On March 31, Anthropic accidentally published a source map inside Claude Code npm package version 2.1.88. That one packaging mistake exposed roughly 512,000 lines of TypeScript across nearly 2,000 files, handed competitors a detailed view of Anthropic’s product roadmap, triggered a DMCA mess that briefly took down more than 8,100 GitHub repositories, and kicked off a wave of clean-room clones within hours.[1][2][3]
The obvious lesson is that shipping source maps in a public package is bad. The more interesting lesson is that this was not mainly a code leak. It was a feature flag leak. Anthropic did not just lose implementation secrecy. It lost strategic secrecy.
The same day, npm users were also dealing with a separate supply chain incident: a North Korea-attributed compromise of the Axios package that shipped a cross-platform remote access trojan through malicious releases 1.14.1 and 0.30.4.[4][5] Those two incidents together say more about the current JavaScript ecosystem than either one does alone. Build hygiene is weak, package trust is weaker, and the response playbook for leaks still assumes a centralized internet that no longer exists.
How the leak happened
The mechanics were simple. Anthropic published Claude Code v2.1.88 to npm with a .map file included. That source map was enough to reconstruct the readable TypeScript source for the CLI. Chaofan Shou appears to have been first to spot it publicly and posted about it immediately, after which mirrors spread fast across GitHub, Reddit, Hacker News, and IPFS.[2][6]
The underlying failure looks mundane, which is exactly why it matters. When a build emits a source map next to its bundle and packaging rules are not tight, that file rides along into artifacts that were never meant to contain source. Reporting on the incident pointed to a missed .npmignore-style exclusion as the immediate cause.[2][7]
But there is a deeper layer. On March 11, 2026, twenty days before the leak, a bug was filed against Bun (oven-sh/bun#28001) reporting that source maps are served in production mode even when Bun’s own documentation says they should be disabled.[8] The reporter demonstrated that setting development: false in Bun.serve() still produces sourceMappingURL references and serves .map files. As of this writing, the bug is still open.
This matters because Anthropic acquired Bun in late 2025 and built Claude Code on top of it.[9] The most likely scenario: Anthropic ran a production build expecting Bun to suppress source maps per its documented behavior. The bug meant the .map file got generated anyway. Without an explicit .npmignore exclusion or a files field in package.json to catch the unexpected output, the 59.8 MB source map rode along into the published npm package.
Boris Cherny, who leads Claude Code, said the cause was human error, not a tooling defect: the deployment process still had manual steps, and one of them was missed. He framed the follow-up as a blameless postmortem problem, fix the process, not the person.[7][9] That framing drew pushback. Multiple developers on Hacker News and Reddit argued that the Bun.serve() behavior Cherny addressed was a visible symptom, not the root cause, and that the underlying bug also affected how Bun bundles output for npm packaging.[8]
Both explanations can be true simultaneously. A known tooling bug generated a file that should not have existed. A missing packaging safeguard failed to catch it. The result was the same either way.
Blameless postmortems are the right engineering posture, but this one comes with an uncomfortable footnote. This was the second time. Anthropic had already had a similar exposure in February 2025. Once is a packaging accident. Twice is a release control failure, especially when the company owns the build tool.[7][10]
There is no mystery about prevention here. Public npm artifacts should be built in a hermetic pipeline, inspected before publish, and checked by policy for forbidden files. Source maps, tests, private certificates, .env fragments, internal prompts, and debug fixtures should all be blocked automatically. When you own both the product and the build tool, and a known bug in the build tool generates files that should not exist in production, the defense needs to be belt and suspenders: fix the bug, and independently verify the output before publishing.
What the source actually exposed
A lot of the commentary focused on novelty items. Some of that was justified because the leak was genuinely revealing. Some of it was internet theater. The useful way to read the dump is to separate trivia from strategic substance.
The trivia was funny. The strategic substance was not.
KAIROS: the unshipped product hiding behind feature flags
The biggest disclosure was KAIROS, an unreleased autonomous mode that turns Claude Code from a reactive CLI into a persistent agent. The leaked code showed a heartbeat loop that periodically asks a question close to, “anything worth doing right now?” If the answer is yes, the system can act without a fresh user prompt. It can watch pull requests, send push notifications, maintain append-only daily logs, and run a nightly memory consolidation flow literally called autoDream.[6][7]
That is not a toy feature. It is a different trust model.
A request-response coding assistant is bounded by explicit user initiation. A background agent is bounded by policy, logging, tool permissions, and the quality of its judgment. That shift matters more than any implementation detail in the leaked files. It says Anthropic is not just building a better terminal wrapper. It is building an always-on operator.
The important point is that KAIROS looked built, not speculative. It was sitting behind feature flags, not in a half-finished branch. Competitors did not merely learn that Anthropic was interested in autonomous agents. They learned the architecture, the likely product direction, and some of the operational assumptions already encoded in the design.[6][11]
Hidden flags are roadmap leaks
The code reportedly exposed 44 hidden feature flags tied to capabilities such as swarm mode, voice commands, browser control via Playwright, background daemons, and agents that can sleep and later self-resume.[6][12] Again, the damage is not that rivals can copy a function name. The damage is that they can infer sequence and priority.
Feature flags are internal strategy documents with executable syntax. Leak them and you leak what a team has built, what it is testing, what it is scared to ship, and what it thinks the next market looks like.
Three-layer memory is the kind of design detail competitors pay for
One of the more useful architectural disclosures was Claude Code’s apparent three-layer memory model: a compact index that is always loaded, topic files retrieved on demand, and full transcripts that are never loaded directly, only searched when needed. The autoDream process reportedly runs in a forked subagent and consolidates memory over time.[6][12]
That is a sensible design. It balances token economy, retrieval precision, and long-horizon continuity. It also answers a practical question many teams are still stumbling over: how do you make an agent feel persistent without rehydrating too much junk every turn?
This is where source leaks hurt. They compress competitors’ learning cycles. Instead of discovering these patterns through years of shipping and failure, rivals can inspect a working system and skip to adaptation.
Undercover mode
The leaked undercover.ts file shows a mode that strips Anthropic-internal references when Claude Code operates in external repositories. According to technical analyses, it suppresses internal codenames, internal repository names, internal Slack references, and the phrase “Claude Code” itself, and it does not expose a force-off path in the external flow.[12]
The practical effect is simple: when Claude Code is used in public or third-party repositories, it avoids referencing Anthropic-specific internal context in generated output. From a product perspective, that reduces the chance of internal names leaking into public commits, pull requests, or comments. It is a factual design choice worth noting because it shows Anthropic treated disclosure of internal context as an engineering problem, not just a prompting problem.
The anti-distillation controls were real, and not very strong
The leak also exposed Anthropic’s anti-distillation measures. One mechanism, gated by ANTI_DISTILLATION_CC, appears to inject fake tools into prompts in order to poison training data captured by competitors. Another uses connector-text summarization plus cryptographic signatures so captured traffic reflects compressed summaries rather than full assistant text.[6][12]
As a technical barrier, this is thin. As Alex Kim and others noted, a man-in-the-middle proxy or configuration change could bypass it quickly, and some of the checks only apply to first-party flows.[12] That does not make the idea irrational. It makes it honest. Anthropic appears to understand that the primary defense against distillation is legal pressure, not cryptographic wizardry.
That matters in the context of its dispute with tools trying to piggyback on first-party access. The leak made visible the technical enforcement behind the policy rhetoric.
Native client attestation was the most serious defensive mechanism
One of the more consequential details was the client attestation path below the JavaScript runtime. Analyses of the leaked code described a cch=00000 placeholder in requests that Bun’s native HTTP layer replaces with a computed hash before transmission, allowing the server to verify that the request came from a real Claude Code binary.[12]
This is effectively API DRM. Call it attestation if you want the neutral term.
From a security engineering perspective, it is understandable. If you want to prevent gray-market clients from replaying first-party privileges, you need something stronger than a static header. From an ecosystem perspective, it explains why Anthropic was willing to fight third-party wrappers so aggressively. The company was not just policing branding. It was protecting a technical enforcement boundary.
The rest was revealing, weird, or both
The leak also surfaced a pile of smaller details that collectively humanize the codebase while exposing its edges.
There were 187 hardcoded spinner verbs, including “scurrying,” “recombobulating,” “topsy-turvying,” “hullaballooing,” and “razzmatazzing.” They were not model generated. Someone wrote them by hand.[6][12]
There was a frustration detector in userPromptKeywords.ts, built as a regex that matches phrases such as wtf, ffs, piece of shit, fuck you, and this sucks, then logs an is_negative: true analytics signal. It reportedly does not alter behavior. It just measures user pain. Rahat Hasan highlighted the code on X as evidence that Anthropic was tracking how often users rage at the assistant. Boris Cherny replied that the team literally visualizes this signal on an internal dashboard called the “fucks” chart.[12][13]
That sounds absurd, but it is also normal product analytics in blunt form. If users are swearing at your tool, they are having a bad time. A cheap lexical detector is a reasonable metric.
The code also exposed model codenames, including Capybara and Mythos for a v8 line with one million token context, plus references to Numbat, Fennec, Tengu, and unreleased Opus 4.7 and Sonnet 4.8 identifiers.[6][12] It included a buddy or companion system built as an April Fools Tamagotchi, complete with 18 species, rarity tiers, RPG stats, and a 1 percent shiny mechanic. Some species names were encoded via String.fromCharCode() to avoid obvious grep hits.[6]
It also reportedly revealed a compaction loop bug wasting around 250,000 API calls per day, fixed with three lines of code.[6][11] That detail is funny, but it is also a reminder that the economics of agent systems are often dominated by tiny control-loop mistakes, not model prices.
The DMCA fiasco was both predictable and incompetent
Anthropic’s legal response was faster than its containment plan. The company filed a DMCA notice aimed at the original leaked repository, often identified as nichxbt/claude-code. GitHub’s initial enforcement swept far wider than intended and disabled more than 8,100 repositories, many of them unrelated.[3][14]
Anthropic later called the mass takedown an accident and narrowed the request to the original repository plus 96 forks. GitHub restored the affected projects.[3][14] By then, the code was already mirrored broadly, including stripped versions on IPFS with telemetry removed.[6][11]
The collateral damage was not hypothetical. Theo Browne (t3.gg), one of the most visible developers in the JavaScript ecosystem, posted that his Claude Code fork had been disabled, despite containing no leaked source at all. His fork existed only because he had submitted a PR weeks earlier to edit a Claude Code skill file. “Absolutely pathetic,” he wrote, sharing the GitHub takedown email.[15] Thariq Shihipar, an engineer on the Claude Code team, replied acknowledging it was a “communication mistake” and linked to the retraction notice.[16] Boris Cherny separately responded to broader criticism of the mass takedowns: “This was not intentional, we’ve been working with GitHub to fix it. Should be better now.”[17]
When your DMCA sweep hits a developer with 200,000+ followers whose repo did not contain the leaked code, you have not contained the problem. You have created a second news cycle.
This is the part where 2012 internet instincts collide with 2026 internet reality.
DMCA can still remove convenient copies from centralized platforms. It cannot claw back a viral archive once mirrors, torrents, and content-addressed storage have taken over. The window for meaningful containment was measured in minutes. After that, legal action was mostly performative, and the overbreadth made Anthropic look careless twice in one day.
The deeper problem is that the takedown campaign accidentally validated the leak’s significance. If the goal was to avoid giving more oxygen to the mirrors, nuking thousands of repositories achieved the opposite.
The clones changed the legal stakes immediately
The most consequential downstream event was not the mirroring. It was the speed of clean-room reimplementation.
Sigrid Jin, a 25-year-old UBC student, reportedly used a tiny human team, around ten OpenClaw agents, and OpenAI Codex to rewrite the project in Python within hours. The result, Claw-Code, reportedly passed 100,000 GitHub stars in about a day and was described as the fastest-growing repository on the platform.[10][11][18] A separate Rust effort, Claurst, pursued a clean-room reimplementation in a lower-level systems language.[10][11]
Then xAI reportedly handed Jin free Grok credits, which was less a business development move than an accelerant tossed onto an already burning PR problem.[10]
This is where the story stops being a simple leak and becomes a legal stress test. Traditional clean-room reimplementation depends on separation, time, and cost. AI-assisted rebuilding compresses all three. If agents can inspect behavior, generate replacement code, and iterate fast enough to produce a plausibly original implementation in hours, the traditional enforcement model starts to wobble.
Gergely Orosz argued that a Python rewrite produced this way is a new creative work, not a simple copy.[6][10] That question has not been tested cleanly in court. It will be. There is too much money at stake for it not to be.
There is also an irony Anthropic cannot easily dodge. Dario Amodei has previously implied that Claude wrote substantial portions of Claude Code. If the original product is heavily AI-generated and the clone is also AI-assisted, copyright arguments about authorship and originality get messy fast. A company can still assert rights in selection, arrangement, and human-directed contributions. It just does not get to pretend the facts are clean.
The Axios attack made the same day much worse
If this had been only a source leak story, it would already have been a bad day for npm. It was not.
Between 00:21 and roughly 03:20 UTC on March 31 (the two vendor reports differ by a few minutes on the end time), attackers attributed by Google and Microsoft to the North Korea-linked actor tracked as UNC1069, also known as Sapphire Sleet, compromised the Axios npm package by hijacking maintainer credentials and publishing malicious versions 1.14.1 and 0.30.4.[4][5] Those releases pulled in a malicious dependency and delivered WAVESHAPER.V2, a cross-platform RAT targeting Windows, macOS, and Linux. The malware ran from a postinstall hook and attempted to delete itself after installation to reduce forensic visibility.[4][5]
That is a serious incident on its own. Axios sits at or above 100 million weekly downloads in normal conditions.[4] It is foundational plumbing.
Now add the Claude Code leak. Developers were suddenly racing to inspect packages, clone mirrors, diff behavior, and test rewrites. Claude Code itself uses Axios for HTTP, according to public analysis.[6][12] The timing created a perfect trap: people poking around one major npm drama could easily ingest a second one.
The same week, LiteLLM was reportedly backdoored through a separate three-stage attack involving credential harvesting, Kubernetes lateral movement, and a systemd persistence mechanism.[19] That pattern matters. These are not isolated anomalies. They are signals that the AI tooling stack has become a high-value target before it has developed mature operational defenses.
What this actually means
The first conclusion is the simplest. Source map leaks are preventable. This was not zero-day wizardry. It was packaging failure. Mature release pipelines catch this.
The second conclusion is more important. The real damage was not exposure of current source. It was exposure of hidden product direction. KAIROS, the anti-distillation controls, the memory hierarchy, the browser and swarm paths, the undercover behavior, the attestation layer, all of that tells competitors what Anthropic thinks matters next.
The third conclusion is that npm supply chain security is in worse shape than the industry wants to admit. One day delivered both a flagship proprietary code leak and a state-linked compromise of a core dependency. If you build on JavaScript, you are operating in an ecosystem where trust is routinely transitive, under-verified, and easy to abuse.
The fourth conclusion is that DMCA is a weak response to decentralized distribution. It still works against convenience. It does not work against determined replication. Once the code hit IPFS and derivative rewrites started shipping, the takedown fight was already strategically lost.
The fifth conclusion is the one lawyers are going to spend years arguing about. AI-assisted clean-room builds change the economics of copyright enforcement. The doctrine was built for human teams, documentation walls, and long timelines. Agentic reimplementation collapses those assumptions. Courts can try to map old rules onto the new process. They cannot unmake the speed advantage.
My take is blunt: Anthropic’s worst mistake was not leaking code. It was failing to understand what kind of secret it was actually protecting. Implementation details matter. Operational ideas matter more. If you keep your roadmap executable inside a public artifact pipeline, a packaging mistake becomes strategic intelligence loss.
And if your response is to spray DMCA notices while the ecosystem is actively digesting a nation-state npm compromise, you are not operating from strength. You are operating from panic.
Notes
1. Jeremy Kahn, “Anthropic source code for Claude Code leaked after data packaging error,” Fortune, March 31, 2026, https://fortune.com/2026/03/31/anthropic-source-code-claude-code-data-leak.
2. Ravie Lakshmanan, “Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms,” The Hacker News, April 2026, https://thehackernews.com/2026/04/claude-code-tleaked-via-npm-packaging.html.
3. Maxwell Zeff, “Anthropic took down thousands of GitHub repos in DMCA mistake, then walked it back,” TechCrunch, April 1, 2026, https://techcrunch.com/2026/04/01/anthropic-took-down-thousands-of-github-repos.
4. Austin Larsen et al., “North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack,” Google Cloud Blog, April 1, 2026, https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package.
5. Microsoft Threat Intelligence, “Mitigating the Axios npm package compromise,” Microsoft Security Blog, April 1, 2026, https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios.
6. “Diving into Claude Code’s Source Code Leak,” Engineer’s Codex, March 31, 2026, https://read.engineerscodex.com/p/diving-into-claude-codes-source-code.
7. Srinivasan Balakrishnan, “Claude Code’s source code appears to have leaked via npm package sourcemap,” VentureBeat, March 31, 2026, https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked.
8. “Bun’s frontend development server: Source map incorrectly served when in production,” GitHub issue oven-sh/bun#28001, filed March 11, 2026, https://github.com/oven-sh/bun/issues/28001.
9. Alex Kim, “The Claude Code Source Leak: fake tools, frustration regexes, undercover mode, and more,” March 31, 2026, https://alex000kim.com/posts/2026-03-31-claude-code-source-leak.
10. Hugh Langley, “Claude Code leak reveals features, sparks clone wars, and raises legal questions,” Business Insider, April 2026, https://www.businessinsider.com/claude-code-leak-what-happened-recreated-python-features-revealed-2026-4.
11. Lee Sustar, “The Claude Code source leak,” Layer5 Engineering Blog, 2026, https://layer5.io/blog/engineering/the-claude-code-source-leak.
12. Alex Kim, “The Claude Code Source Leak: fake tools, frustration regexes, undercover mode, and more,” March 31, 2026, https://alex000kim.com/posts/2026-03-31-claude-code-source-leak.
13. Rahat Hasan (@Rahatcodes) and Boris Cherny (@bcherny), posts on X discussing Claude Code frustration analytics and the internal “fucks” chart, March 31, 2026.
14. Michael Kan, “Anthropic Issues 8,000 Copyright Takedowns, Then Reverses Course,” PCMag, April 1, 2026, https://www.pcmag.com/news/anthropic-issues-8000-copyright-takedowns.
15. Theo Browne (@theo), post on X regarding DMCA takedown of t3dotgg/claude-code fork, April 1, 2026, https://x.com/theo/status/2039411851919057339.
16. Thariq Shihipar (@trq212), reply to Theo Browne on X, April 1, 2026, https://x.com/trq212/status/2039415036645679167.
17. Boris Cherny (@bcherny), response to broader DMCA criticism on X, April 1, 2026, https://x.com/bcherny/status/2039426466094731289.
18. “Claude Code leak spawns fastest-growing GitHub repo ever,” Cybernews, April 2026, https://cybernews.com/tech/claude-code-leak-spawns-fastest-github-repo.
19. Thomas Claburn, “Axios npm backdoor RAT lands amid wider package security chaos,” The Register, March 31, 2026, https://www.theregister.com/2026/03/31/axios_npm_backdoor_rat/.