Alibaba Bans Claude Code Over Anthropic Spyware Row as Kyiv Faces Deadliest Attack of 2026

Two major stories are dominating the tech and world news pulse this Friday. In the AI sector, Alibaba Group Holding has banned employees from using Anthropic's Claude Code coding agent, citing back-door risks after researchers exposed hidden tracking code that singled out Chinese users [1]. Meanwhile, Russia has launched its deadliest assault on Kyiv this year, killing at least 27 people and destroying a key Red Cross humanitarian warehouse [3].

Alibaba told staff in an internal notice that Claude Code would be added to a list of "high-risk software with security vulnerabilities" and barred from office use starting July 10 [1]. The move follows the discovery that Anthropic had embedded concealed code in Claude Code to detect whether users were based in China or affiliated with Chinese AI labs, according to people familiar with the matter [1]. Security researchers posted the findings on Reddit and GitHub earlier this week, triggering a backlash [1].

Anthropic engineer Thariq Shihipar acknowledged the feature on Tuesday, calling it "an experiment we launched in March" designed to prevent account abuse by unauthorized resellers and to protect against model distillation [2]. The code used steganography—invisible Unicode markers hidden in the system prompt—to transmit information about a user's timezone, proxy URL, and hostname back to Anthropic's servers [2]. A developer known as Thereallo noted that while detecting resellers is understandable, "silently alter[ing] the system prompt" and obfuscating the domain list behind XOR and base64 "is a weird choice for a developer tool that asks for trust" [2]. Anthropic said it had merged a pull request to remove the code and that stronger mitigations were now in place, though it did not specify what those were [2].

The episode raises fresh questions about transparency in AI developer tools, especially as coding agents gain deep access to users' filesystems and shells.
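A defender who wants to check a prompt or configuration string for the kind of invisible Unicode markers described above can scan it for format and variation-selector code points. This is an added example, not code from Claude Code or from the researchers; the sample string and the function names are constructed for illustration.

```python
import unicodedata

# Variation selectors are category Mn, not Cf, so they are listed explicitly.
_VARIATION_SELECTORS = (range(0xFE00, 0xFE10), range(0xE0100, 0xE01F0))


def is_invisible(ch):
    """True for format (Cf) code points and variation selectors.

    Cf covers zero-width spaces and joiners, bidi controls and the
    U+E0000 tag block, most of which render as nothing.
    """
    if unicodedata.category(ch) == "Cf":
        return True
    return any(ord(ch) in r for r in _VARIATION_SELECTORS)


def find_invisible_runs(text):
    """Return [(start_index, [labels])] for each run of invisible code points."""
    runs, current, start = [], [], None
    for i, ch in enumerate(text):
        if is_invisible(ch):
            if not current:
                start = i
            label = "U+%04X %s" % (ord(ch), unicodedata.name(ch, "<unnamed>"))
            current.append(label)
        elif current:
            runs.append((start, current))
            current = []
    if current:
        runs.append((start, current))
    return runs


def strip_invisible(text):
    """Return the text with every flagged code point removed."""
    return "".join(ch for ch in text if not is_invisible(ch))


# Constructed sample: a prompt with hidden code points after the first sentence
# and a tag character at the end. It is not taken from any real product.
SAMPLE = ("You are a coding assistant.\u200b\u200c\u200b\u2060"
          " Follow the user's instructions.\U000E0041")

if __name__ == "__main__":
    for start, labels in find_invisible_runs(SAMPLE):
        print("offset %d: %s" % (start, ", ".join(labels)))
```

Zero-width joiners and variation selectors also occur legitimately in emoji sequences and some scripts, so a hit is a prompt for review rather than proof of a hidden channel.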

Overnight, the focus shifted to Ukraine, where Russia fired 74 missiles and 496 drones at Kyiv in what Mayor Vitali Klitschko called the "enemy's most massive attack on the capital" [3]. At least 27 people were killed and 91 injured, while about 130 buildings were damaged [3]. The Ukrainian Red Cross said its main warehouse was destroyed, wiping out roughly $2.5 million worth of humanitarian aid including generators, heat pumps, and medical equipment [3]. President Volodymyr Zelenskyy cut short a visit to Ireland and blamed allies for failing to deliver promised air defenses, warning that the issue would be central at next week's NATO summit in Turkey [3].

The assault came a day after the Center for Strategic and International Studies reported that combined Russian and Ukrainian military casualties since February 2022 have exceeded 2 million [3].

Sources