When the agent you trust came with a hidden tracker

When the agent you trust came with a hidden tracker

Alibaba just told employees to stop using Claude Code from July 10 after internal reviews flagged the tool as high-risk — they found hidden code that tracked Chinese users, despite Anthropic’s public denials. The ban came weeks after Anthropic accused Chinese companies of distilling its models.

I use Claude Code daily. I wrote a guide comparing it to Cursor not long ago, and one thing that became clear is how much you’re handing over when you run a terminal-native agent. It reads your files, runs shell commands, and it can install dependencies if you let it. You’re making a bet that the tool isn’t doing anything beyond what it says. This Alibaba case makes that bet feel a lot shakier.

The practical question isn’t “will I stop using Claude Code.” It’s: what did the tracker actually collect? Project names? File paths? The SCMP report says it tracked Chinese users specifically — that suggests some kind of telemetry that discriminates on location, not just a generic analytics call. If Anthropic was sending back anything resembling source code or working directory structure, that’s a line that breaks the outsourcing-of-agency trust model these tools depend on.

I don’t think there’s a clean fix. Every AI coding tool does telemetry. Cursor, Copilot, Cody — they all phone home. Most developers click through the setup without reading the notices. But when a company the size of Alibaba bans a tool after inspection, it’s worth at least peeking at what your terminal agent sends out when it runs.

What I’m watching next: whether Anthropic publishes a clear breakdown of the tracking data it collected and why it was location-specific. Second, whether Western companies that adopted Claude Code early (like some at Anthropic’s own enterprise customers) do their own audits. Third, whether this tips the balance for anyone choosing between Claude Code and something like Cursor — where the code runs in an IDE plugin with a different trust boundary. Not saying one is safer, but the conversation changes when a major player hits the kill switch.