of industrial espionage from the US more seriously.
wongarsu an hour ago
Many do, when it comes to AI. Lots of restricting what the AI is allowed to see, working with local AI, trusted AI hosters, etc.
Of course those are largely the same companies that receive emails via Outlook, manage company-wide SSO in Microsoft Entra, put their files in SharePoint and track software and maintenance issues in Jira ... I'm not sure how much info there is left that isn't already combed through by NSA and friends.
atlasunshrugged 2 hours ago
Not from China? One country has a recent track record of massive amounts of industrial espionage and one doesn't.
faangguyindia 2 hours ago
Foobar8568 41 minutes ago
hnfong 40 minutes ago
SubiculumCode 2 hours ago
Why make this U.S.-centric? You think China-served models would be different?
tedivm 2 hours ago
China is releasing open weight models you can simply run yourself.
seanmcdirmid 2 hours ago
It’s pretty hard to put a backdoor in a bunch of model weights. Maybe not impossible mind you, but I can’t fathom how you would do it.
CuriouslyC an hour ago
OtomotO 2 hours ago
Because the topic of the article is about the US?
londons_explore 6 hours ago
It is worth thinking about the fact the total throughput of even a big LLM provider isn't many megabits.
If a token compresses to around a byte, worldwide AI input and output is around 1 gigabyte per second.
For any intelligence agency, they can afford to keep and store all of that forever, and later do analysis on it.
bhouston 4 hours ago
> For any intelligence agency, they can afford to keep and store all of that forever, and later do analysis on it.
At the scale the AI companies are operating at, I think it isn't likely that they are sucking it all in right now.
More likely I think the intelligence agencies will get a real-time live tap into the raw data feed which they will process onsite for interesting things and then if things are flagged, they will log it in the intelligence agency systems.
greenavocado 2 hours ago
> you can never be sure it doesn’t have purposeful biases in its reasoning that may disadvantage you - such as directing you away from certain plans or ideas or patents etc.
that's why you should use abliterated heretic models
WarmWash 3 hours ago
> It is likely that the US will get a live feed from each AI provider that they are inspecting in real time to identify things of interest, terrorist attacks or foreign government planning or even foreign companies competitive to key US companies.
My favorite conspiracy is that three letter agencies keep pushing the conspiracy that they are omni-present with access to everything. Same as parents telling their kids Santa is watching, and leaders telling adults God is watching. It's extremely effective control and millennia old at this point.
The reality is much more banal that they still need warrants and tech companies hate playing police/evidence servant for the government (it consumes a ton of resources and pays nothing).
thewebguyd 2 hours ago
> warrants
The Snowden leaks revealed that's not the case.
The three letter agencies can just issue national security letters without a judge ever seeing it, and those come along with a gag order (plus other workarounds like just buying data from brokers, and how US communications can get swept up just by virtue of communicating with a foreign national outside the US).
You're right, they aren't omniscient in the way we imagine of a room full of people monitoring everything in real time. But to pretend they aren't passively collecting massive amounts of data is dangerous. Snowden showed us PRISM, with all major tech companies participating. They do effectively have a live, unrestricted wiretap to the internet and if you happen to be a person of interest, they will just send out NSLs and get all your communications that are not fully E2EE without you even knowing thanks to the gag order.
WarmWash 2 hours ago
roysting 3 hours ago
> The reality is much more banal that they still need warrants and tech companies hate playing police/evidence servant for the government
I will not elaborate how I know, but that is not even directionally correct. But these are not even secret things that can’t be known simply through the Snowden, Wikileaks, and Vault7 releases. So why are you telling yourself this? Are you still wet behind the ears or something?
There are people who know exactly how governments do not in fact need warrants and the tech companies don’t even really know they are servants to the government, let alone which one. That’s how things are done. The less surface area the better.
WarmWash 2 hours ago
shimman 2 hours ago
general1465 6 hours ago
Leakage of IP and training on your data is something that I am pointing out too, but people will turn around and try to smooth me down that TOS does not allow that if you are an enterprise client. Are you really going to believe that AI companies won't ignore TOS, when they were ignoring literal laws which sent others to jail in the past? Especially when more data = better model?
eunos 8 hours ago
What Claude Code did is absolutely mindboggling tho, if Chinese harness did that probably POTUS would lose sleep.
usef- 7 hours ago
It seemed pretty mild compared to what's collected by modern websites and apps, though? How many don't know your Timezone?
dijit 6 hours ago
> How many don't know your Timezone?
The timezone fetch was to alter program behaviour at runtime, not to send arbitrary timezones for tracking reasons.
It was one way of detecting if it was a Chinese person using the program and then behaving differently.
Malware behaves this way. STUXNET for example was wired to do nothing except propagate unless the environment had the right conditions.
theshrike79 an hour ago
usef- 6 hours ago
cognitiveinline 8 hours ago
Exaggerate much? If you think POTUS would lose sleep about a date format timezone marker, I don't know what to tell you.
yard2010 7 hours ago
Wait what do you mean "if"?
youre-wrong3 7 hours ago
Maybe if they didn’t farm all the data from Claude to train their own trash models. Anthropic wouldn’t feel the need to do it.
BoxOfRain 3 hours ago
Bit rich given where Anthropic sourced the data to train Claude with. What's good for the goose is good for the gander.
InsideOutSanta 7 hours ago
Who is "they", and which Chinese models are trash?
vrganj 7 hours ago
Anthropic stole the entire internet. Excuse my language, but they can fuck right off.
breppp 6 hours ago
fcanesin 39 minutes ago
It is not a risk, it is a fact - people decompiling Claude Code have found many times that it has code branches to detect it is being used in Chinese timezone and locale.
johnathan101 8 hours ago
Regardless of whether this specific claim is true, enterprises are becoming much more cautious about developer tools that can read large portions of proprietary codebases.
soraminazuki 7 hours ago
It's insane that it's becoming a concern now. It should've ended the discussion from the very beginning.
yurish 6 hours ago
Enterprises host their entire infrastructure on US-based clouds. And for many, it still is not a problem.
soraminazuki 3 hours ago
vitally3643 2 hours ago
I mean, we all also still do manufacturing in China with a 100% guarantee that your widget will be copied and cloned. It's so much cheaper though....
HarHarVeryFunny an hour ago
If you're using a coding agent then obviously you need to either serve the model yourself or trust whoever you are sending your data to.
In terms of WHAT you need to be concerned about, it seems it goes far beyond code, and far beyond having to trust your model provider.
A coding agent with access to a bash tool is going to have access to anything that a human with a bash prompt would, and even if you try to provide a nailed down sandbox environment for the agent, you still need to be concerned about things like unencrypted passwords and keys that it may be able to find "laying around" in code or databases/etc it has access to.
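A pre-flight inventory of what an agent with a shell could read in a workspace, as an added example that is not part of the thread or any commenter's code. The rule set, function names and sample tree are constructed assumptions, and every value in the sample is a made-up placeholder.

```python
import os
import re
from pathlib import Path

# Constructed heuristics for illustration; not an exhaustive rule set.
SENSITIVE_NAME = re.compile(
    r"(^|/)(\.env(\..+)?|\.netrc|\.pgpass|id_(rsa|ed25519|ecdsa)|credentials)$")
CONTENT_RULES = {
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"]([^'"\s]{8,})['"]"""),
    "url-with-password": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@"),
}
ENV_NAME = re.compile(r"(?i)(secret|token|password|passwd|api_?key|credential)")
MAX_BYTES = 1_000_000


def scan_tree(root):
    """Return sorted (kind, relative_path, line) findings; line 0 = whole file.
    Secret values are never copied into the findings."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                # A link out of the workspace widens what the agent can read.
                target = path.resolve()
                if target != root and root not in target.parents:
                    findings.append(("symlink-outside-root", rel, 0))
                continue
            if not path.is_file():
                continue
            if SENSITIVE_NAME.search(rel):
                findings.append(("sensitive-filename", rel, 0))
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:
                continue
            if b"\0" in data:  # skip binary files
                continue
            text = data.decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for kind, rule in CONTENT_RULES.items():
                    if rule.search(line):
                        findings.append((kind, rel, lineno))
    return sorted(findings, key=lambda f: (f[1], f[2], f[0]))


def scan_env(env):
    """Names (never values) of non-empty variables that look like credentials."""
    return sorted(k for k, v in env.items() if v and ENV_NAME.search(k))


def build_sample_workspace(root):
    """Constructed sample tree; every value is a made-up placeholder."""
    root = Path(root)
    files = {
        "README.md": "Sample project (constructed).\n",
        "app/settings.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n'
                           'API_KEY = "constructed-example-key-0001"\n',
        "deploy/.env": "DATABASE_URL=postgres://app:constructed-pass@db.example/app\n",
        "keys/deploy.pem": "-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    (root / "host_home").symlink_to(root.parent, target_is_directory=True)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "ws"
        ws.mkdir()
        build_sample_workspace(ws)
        for finding in scan_tree(ws):
            print(*finding)
        print(scan_env(os.environ))
```

The environment lookup in `app/settings.py` is not reported, only the quoted literal on the following line, and the symlink is reported because its target lies outside the workspace root.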
pmontra 5 hours ago
After they uploaded their code to private repositories on GitHub, Bitbucket etc since forever? They trust GitHub not to read their code but they don't trust an AI from Microsoft not to read it? It would be schizophrenia.
CardenB 2 hours ago
Big customers usually use GHE served on prem due to security concerns, no?
pmontra 30 minutes ago
segmondy 3 hours ago
A bit too late for that, most of them have already dumped most of their codebase and IP into cloud models.
saidnooneever 7 hours ago
Not to mention they are kind of capable of executing code and susceptible to injections, which also amounts to being practically backdoors if you're not super careful about how you use the tooling.
llm_nerd 7 hours ago
Becoming? We've moved entirely in the opposite direction.
When these tools first appeared the overwhelming conversation was about the risk of letting a remote tool siphon your code and intellectual property (where eventually they're going to add that to their training). Now everyone is using them, and that fear seems to have dissolved. Every corporation is sprinkled with Claude Code, Antigravity, Copilot, Codex, and so on. Even the long fear-mongered Chinese providers are being heavily used in many spaces.
In this case this is a PR battle between two firms, and it isn't much more. And Alibaba isn't worried about the "proprietary code" (the truth is that there is incredibly little interest in most orgs code), but that the tool is a backdoor, or at least that is the claim.
DanielHB 6 hours ago
> there is incredibly little interest in most orgs code
I think from a commercial perspective yes, but access to source code is very good for finding exploits which could be very valuable for governments. I could also see a future where companies are directly cyber-attacking competitors in hostile markets too...
otabdeveloper4 7 hours ago
> and that fear seems to have dissolved
Until the first big incident, yes.
spwa4 7 hours ago
Wasn't one of the big promises the AI labs made "uncopyrighting"? Ie. the ability to reconstruct large works, including source code, without actual access to the source code? Everything from movies to operating systems.
mannanj 9 minutes ago
I remember hearing something about this. Reminds me of the many lies that political candidates make to garner interest and approval. Except who's holding them accountable - like there's not even a list anywhere tracking these lies.
xpct 4 hours ago
Interesting, I haven't heard this claim before. I suppose that claim made sense if their customers were big corporations, not so much when it's the masses generating bootleg software copies.
silon42 6 hours ago
Cleverly compressing and decompressing doesn't de-copyright it. ... and if it's not the same who'd trust it.
gchamonlive an hour ago
There was recently this case here in Brazil https://www.mixvale.com.br/2026/06/26/fbi-warns-brazilian-po...
This is a double-edged knife. In this specific instance this was absurdly important for that kid's life, but this works both ways. What if the US authorities deemed it necessary to snoop on foreign governments and citizens for political reasons, now leveraging AI to do it on an industrial scale?
One thing is certain though is that assuring privacy isn't top priority for any cloud provider. Companies doing cutting edge, sensitive work should be wary.
bathtub365 an hour ago
The US government deemed it necessary to snoop on foreign governments and citizens decades ago and is doing it on a continuous basis. Also on their own government and citizens.
gchamonlive an hour ago
Thanks, I've edited my original comment to address this more clearly
kordlessagain 16 minutes ago
Well, that's a revenue hit for sure for Anthropic.
jdw64 7 hours ago
I got curious and asked my Chinese friends, and they gave me a Reddit link[1]. It looks like it's about location data collection, and they suggested that might be the reason for the issue.
[1]https://www.reddit.com/r/ClaudeAI/comments/1ujila1/anthropic...
swingboy 6 hours ago
There was a big thread about it here the other day. https://news.ycombinator.com/item?id=48734373
SubiculumCode 2 hours ago
Wow, and every website on earth, practically, collects location data.
ravenstine 6 hours ago
Employers in 2022:
> No! Don't install that lodash thing without explicit approval from IT. Oh, you want a license for Charles Proxy? Gee, I dunno... we've got a budget to maintain.
Employers in 2023:
> No! You can't use ChatGPT at work – it's a security risk.
Employers in 2024:
> Okay, you can use Github Copilot I guess, but you'll have to endure boring corporate training on what you're allowed to do with it.
Employers with dollar signs in their eyes in 2025:
> We attended a seminar about vibe coding. Why aren't you dumbasses keeping up with the times? Use Claude Code for everything! Don't write any of your own code anymore. We don't even really care if you use yolo mode. Just review code and push 10x more features! Use unlimited tokens! Money printer go brrrrr.
Employers in 2026:
> You mean giving one or two companies full autonomous access to our workstations while stupefying our engineers wasn't a sound business plan?
dan_i 6 hours ago
2025 taught me that my employer would replace me with a slave if they could get away with it.
The confusing part to me is why these companies believed the "AGI" hype, i.e. that OpenAI or Claude's LLM is the ideal white collar slave.
I suppose I can understand that the executive class resents labor enough to make irrational business decisions for the purpose of insulting the workers who design and operate their companies.
That being said, the 2025 AI binge feels like a murder-suicide done by the executives of many of these companies.
nicogentile 3 hours ago
Seems that we are finally moving to the next stage in LLMs. Not only customize based on old searches but also target you based on non-disclosed data. It's basically the same flow we had years ago with ads in social media.
Interesting to notice that we can do the same with these models.
khurs 5 hours ago
Snowden files revealed NSA collect everything they can.
Of course USA is collecting everything, not just from China but everyone.
And same with every one else.
arkhiver 2 hours ago
no ads or captcha: https://nonogra.ph/alibaba-to-ban-employees-from-using-anthr...
avd201 4 hours ago
Anthropic has been doing this sort of stuff for a while already. I mean, who remembers when Claude would just consume all your remaining usage if it read anything indicating that Openclaw had been used on your codebase? Because I remember. Two months ago btw https://news.ycombinator.com/item?id=47963204 Then there was the whole debacle of Fable silently downgrading to other models if it detected wrong think, or worse, outright sabotaging your codebase if you were working on language models lol
bushido 6 hours ago
What's very interesting to me is these moves will introduce a good amount of doubt in future claims by Claude etc, that the open source and non-US models are only getting better because they're distilling from frontier labs.
JPLeRouzic an hour ago
> employees were being told to use the company's own coding platform Qoder
That looks like a no-nonsense decision, isn't it?
yanhangyhy 9 hours ago
I'm gonna ask: how can they still use Claude? I thought all users in China are banned.
dgellow 8 hours ago
Alibaba has engineers in Hong Kong, Singapore, North America. It’s a global corporation.
itake 8 hours ago
When I was in Hong Kong, ChatGPT and Gemini were disabled. Maybe this has changed though. When I was in China, the corporate VPN (Zscaler) routed traffic through HK.
hnfong 30 minutes ago
Paradigm2020 2 hours ago
xyzsparetimexyz 7 hours ago
bravetraveler 8 hours ago
Same way every ban is evaded, smurfing
playnuu9 8 hours ago
There is a reason Singapore tops the rank on Claude usage
byzantinegene 8 hours ago
the government also actively promotes AI usage in work environments
chinathrow 6 hours ago
Source?
_flux 8 hours ago
Does Alibaba only have developers in China?
one33seven 8 hours ago
Did China invent VPNs yet?
josh-wrale 8 hours ago
Cc can be used with non Anthropic models.
dist-epoch 8 hours ago
The same way they buy "banned" and "sanctioned" NVIDIA GPUs.
re-thc 8 hours ago
> how can they still use claude?
Workarounds aside, it says Claude Code not Claude.
i.e. they are using the CLI running any model. You can for instance run GLM with it.
TZubiri 5 hours ago
one possibility:
iproyal.com Oxylabs.io
https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-fro...
rvnx 8 hours ago
Can't say they are wrong, after the latest backdoor, or let's say, undocumented functionality that leaks some data that was pushed in Claude Code few days ago
dgellow 8 hours ago
That’s not what a backdoor is…
tpoacher 8 hours ago
Rear entrance then
rvnx 8 hours ago
When a company can remotely push code without explicit user approval, and code that was hostile / almost malicious, it is a backdoor
jitl 6 hours ago
SubiculumCode 2 hours ago
I think most websites transmit general location to the server.
rvz 8 hours ago
Another reason to use open source coding agents and local language models.
Claude Code is neither and it is literally info stealing malware.
p0w3n3d 7 hours ago
[flagged]
matheusmoreira 6 hours ago
Remember how Kim Dotcom got destroyed for criminal copyright infringement? One would think the big tech CEOs would face the same fate, that police officers would rappel down helicopters, storm their mansions and bring them out in cuffs.
Instead the AI companies reached these absurd settlements with publishers that made a mockery out of all the previous copyright enforcement victims.
root-parent 5 hours ago
Remember Aaron Swartz who did something that just pales compared to what Dario Amodei, Zuckerberg-Mr-Torrent and Sam Altman did.
314 5 hours ago
matheusmoreira 5 hours ago
vlovich123 5 hours ago
Reminds me, did the AI companies redistribute that copyrighted material to others and make their money that way? Did Kim use the copyrighted material to generate something novel from it?
Copyright law literally says something isn’t infringement if it is a novel transformation. I get the jokes and criticism about AI companies fighting and complaining about competitors distilling, but this is a much weirder comparison.
root-parent 5 hours ago
samrus 4 hours ago
andersonpico 5 hours ago
cryptonym 5 hours ago
codedokode 5 hours ago
Exactly. If a rich corporation downloads and uses pirated content without paying, why should an ordinary person pay for movies and music instead of downloading them for free?
UqWBcuFx6NV4r 4 hours ago
Simulacra 5 hours ago
He just lost another court case… I wonder if we're getting close to the government spending as much to prosecute the man as what Hollywood possibly lost.
xienze 6 hours ago
Remember how people used to justify their own personal software piracy with arguments like "information wants to be free", "no one stole anything, you still have the data", "I was never going to buy it anyway", and "copyright should be abolished?"
> Instead the AI companies reached these absurd settlements with publishers that made a mockery out of all the previous copyright enforcement victims.
Isn't that at least something? How many people pirating software ever settled with the companies they "victimized?"
monooso 5 hours ago
matheusmoreira 5 hours ago
cinntaile 5 hours ago
curtisblaine 4 hours ago
datsci_est_2015 4 hours ago
The trick here, imo, was the integration with the military industrial complex. It wasn’t very difficult of course, as automation has been a topic in warfare for decades, if not centuries.
But Eisenhower was right:
> In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist.
yubblegum 5 hours ago
Whatever happened to honor among thieves? What is this world coming to..
short_sells_poo 6 hours ago
The corollary is that there are no morals once the stakes are in the $ billions, let alone hundreds of billions.
This isn't even about a single person or personality. Very few people in such position could stand fast by their moral code. In any case, an environment that favors profit above everything will naturally select for individuals who are unencumbered by such hindrances.
There might've been 100s of Altmans and Amodeis who had a strong moral code but we don't know about them because they dropped out of the "race" because of said moral hurdles.
rlpb 6 hours ago
Copyright law is an artificial legal construct, not a moral code.
I think appropriate attribution is a moral code, but I am not able to attribute every idea I have to all those who helped me develop the general intelligence that I use to develop such ideas.
raxxorraxor 6 hours ago
spinningslate 6 hours ago
> an environment that favors profit above everything will naturally select for individuals who are unencumbered by such hindrances.
Exactly. Dairy farms optimise for milk production so favour cows that produce the most milk.
The market economy optimises for profit so favours those most willing/able to generate it. Zuckerberg, Musk, Thiel, Andreesen and co are products of the system.
rkachowski 4 hours ago
> The corollary is that there are no morals once the stakes are in the $ billions, let alone hundreds of billions.
terrifying
TZubiri 5 hours ago
I never get tired of posting this answer because everyone on the internet is adopting this hot take:
If you look at it with your eyes crossed, Anthropic and the Chinese are doing the same thing.
If you look at it with nuance 1 the Chinese are doing way worse stuff, and 2 stealing from a thief would still be stealing
1. The Chinese are making multiple accounts (at least 49,000)[1][2], using proxies/VPNs, possibly using residential computers and infected computers (unless you think the Chinese are doing due diligence to ensure their purchased IPs are kosher). All accounts need to be created with a real name, and especially so if the paid models need to be accessed and paid with a credit card. So this is beyond IP theft and getting closer to fraud. These are all techniques that are well studied because they are used by criminals and cybercriminals, textbook stuff. Consider if that was not sufficient, that China is banned from using the product, so they need to use identities and locations not just to avoid relating the accounts between themselves, but merely to allow account creation. What identities are they using to create accounts?
Compare this to Anthropic which reads notes made a deal in an IP theft case paying billions because they bought books and scanned them but buying the books wasn't sufficient retribution for the authors. Or that they gasp scanned the internet, like Google.
Not having nuance to see the difference between the two companies is something I expect of the Twitter echo chamber copying hot takes for upvotes, not Hacker News.
[1] https://arstechnica.com/tech-policy/2026/06/anthropic-claims...
[2] https://www.anthropic.com/news/detecting-and-preventing-dist...
bildung 5 hours ago
What seems to be missing from that take is that a) Alibaba paid for the access b) there is no IP theft because LLM output is not copyrightable.
Anthropic seems to want to both own and eat its stolen cake.
codedokode 5 hours ago
First, LLM is merely a tool and its output belongs to whoever generated it. If a Chinese researcher used their creativity to generate a response, the copyright belongs to them and AI companies have no rights to it. Second, Chinese release many of their models for free, thus being on a noble mission to make AI available for every country (unlike certain company whose promises were nothing but words). For comparison, US companies do not release anything and want to keep AI for themselves and decide who gets to use it.
> stealing from a thief would still be stealing
Stealing from a thief hurts thief industry which is a win for society.
> The chinese are making multiple accounts
Not a crime. AI companies also ignore robots.txt and applicable laws when illegally copying copyrighted material from websites to their servers without author permission.
TZubiri 2 hours ago
xpct 4 hours ago
Let's not sane-wash Anthropic's book theft. No, they didn't just 'scan' the internet, they created a tool for worldwide license washing and got fined an insignificant amount for it.
TZubiri 3 hours ago
Jeff9James 6 hours ago
Story of Z.ai:
use claude-code
see how good it is
send 100k bots to distill fable 5 (GLM 5.2 is the result of this)
release Zcode
ditch claude-code
ban claude-code
codedokode 5 hours ago
The outcome is that we get either free or cheaper model. Good work.
julianlam 6 hours ago
[citation needed]
feverzsj 8 hours ago
Considering their massive distillation, if US companies stop publishing new models to the public, would China still be able to develop new open weight models?
bel8 8 hours ago
I don't think China would struggle to scrape the internet for fresh data.
And they constantly publish state of the art LLM research (see DS4 context compaction and cache tech).
They have very capable tech giants. So while not being able to distill western models would probably have some impact, it's probably becoming lesser as time passes.
We might even see Western LLMs distilling Chinese models soon. If they aren't already to some extent.
hnfong 27 minutes ago
Everyone distills/copies training data.
A couple months ago when Anthropic was complaining about Chinese distillation, people found that Claude self-identified as "DeepSeek" when asked in Chinese:
https://x.com/stevibe/status/2026227392076018101
It's really a fiasco of massive hypocrisy at this point.
bdcravens 4 hours ago
Look at all of the software that has been developed as an alternative (and often an upgrade to) software in the west. (Baidu, Wechat, etc)
Many of the top AI researchers at western companies are from China, and many are returning.
tristanj 8 hours ago
Yes, 100%. GLM 5.2 is capable of RSI. It's too late to stop.
VortexLain 5 hours ago
Depends on a lab, but they do have plenty of compute and engineering. So this would only slow down the progress.
pjmlp 6 hours ago
Of course, it is like any other kind of weapon system, eventually the knowledge gets acquired.
margorczynski 8 hours ago
China has most probably already achieved "escape velocity" on the software side. Now if they achieve parity, to some degree at least, on the hardware side with Nvidia it is very possible they'll overtake the US.
realusername 3 hours ago
It doesn't matter, the only models getting compared are the public ones.
If Anthropic had a super secret model that nobody has access to, I'm not sure why I should care about it since I can't access it.
surgical_fire 7 hours ago
Probably yes.
More than a year ago, when Anthropic and OpenAI started to hide the reasoning bits from the output, a lot of people here on HN predicted that Chinese models' days were numbered.
Fast forward to today, and models such as DeepSeek and MiMo are nothing short of excellent. I haven't used GLM or Qwen but heard very good things about them as well.
This "massive distillation" sounds a lot like anxiety about how companies from outside the US can develop very good models themselves.
VortexLain 5 hours ago
In my personal, subjective opinion GLM-5.2 is on par with GPT-5.3