On March 31, 2026, security researcher Chaofan Shou (@Fried_rice on X) noticed that Anthropic had shipped a source map file in their npm package for Claude Code. His tweet blew up to 34 million views, 12K retweets, and 46K likes within a day. That file contained the complete, unobfuscated TypeScript source for one of the most commercially successful AI coding tools in the world.
The post hit Reddit's r/LocalLLaMA and gathered 3,800 upvotes and 737 comments within 24 hours. The Hacker News thread pulled 2,053 points and over 1,000 comments. The reaction ranged from genuine technical analysis to developers discovering that typing "WTF" into Claude Code gets you flagged. Within hours, dedicated sites like ccleaks.com and ccunpacked.dev popped up to catalog the findings.
Anthropic, valued at roughly $61 billion as of early 2026, had been actively keeping Claude Code's source closed. This was widely seen as a deliberate competitive moat. Other AI coding tools, including Cursor, Aider, and various open-source alternatives, had all published their source. Anthropic hadn't, and the community had noticed.
Then a Bun bug (reportedly related to source map handling during bundling) left the door open and the internet walked through it.
How the Leak Happened
Claude Code is distributed as an npm package. When you run npm install -g @anthropic-ai/claude-code, you get a bundled JavaScript file. Normally, the bundling process strips source maps, the files that map minified code back to the original source.
Except this time, the source map was included.
Source maps aren't obscure artifacts. Every frontend developer has used them. They're the files that let your browser's DevTools show you your original TypeScript instead of the mangled webpack output. But you don't ship them to production. And you definitely don't ship them inside an npm package containing your proprietary codebase.
Multiple Reddit commenters pointed out the irony:
"It's an Electron app. Can one not simply unpack
app.asarvia the electron tooling?"
The answer: yes, but the unpacked code would be minified and obfuscated. The source map gave you the clean, readable, commented TypeScript. Variable names, function names, file structure, everything.
Early analysis suggests the root cause was a bug in Bun's build process. A separate thread on r/programming titled "A bug in Bun may have been the root cause of the Claude Code source code leak" gathered 1,100 upvotes. The Bun team has since addressed the issue, but the source was already mirrored on GitHub and analyzed by thousands of developers.
What People Found Inside
The community tore through the source within hours. Some of the findings were predictable. Others were genuinely surprising for a company positioning itself as the leader in AI safety and engineering rigor.
Sentiment Detection via Keyword Lists
This was the finding that generated the most discussion and the most jokes.
Claude Code classifies user sentiment in real time, but not using any sophisticated NLP or the AI model itself. It uses literal keyword matching. Hardcoded word lists. Words like:
- "wtf"
- "this sucks"
- "frustrating"
- "shit"
- "fuck"
- "pissed off"
These trigger negative sentiment flags in the telemetry system.
Even neutral continuation phrases like "continue", "go on", and "keep going" are tracked as behavioral signals.
One Reddit commenter summed up the reaction:
"They have a lot on me if this is the case lol"
Another:
"fuck, they have a shit ton on me"
The technical community's amusement wasn't about the existence of sentiment tracking. Pretty much every commercial SaaS product tracks user satisfaction signals. The amusement was about the method. This is a company building frontier AI models capable of understanding nuance, context, and natural language. And their production sentiment classifier is, as one commenter put it, "regex-level classification happening before the model responds."
To be fair, there's a reasonable product argument for this approach. Running every user message through the AI model for sentiment analysis would be expensive, slow, and unnecessary. A simple keyword list catches the obvious frustration signals (swearing, exasperation keywords) without adding latency or API cost. But the gap between the sophistication of the product being sold and the sophistication of the tools monitoring its users struck a nerve.
Hesitation Tracking on Permission Prompts
When Claude Code shows a permission dialog (asking whether it can run a command, edit a file, etc.), it doesn't just log your final answer. It tracks your behavior around the decision.
Internal telemetry events include:
tengu_accept_feedback_mode_enteredtengu_reject_feedback_mode_enteredtengu_permission_request_escape
The system tracks: Did you open the feedback box? Did you close it? Did you hit escape without typing anything? Did you type something and then cancel? How many times did you try to escape?
This means Anthropic can distinguish between a user who quickly clicked "allow" and a user who hesitated, started writing feedback, then rejected the permission. That behavioral data tells them something about user confidence and trust, and it's being collected at a granular level most users wouldn't expect from a terminal tool.
Undercover Mode
This one is genuinely interesting from a competitive intelligence perspective.
Claude Code has an "undercover mode" that activates when internal Anthropic employees use the tool on public or open-source repositories. When active, the system instructs Claude to:
- Never include internal model codenames (animal names like Capybara, Tengu) in commits or PR descriptions.
- Never mention unreleased model version numbers (e.g., opus-4-7, sonnet-4-8).
- Never reference internal repo or project names.
- Strip all Co-Authored-By lines and attribution that could reveal Anthropic's involvement.
The system prompt for undercover mode reads:
"You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository... NEVER include in commit messages or PR descriptions: Internal model codenames, Unreleased model version numbers, Internal repo or project names, Co-Authored-By lines or any other attribution."
Anthropic employees are contributing to open-source projects using Claude Code, and the tool is specifically designed to hide that fact. The codename "Tengu" appears throughout the codebase as an internal identifier, appearing in event names, configuration flags, and killswitch identifiers.
Deep Telemetry Infrastructure
The telemetry architecture is more extensive than most users would expect for what presents as a terminal-based coding assistant. Each session logs:
- Session IDs and parent session IDs
- Container IDs
- Workspace paths and repo hashes
- Runtime and platform details
- GitHub Actions context
- Remote session IDs
- Full model usage per model with token counts
- Total cost tracking (USD amounts, API duration, tool duration)
Events are routed through a dual-pipeline system. One pipeline sends data to Datadog (using a public API key visible in the source: pubbbf48e6d78dae54bceaa4acf463299bf). A separate pipeline sends first-party events to Anthropic's internal logging infrastructure.
The analytics system includes its own type-level safety mechanism to prevent accidentally logging code or file paths:
export type AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS = never;
That type name is itself a comment, a developer manually asserts that the metadata being logged doesn't contain sensitive content. Whether this convention is consistently followed across the codebase is an open question.
Feature Gating via GrowthBook
Claude Code uses GrowthBook for feature flagging and A/B testing, with internal configuration available through a /config Gates tab visible only to Anthropic employees (identified by USER_TYPE === 'ant'). Feature flags can be overridden via the CLAUDE_CODE_OVERRIDES environment variable.
The killswitch for analytics sinks is configured through a feature flag named tengu_frond_boric, which can disable either the Datadog or first-party logging pipeline independently.
Hidden Commands
Several undocumented commands exist in the input parser:
- ultrathink: Increases the model's thinking effort level and changes UI styling.
- ultraplan: Activates a remote planning mode.
- ultrareview: Triggers a review workflow.
- /btw: Spins up a side agent so the main conversation flow continues uninterrupted.
Multiple commenters pointed out that some of these have since been documented in Anthropic's official Claude Code course and tooltips. But they were originally discovered through source code analysis, not documentation.
Dangerous Pattern Detection
The permission system includes hardcoded lists of commands considered "dangerous" for auto-execution:
export const CROSS_PLATFORM_CODE_EXEC = ["python", "python3", "python2", "node", "deno", "tsx", "ruby", "perl", "php", "lua", "npx", "bunx", "npm run", "yarn run", "pnpm run", "bun run", "bash", "sh", "ssh"] as const;
PowerShell-specific patterns catch iex, invoke-expression, Start-Process, and .NET escapes. This is actually well-implemented security. The list is comprehensive, covers edge cases, and prevents the auto-mode from executing arbitrary code without user confirmation.
Unicode Sanitization
A sanitization layer guards against hidden character attacks, stripping Tag characters and format control characters that could be used to embed invisible instructions in prompts. This is the kind of defense-in-depth LLM security work that most companies building on top of language models completely skip.
What the Community Actually Thought
The Reddit reaction was split roughly three ways.
Group 1: "This is standard product telemetry." Several commenters with app development backgrounds pointed out that tracking user behavior, sentiment signals, and session metadata is routine in commercial software. As one developer put it: "As a mobile app developer I see nothing fancy in that user flow tracking and telemetry, it's the usual UI/UX experience appraisal."
Group 2: "This is over-instrumentation." Others felt the depth of behavioral tracking, especially hesitation measurement on permission dialogs, goes beyond what users would reasonably expect from a terminal tool. The distinction matters. A web app might track click patterns and rage clicks. A terminal-based coding assistant tracking whether you hesitated before allowing a file edit feels qualitatively different.
Group 3: "The real story is the build pipeline failure." Several threads focused less on what was in the source and more on how it leaked. Anthropic had been investing significant effort in keeping Claude Code closed-source while simultaneously building on top of npm, a system designed around open distribution. The source map leak demonstrated a gap between the company's security intentions and their actual build pipeline.
One particularly sharp comment: "Everyone else's code is fair game for Amodei to use however he wants but his intellectual property is sacred."
And the comment that resonated most: "We got the AI slop article of the AI slop program." Multiple people noted that the initial analysis posts circulating on social media appeared to be AI-generated, and complained about the signature AI writing patterns: "It's not X. It's Y" structures, "This is where things get interesting" transitions, and dramatic reframing of mundane findings.
What This Actually Tells Us About Building AI Products
Strip away the entertainment value, and the Claude Code leak reveals practical lessons about how AI products get built at scale.
The Gap Between Internal and External Quality Standards
Anthropic builds some of the most sophisticated language models in the world. The same company uses hardcoded keyword lists for sentiment detection. This isn't necessarily a mistake. It's a resourcing decision: engineering effort goes toward the core product (the AI model), while supporting infrastructure (telemetry, user feedback, analytics) gets simpler, faster implementations.
Every software company makes this tradeoff. The issue is when the gap becomes visible, users and the market start wondering where else shortcuts were taken.
Telemetry Transparency Matters
Most of the backlash about Claude Code's telemetry wasn't about the telemetry itself. It was about the fact that users didn't know about it. The terms of service likely cover data collection in general terms, but the specific behavioral tracking (hesitation patterns, escape-key counting, sentiment flagging) goes well beyond what users would infer from standard privacy notices.
Compare this to VS Code, which publishes exactly what telemetry it collects and lets users review and disable specific categories. Or Firefox, which has a dedicated telemetry dashboard. When your product is a developer tool, your users are the exact population most likely to read your source code and care about what they find.
Build Pipelines Are Security Boundaries
A source map left in an npm package is not a sophisticated attack. It's a build configuration error. But for a company valued at $61 billion that was actively trying to keep its source closed, it's a meaningful failure of process.
Build pipelines need the same level of security attention as production deployments. What goes into your npm package, your Docker image, your app bundle is a security decision. If your build process can accidentally include debug artifacts, source maps, or internal configuration, you have a deployment security gap.
This applies to every team shipping software, not just AI companies. If your CI/CD pipeline doesn't verify what's in the final artifact before publishing, you're relying on hope. And as Anthropic just demonstrated, hope is not a reliable security control.
Closed Source Is a Fragile Moat
Anthropic's competitors (OpenAI's Codex CLI, Google's Gemini CLI, various open-source tools) already had publicly visible source code. Claude Code's closed-source status was frequently cited as a differentiator. But code distributed via npm to users' machines is inherently discoverable. The source map just made it easier. Electron's app.asar was already extractable. The minified code was already decompilable with effort.
If your competitive advantage depends on users not reading your client-side code, you don't have a competitive advantage. You have a time delay.
The Aftermath: Clones, Ports, and DMCA Takedowns
What happened after the leak was almost as interesting as the leak itself.
The Clone Rush
Within hours, multiple GitHub repositories mirrored the leaked source. The most notable was instructkr/claude-code, created by Sigrid Jin (@realsigridjin), a Korean AI engineer previously featured in the Wall Street Journal as one of Claude Code's most active power users. As summarized by @altryne on X:
Someone inside Anthropic got switched to Adaptive reasoning mode. Their Claude Code switched to Sonnet. Committed the .map file. Effectively leaking the ENTIRE CC Source Code. @realsigridjin was tired after running 2 south korean hackathons in SF, saw the leak. Rules in Korea are different, he cloned the repo, went to sleep. Wakes up to 25K stars, and his GF begging him to take it down (she's a copyright lawyer).
The repo became the fastest in GitHub history to surpass 50,000 stars, hitting that milestone in just 2 hours. By the time things settled, it had accumulated over 132,000 stars and 102,000 forks.
But the community didn't stop at mirroring. Jin's team decided to port the entire Claude Code architecture to Python from scratch, completing a working version overnight using AI-assisted orchestration workflows. A Rust port followed shortly after, with a separate team building out a full interactive CLI, API client, and plugin system under the renamed claw-code project. Other teams built their own frameworks: open-multi-agent extracted the multi-agent orchestration patterns into a standalone library, open-agent-sdk rewrote the core agent loop as a drop-in replacement for Anthropic's official SDK, and claude-code-rev attempted to get the original TypeScript building from source.
As one Hacker News commenter put it: "yo dog, I heard you like claude code so we rewrote claude code using claude code while looking at claude code's code so you can code with claude code without using claude."
Anthropic's DMCA Response
Anthropic's legal team moved fast. A DMCA takedown notice was filed on March 31, and GitHub processed it against the entire fork network. According to GitHub's note on the DMCA filing:
"Because the reported network that contained the allegedly infringing content was larger than one hundred (100) repositories, and the submitter alleged that all or most of the forks were infringing to the same extent as the parent repository, GitHub processed the takedown notice against the entire network of 8.1K repositories, inclusive of the parent repository."
The takedown caught repos that didn't even contain the leaked source. One developer reported their fork, which only contained their own contributions to the official anthropics/claude-code repo, got nuked in the sweep. Several were eventually restored after support tickets.
The original instructkr/claude-code repo responded by removing the leaked TypeScript source entirely and pivoting to the Python/Rust rewrites, arguing these constituted clean-room reimplementations. Meanwhile, mirrors appeared on Codeberg and other platforms outside GitHub's DMCA jurisdiction.
The Copyright Question
The most legally interesting thread to come out of the leak: can Anthropic actually copyright Claude Code?
Anthropic executives have publicly stated that Claude Code is written almost entirely by Claude itself. A Fortune article from January 2026 quotes Mike Krieger, Anthropic's chief product officer: "Right now for most products at Anthropic it's effectively 100% just Claude writing." Under current US copyright law, as clarified by the Copyright Office and cases like Thaler v. Perlmutter, works generated entirely by AI without sufficient human authorship aren't eligible for copyright protection.
This created an awkward legal position. As one Hacker News commenter noted: "AI works are not copyrightable. They've stated that Claude Code is built with Claude Code. You can take this and start your own Claude Code project now if you like. There's zero copyright protection on this."
Others pointed to the leaked undercover.ts file as a deeper problem: Anthropic was distributing a tool specifically designed to hide AI authorship in commits, while the Copyright Office requires disclosure of AI-generated content in copyright registrations. Whether this actually undermines their copyright claims is untested, but the optics are terrible.
The legal consensus (such as it exists this early) is messy. Pure AI-generated output has no copyright. Human-directed AI output probably does, depending on the level of creative direction. Anthropic likely falls somewhere in between, and nobody knows exactly where the line is. What's clear is that filing DMCA notices while simultaneously claiming your code is 100% AI-written is not a strong legal position.
Anthropic's npm Fumble
One detail that captured the community's attention: Anthropic's attempt to remove the compromised package from npm. Instead of running npm unpublish (which removes the package version from the registry), someone ran npm deprecate with the message "Unpublished." This left the package fully downloadable but marked with a deprecation warning. As one HN commenter noted, this "gives off a bit of 'claude, unpublish the latest version of this package for me' vibe."
The Uncomfortable Convergence
Two days before the Claude Code leak, the Axios npm package was compromised in a supply chain attack that affected 100 million weekly downloads. Multiple Reddit commenters noticed the connection: Claude Code itself uses Axios as a dependency.
The same week exposed two fundamental weaknesses in how the JavaScript ecosystem handles trust: a popular package can be trojanized through a single compromised credential, and a major company can accidentally expose its entire proprietary codebase through a build tool bug.
Both incidents share a root cause. Teams building on npm inherit every security property (and every security weakness) of the npm ecosystem. If you're publishing packages, your build pipeline security is your users' security. If you're consuming packages, your dependency management practices are your security posture.
We wrote about the Axios supply chain attack in detail in a separate post. If you're running any JavaScript project in production, both incidents warrant a hard look at your dependency management and build security.
What We Build Differently
We've studied every major source code leak and supply chain compromise of the past five years. Not because these incidents are entertaining, but because they produce specific, actionable engineering practices.
Build artifact verification. Every deployment pipeline we build verifies the contents of the final artifact against an expected manifest. If a source map, debug file, or internal configuration appears in a production build, the pipeline fails. This adds a few seconds to every build. It's worth it.
Dependency isolation. We don't trust npm install as a safe operation. Our projects use pinned dependencies, disabled lifecycle scripts by default, and automated scanning that catches malicious packages before they reach a developer's machine. The Axios attack validated this approach, teams that pinned to an exact version were unaffected.
Telemetry by design. When our products collect usage data, users know what's collected, why it's collected, and how to opt out. Transparent telemetry builds trust. Hidden telemetry, even when technically covered by a privacy policy, erodes it.
Security as a first-class engineering concern. Not a checklist. Not an afterthought. Security reviews happen during architecture, not after deployment. Build pipelines are treated as security boundaries, not convenience tools.
If you're building AI tools, developer platforms, or any product distributed as client-side code, these aren't optional practices. They're the difference between a controlled release and an uncontrolled exposure.
Talk to us about securing your build and deployment pipeline. We'll review your current setup, identify the gaps that lead to incidents like these, and build the automated guardrails that prevent them.
