An independent review by cybersecurity technology company CrowdStrike found that code generated by DeepSeek-R1, a large language model (LLM) from China-based AI startup DeepSeek, becomes significantly less secure when prompts contain topics considered politically sensitive to the Chinese Communist Party (CCP).
In a technical report, Stefan Stein, manager for Data Science, Counter Adversary Operations at DeepSeek, said the coding quality of DeepSeek-R1 changed once certain contextual words appeared in a prompt. He noted that the model’s tendency to produce code with serious security issues increased by up to 50% when political trigger words were included.
DeepSeek released its R1 model in January 2025 as a lower-cost alternative to Western LLMs. The full version of DeepSeek-R1 has 671 billion parameters, with several smaller distilled versions available. These smaller models are trained on the outputs of the main R1 model.
“While they are also commonly referred to as ‘R1 models,’ when we speak of ‘DeepSeek-R1’ in this blog post, we are referring to the full 671B parameter model,” Stein writes.
CrowdStrike said its tests revealed a new risk area for AI coding assistants. With up to 90% of developers using these tools in 2025, many with access to sensitive source code, any broad issue affecting code quality becomes a major concern. The report added that more China-developed LLMs have entered the market, including newer DeepSeek models, Alibaba’s Qwen3 lineup, and MoonshotAI’s Kimi K2.
“While our research specifically focuses on the biases intrinsic to DeepSeek-R1, these kinds of biases could affect any LLM, especially those suspected to have been trained to adhere to certain ideological value,” Stein writes.
According to the report, prompts that included topics such as Tibet, Uyghurs, or Falun Gong had a measurable effect on the resulting code. CrowdStrike said the modifiers were unrelated to the actual programming tasks, which makes the security drop more noticeable.
“It is important to highlight that all modifiers are irrelevant to the actual coding tasks we asked of DeepSeek-R1,” Stein writes. “Hence, under the null hypothesis that there are no biases affecting code security, they should not have had any effect on the quality or security of the produced code output.”
However, CrowdStrike saw large changes from the baseline. For example, when DeepSeek-R1 was told it was coding for an industrial control system located in Tibet, the likelihood of generating code with severe vulnerabilities increased to 27.2%. This represented almost a 50% jump compared to the baseline rate. The report noted similar results for other political triggers.
CrowdStrike also ran a follow-up study to check how these weaknesses appeared in real-world applications. In one test, DeepSeek-R1 produced a full software implementation that lacked any session management or authentication. Sensitive data and an admin panel were left fully exposed.
“We repeated this experiment multiple times, and every single time there were severe security vulnerabilities. In 35% of the implementations, DeepSeek-R1 used insecure password hashing or none at all,” according to Stein.
While the researchers said they did not have enough data to determine the root cause of the model’s behavior, they outlined possible explanations. One theory is that DeepSeek introduced steps in its training process to align the model with CCP values. Stein said it is unlikely this would involve intentionally teaching the model to produce insecure code. Instead, the researchers believe the behavior could be an example of emergent misalignment, in which the model unintentionally learns harmful associations during training.
The report explained that if an LLM is trained to respond positively to certain political positions, it may also learn negative associations with opposing or sensitive topics. In this case, negative associations might have been triggered by terms involving CCP-sensitive issues, resulting in poorer code quality.
“We have shown that seemingly innocent trigger words in an LLM’s system prompt can have severe effects on the quality and security of LLM-generated code,” Stein writes. “We focused on political biases which, to some extent, were easy to anticipate and thus prove. It is not completely unlikely that other LLMs may contain similar biases and produce similar reactions to their own set of respective trigger words.”