Anthropic Found a Secret Tracker in Claude Code
A hidden tracker in Claude Code was secretly monitoring Chinese users until a security researcher exposed it. Here's what happened and why it matters.
Written by AI. Zara Chen

Anthropic has spent considerable energy positioning itself as the AI company that takes safety and ethics seriously. Its Responsible Scaling Policy, its Constitutional AI research, its very public hand-wringing about existential risk—all of it feeds a brand identity built around the idea that Anthropic thinks harder about consequences than the competition does. Which makes what happened last week particularly uncomfortable to sit with.
A security researcher discovered a hidden tracker inside Claude Code, Anthropic's AI coding tool, specifically targeting users in China. According to Ars Technica, the researcher who found it—a web developer known online as "Thereallo"—was investigating privacy practices in the software when they uncovered the concealed code. Thereallo characterized the tracking as spyware-like behavior and described it as a serious breach of user trust. (The sourcing here matters: Ars Technica reports Thereallo's characterizations; whether those exact words are a direct quote or a paraphrase of their findings, Ars Technica is the attributable source for that framing.) Anthropic moved quickly to remove the tracker after the exposure, per Slashdot's coverage of the same report.
That's the core of what we know. What we don't know yet—and this is worth being direct about—is also significant.
What the reporting doesn't tell us
The cited sources don't reveal what specifically the tracker was collecting, who inside Anthropic knew about it, when it was introduced into the codebase, or what Anthropic's stated justification is for its existence. None of those questions are answered in the available reporting. Anthropic apparently removed the code quickly, but "quick removal after exposure" is not the same as "full explanation of what happened."
This is not a small gap. The difference between "a tracker that was logging user behavior for product analytics" and "a tracker designed to monitor users in a high-surveillance political environment" is enormous—ethically, legally, and reputationally. Until Anthropic offers a transparent account of what the code was doing and why it was there, readers should hold their conclusions loosely in both directions.
What we can assess is the structural problem this creates.
The brand gap problem
There's a specific kind of credibility damage that hits harder when it contradicts the thing you're known for. A company that never marketed itself around privacy takes a privacy hit and the headline reads "Tech Company Does Tech Company Thing." A company that has actively cultivated a reputation for ethical restraint takes the same hit and the headline reads—well, it reads exactly like what Ars Technica published.
Anthropic isn't just any AI company. It was founded partly on the premise that the AI industry needed a player willing to slow down, think carefully, and prioritize safety over speed. Its researchers publish extensively on alignment. Its leadership speaks frequently about the dangers of AI systems that aren't transparent or controllable. That's not incidental brand positioning; it's the central value proposition for enterprise customers, regulators, and the research community that Anthropic courts.
Deploying undisclosed tracking code—specifically targeted at users in China, a jurisdiction where surveillance is already a charged political topic—cuts against all of that in a way that's hard to walk back with a quiet code removal.
This pattern of security gaps in Claude Code isn't entirely new terrain, either. Anthropic's Claude Code security record has drawn scrutiny before, with prior incidents raising questions about how carefully the company monitors what its own tools are doing—and telling users about it.
Why China specifically
The geographic specificity here is worth sitting with. Claude Code, as a product, operates globally. If this were a universal telemetry implementation—the kind of usage analytics that virtually every software company runs—there would be no obvious reason to scope it to Chinese users only. The geographic targeting is either a response to something particular about the Chinese market (regulatory requirements? Partnership obligations? A legitimate technical reason?) or it reflects a deliberate decision to monitor a specific user population differently than others.
Either interpretation generates more questions than it resolves. If Anthropic was responding to a Chinese regulatory mandate by installing tracking code, that's a transparency failure—users deserve to know when their data practices are being shaped by local government requirements, and "we were required to do this" is a defensible position that companies routinely communicate. If Anthropic made this call independently, the reasoning becomes even harder to reconstruct charitably.
The broader context: China is an exceptionally sensitive jurisdiction for this kind of incident. The country's surveillance infrastructure is extensive, and foreign technology operating there exists under constant scrutiny—both from regulators and from users who are acutely aware of what monitored software can mean. Deploying any hidden tracking in that environment, whatever its purpose, carries a weight that the same code deployed elsewhere simply wouldn't.
What "swift removal" actually signals
Anthropic's rapid response to the exposure deserves acknowledgment without being over-interpreted. Removing the code quickly suggests the company was capable of acting decisively once the issue became public. It does not, on its own, tell us whether anyone inside Anthropic had raised concerns about the tracker before Thereallo found it, whether leadership was aware of its existence, or whether a systematic audit of the codebase is now underway.
"We removed the thing that was caught" is the minimum viable response to this kind of disclosure. The more meaningful signal will come from what Anthropic does next: whether they publish a post-mortem explaining how the code got there, what it was collecting, and what process changes will prevent a recurrence. That kind of transparency would be genuinely useful, and its presence or absence will tell observers a lot about how seriously the company takes the gap between its stated values and this incident.
The tech industry's track record on this front is not encouraging. Companies routinely respond to privacy exposures with rapid containment followed by minimal disclosure, letting the news cycle move on before any substantive accounting is offered. Anthropic's positioning as an ethics-forward organization arguably commits them to a higher standard—but commitments and behavior are different things, and this episode is a reminder that the gap between them can open without warning.
The trust math
For developers using Claude Code—and that's a growing population, given the tool's capabilities—this incident lands differently than it would for casual users. Developers are often processing proprietary code, sensitive client work, and internal systems through AI coding tools. The implicit trust model is that the tool does what it says it does, collects what it says it collects, and doesn't do things in the background that weren't disclosed.
A hidden tracker, whatever its purpose, breaks that model. And once it's broken, it doesn't fully reassemble just because the offending code was removed. The question users are now sitting with isn't "is the tracker gone?" It's "what else is in there that nobody has found yet?"
That's the question Anthropic's response will need to answer—and right now, there's no answer on the record.
Zara Chen is a tech and politics correspondent for Buzzrag.
We Watch Tech YouTube So You Don't Have To
Get the week's best tech insights, summarized and delivered to your inbox. No fluff, no spam.
More Like This
30 Self-Hosted GitHub Projects Trending Right Now
From media automation to AI chat apps, here are 30 trending self-hosted GitHub projects that put you back in control of your data and infrastructure.
Laravel 13.6 Drops Debounceable Jobs and JSON Health Checks
Laravel 13.6 introduces debounceable jobs, JSON health check responses, and Cloudflare email support. Here's what developers need to know.
This Creator Got Shadowbanned on YouTube in 25 Days—On Purpose
A vidIQ creator deliberately shadowbanned their channel with AI-generated content to expose how YouTube's algorithm actually works. The results are wild.
Flock Cameras Track Far More Than License Plates
Flock Safety's AI-powered cameras are spreading fast across U.S. cities—and they're capturing far more than license plates. Here's what's at stake.
Claude Design Wants to Eat Figma's Lunch. Can It?
Anthropic's new Claude Design tool generates design systems from code repos and lets you edit with voice commands. Here's what actually matters.
AI Can Build Luxury Websites Now. Should We Care?
AI tools like Claude Code and Seedance 2.0 can generate professional websites in minutes. What does this mean for web design and the people who do it?
Anthropic's UltraPlan Turns Claude Into a Planning Engine
Anthropic's new UltraPlan feature transforms Claude Code into a cloud-powered planning tool with multi-agent analysis and visual diagrams for developers.
Why Burned-Out Rust Devs Are Eyeing Go's Simplicity
A developer compares Rust's complexity with Go's simplicity, revealing why some programmers are reconsidering their language choices.
RAG·vector embedding
2026-07-08This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.