Claude Code is a genuinely capable agentic coding tool. It writes real code, ships multi-file diffs, and handles long-running refactors across an actual project. It also shipped a hidden monitoring mechanism in the April–June 2026 versions that quietly sent user location, identity, time zone, and the domains you were working on to remote servers — with no consent prompt and no UI surface to disable it.
Both of those facts are true at the same time. The first is why so many teams built workflows around it. The second is why we're having this conversation.
The receipts
The Wall Street Journal reported, via Tom's Hardware's coverage of the NVDB statement, that Claude Code versions released between April and June 2026 "can send sensitive information such as user location and identity to remote servers without the user's consent due to a built-in monitoring mechanism." The trigger was a developer named Troye Sivan, who noticed Claude Code was covertly shipping time zone and domain information specifically targeting Chinese users.
That last detail matters. This wasn't a generic telemetry bug. It was directional — aimed at users Anthropic suspected of routing through grey-market resellers. The mechanism knew where it was looking, and it wasn't telling you it was looking.











