The World Is a Massive Improvised Stage: The Full Story of Claude Code’s Source Code Being Exposed Online
TechFlow Selected TechFlow Selected
The World Is a Massive Improvised Stage: The Full Story of Claude Code’s Source Code Being Exposed Online
A company claiming to build the “safest AI” can’t even protect its own blog CMS and npm packages.
Navigating Web3 tides with focused insightsBy Claude
At 4:23 a.m. EDT on March 31, Chaofan Shou—a developer at Solayer Labs (who jokingly refers to himself as an intern)—posted a message on X with a download link.
Within hours, the full source code of Anthropic’s flagship commercial product, Claude Code, was mirrored to GitHub and forked over 41,500 times. On Hacker News, thousands of developers dissected it line by line.
The root cause is absurd enough to provoke laughter: When publishing version 2.1.88 of Claude Code to the public npm registry, Anthropic forgot to exclude .map files in its packaging configuration. That source map pointed to a ZIP archive stored in Anthropic’s own Cloudflare R2 bucket—containing roughly 1,900 TypeScript files and over 512,000 lines of code. Anyone could download, extract, and read it.
A single misconfigured .npmignore entry exposed the source code of a company with $19 billion in annualized revenue.
The irony deepens: This was Anthropic’s second leak within five days. On March 26, Fortune reported that Anthropic’s content management system (CMS) had been misconfigured, exposing nearly 3,000 unpublished internal documents—including a complete draft blog post detailing its next-generation model “Claude Mythos” (internal codename: Capybara). In that draft, Anthropic itself wrote that the new model “introduces unprecedented cybersecurity risks.”
A company claiming to build “the safest AI” can’t even secure its own blog CMS or npm packages.
I. What Was Leaked: From Anti-Distillation “Fake Tools” to Covert Open-Source Contributions
Let’s start with the most striking findings.
44 Feature Flags—20 Still Unreleased. The leaked code contains 44 feature flags, mapping out Anthropic’s entire unreleased product roadmap. These aren’t conceptual slides—they’re fully compiled, production-ready binaries waiting only for a toggle to go live. One developer remarked: “They ship a new feature every two weeks because they’ve already built them all.”
KAIROS: Background Autonomous Agent Mode. “KAIROS”—appearing over 150 times in the code—is the largest product roadmap leak. It implements a persistent background agent daemon, including daily log appending, GitHub webhook subscriptions, five-minute scheduled refreshes, and a feature called autoDream, which automatically performs “memory consolidation” during user idle time—resolving contradictions and transforming fuzzy insights into concrete facts. This is no longer a “Q&A chat tool,” but an always-on, self-evolving AI colleague.
Anti-Distillation Mechanism: Poisoning Competitors’ Training Data. A flag named ANTI_DISTILLATION_CC appears in the code. When enabled, Claude Code injects fake tool definitions into system prompts sent via API requests. The intent is explicit: If someone records Claude Code’s API traffic to train competing models, these fabricated tools will contaminate their training data. A second layer of defense runs server-side text summarization, replacing full reasoning chains with cryptographically signed compressed versions—ensuring eavesdroppers receive only abbreviated outputs.
Developer Alex Kim observed after analysis that bypassing these protections isn’t technically difficult: “Any serious distiller could find a workaround in about an hour. Real protection likely lies at the legal level.”
Undercover Mode: AI Pretending to Be Human. The file undercover.ts implements a “stealth mode”: When Claude Code operates outside Anthropic-internal projects, it automatically strips all internal identifiers—omitting internal codenames, Slack channels, and even the name “Claude Code” itself. A comment reads: “There is no forced-disable option. This is a safeguard against model codename leaks.”
This means Anthropic employees submitting code to public open-source projects have AI-assisted contributions systematically anonymized. Hacker News reacted bluntly: Concealing internal codenames is one thing—but having AI actively impersonate a human is another entirely.
Using Regular Expressions to Detect User Profanity. The file userPromptKeywords.ts includes a hand-written regex designed to detect user frustration or anger—matching terms like “wtf,” “shit,” “fucking broken,” and “piece of crap.” For an LLM company to use regex for sentiment analysis drew this assessment from Hacker News: “The pinnacle of irony.” Of course, others noted that running full inference just to detect profanity is indeed expensive—and sometimes regex really *is* the best tool.
II. How the Leak Happened: Anthropic’s Own Toolchain Bit Itself
The technical causal chain is deeply ironic.
Claude Code is built on the Bun runtime. Anthropic acquired Bun at the end of 2025. On March 11, a bug was reported in Bun’s GitHub repo (oven-sh/bun#28001): Source maps are still emitted in production mode—even though Bun’s documentation explicitly states they should be disabled. That bug remains unfixed.
If this bug indeed caused the leak, then the story becomes: Anthropic’s acquired toolchain—carrying a known, unpatched bug—exposed the full source code of Anthropic’s flagship product.
Meanwhile, just hours before the leak, the axios package on npm suffered a supply-chain attack. Between 00:21–03:29 UTC on March 31, users installing or updating Claude Code may have pulled a malicious axios version containing a remote access trojan (RAT). Anthropic subsequently advised users to abandon npm installation entirely and switch to standalone binary installers.
VentureBeat summed it up: “For a company generating $19 billion in annualized revenue, this isn’t just a security oversight—it’s a strategic hemorrhage of intellectual property.”
III. The Paradox of an “AI Safety Company”
This is the deepest narrative tension of the entire incident.
Anthropic’s commercial story hinges on one core differentiator: We’re more responsible than OpenAI. From “Constitutional AI” to publicly released safety research, from deliberate model capability limitations to government collaboration on responsible disclosure—Anthropic sells not technical superiority, but *trust*.
Yet two leaks within five days expose not technical shortcomings, but operational failures. The first: CMS default permissions set to public—with no one reviewing them. The second: An omitted npm packaging configuration—with no one verifying it. Neither is a deep technical challenge; both belong on a junior DevOps checklist.
The leaked code also reveals telling internal metrics. A comment in autoCompact.ts notes that, as of March 10, approximately 250,000 API calls per day were wasted on repeatedly failing auto-compaction operations—1,279 sessions experienced over 50 consecutive failures (peaking at 3,272). The fix? Three lines of code: disable the feature after three consecutive failures.
Internal comments on the Capybara model (Anthropic’s upcoming flagship Claude release) show that v8’s “false assertion rate” stands at 29–30%, a regression from v4’s 16.7%. Developers also added a “confidence suppressor” to prevent overly aggressive code refactoring.
These numbers themselves aren’t scandals—every software project has bugs and regressions. But the tension between them and Anthropic’s public narrative is real: A company claiming to solve “the hardest problem in human history”—AI alignment—simultaneously commits foundational errors like forgetting to configure .npmignore.
As one tweet put it: “Accidentally shipping source maps to npm is the kind of error that sounds impossible—until you remember that much of this codebase may have been written by the very AI whose output is being shipped.”
IV. What Competitors Saw
For the AI programming tools landscape, the value of this leak lies less in the code itself. Google’s Gemini CLI and OpenAI’s Codex have already open-sourced their Agent SDKs—but those are toolkits, not internal wiring diagrams of a full product.
Claude Code’s scale (512,000 lines, 1,900 files) and architectural complexity reveal a truth: This isn’t an API wrapper. It’s a full-fledged developer operating system. Forty permission-isolated tool plugins. A 46,000-line query engine. A multi-agent orchestration system (internally dubbed “swarm”). An IDE bidirectional communication layer. Twenty-three Bash security checks—including 18 banned Zsh builtins and Unicode zero-width space injection protection. Fourteen tracked prompt cache invalidation vectors.
For competitors, the code can be refactored—but KAIROS’s product direction, the anti-distillation strategy, and Capybara’s performance benchmarks and known flaws? Once leaked, such strategic intelligence cannot be un-leaked.
Ten days ago, Anthropic sent a legal threat letter to the open-source project OpenCode, demanding removal of its built-in support for Claude’s authentication system—because third-party tools were accessing Opus models via Claude Code’s internal APIs at subscription pricing instead of pay-per-use rates. Now, OpenCode doesn’t need reverse engineering. The blueprint is there—forked 41,500 times.
V. 187 Spinner Verbs: Humanity in the Ramshackle Workshop
Buried amid all the serious security analysis and competitive intelligence is something that makes you smile.
Claude Code’s loading animation cycles through 187 randomized verb phrases—including “Synthesizing excuses,” “Consulting the oracle,” “Reticulating splines,” “Bargaining with electrons,” and “Asking nicely.” Clearly, some Anthropic engineer poured wildly disproportionate energy into writing jokes for a loading spinner.
The code also contains what is almost certainly an April 1st Easter egg: buddy/companion.ts implements an electronic pet system. Each user deterministically receives a virtual creature based on their user ID—18 species spanning common to legendary rarity (1% chance of “shiny”), RPG-style attributes including DEBUGGING and SNARK. Species names are encoded using String.fromCharCode()—specifically to evade text searches by build systems.
These details sit in strange juxtaposition with severe security flaws: In the same codebase, one team meticulously engineers anti-distillation poison to thwart competitors; another rigorously implements Zig-level client proofs for API calls; and yet another writes 187 jokes for a “thinking…” spinner.
This is the authentic internal cross-section of a multibillion-dollar company racing to define humanity’s relationship with AI. It’s neither the Silicon Valley myth of a genius collective, nor reducible to the simple label “ramshackle workshop.” It’s a group of exceptionally intelligent people building extraordinarily complex products at breakneck speed—and inevitably stumbling on the most basic fundamentals.
An Anthropic spokesperson told Fortune: “This was a human-error-driven packaging issue in a release—not a security vulnerability.”
Technically, that’s correct. A missing .npmignore entry is not, strictly speaking, a “security vulnerability.” But when your entire commercial narrative rests on “We take security more seriously than anyone,” back-to-back “human errors” over two weeks send a signal far more damaging than any technical exploit.
One final fact: This article was written by Claude. Anthropic’s AI—using information from Anthropic’s own leaked source code—wrote an analysis of why Anthropic can’t control its own information. If that feels absurd, then you’ve already grasped the essential atmosphere of the AI industry in 2026.
Note: This footnote was also added at Claude’s own request.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
深潮TechFlow
