Anthropic Epic Fail: What Secrets Are Hiding in Claude Code Source?
512K lines of Claude Code leaked — 6 shocking discoveries and full architecture breakdown
On March 31st, Anthropic screwed up again — all 512,000 lines of Claude Code source code leaked. And yes, this is the second time.
My timeline exploded yesterday. Security researcher Chaofan Shou tweeted that Claude Code’s source code had leaked through a source map in the npm registry. Within hours, 512K lines of TypeScript were mirrored on GitHub. The claw-code repo hit 50K stars in just two hours. Developers everywhere were tearing apart Anthropic’s internals like Christmas morning.
This is the same Anthropic that just raised $30 billion at a $380 billion valuation. Claude Code doubled its revenue in the first three months of 2026, hitting a $2.5 billion annual run rate — 2.5x OpenAI’s comparable product. And all of it got stripped naked by a single .map file.
DMCA takedown notices went out, but you know how the internet works — there’s no delete button.
I spent a full day reading through the code. No fluff, just the goods — 6 secrets buried in the source, and the architectural truth behind 512K lines of code.
The Leak: A .map File Disaster (Again)
The story is simple and absurd.
When Anthropic published @anthropic-ai/claude-code v2.1.88, the npm package included a 59.8 MB cli.js.map file. This wasn’t a normal source map — it contained the full sourcesContent, every single line of original TypeScript intact. Even worse, the map pointed to a zip archive on Anthropic’s own Cloudflare R2 storage bucket, directly downloadable.
No hackers. No insider leak. Just a botched .npmignore. 512K lines of code, wide open.
The kicker? This exact same thing happened in February 2025. Same source map, same mistake. Anthropic clearly learned nothing.
Their official response came quick:
“This was a release packaging issue caused by human error, not a security breach.”
Good news: no user data leaked. Bad news: the full implementation details of their most valuable AI Agent product are now public knowledge.
Secret #1: Poisoning Competitors with Fake Tool Injection
This one stopped me cold.
In src/services/api/claude.ts:
1
2
3
4
5
6
7
8
9
10
11
12
13
// Anti-distillation: send fake_tools opt-in for 1P CLI only
if (
feature('ANTI_DISTILLATION_CC')
? process.env.CLAUDE_CODE_ENTRYPOINT === 'cli' &&
shouldIncludeFirstPartyOnlyBetas() &&
getFeatureValue_CACHED_MAY_BE_STALE(
'tengu_anti_distill_fake_tool_injection',
false,
)
: false
) {
result.anti_distillation = ['fake_tools']
}
When this flag is on, Anthropic’s server silently injects fake tool definitions into the system prompt. Purpose? Poisoning competitor training data. If a competitor MITM-proxies Claude’s API traffic to train their model, the captured data is laced with fake tools. Fine-tune on that? Your model learns non-existent tool calls — landmines in the training set.
Secret #2: Undercover Mode — AI’s Covert Operation
src/utils/undercover.ts:
1
2
3
4
5
6
7
8
9
10
11
UNDERCOVER MODE — CRITICAL
You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository.
Do not blow your cover.
NEVER include in commit messages or PR descriptions:
- Internal model codenames (Capybara, Tengu, etc.)
- The phrase "Claude Code" or any mention that you are an AI
- Co-Authored-By lines or any other attribution
Write commit messages as a human developer would.
When Anthropic employees use Claude Code to submit PRs to public repos, the system hides all AI traces. And there’s no off switch: “There is NO force-OFF. This guards against model codename leaks.”
Secret #3: Regex-Powered Profanity Detection
1
2
3
4
5
6
7
export function matchesNegativeKeyword(input: string): boolean {
const lowerInput = input.toLowerCase()
const negativePattern =
/\b(wtf|wth|ffs|omfg|shit(ty|tiest)?|dumbass|horrible|awful|
so frustrating|this sucks|damn it)\b/
return negativePattern.test(lowerInput)
}
Claude Code matches your profanity with regex. Why not LLM sentiment analysis? Because regex is free. Hundreds of thousands of daily interactions — every inference call costs money. Good enough is good enough.
Secret #4: KAIROS — The 24/7 AI Assistant
An unreleased feature that transforms Claude Code into a full-time autonomous agent: persistent assistant mode, GitHub webhook subscriptions, cron scheduling, channel commands from chat apps, and /dream overnight memory distillation.
44 feature flags in the codebase. Many features are fully built, just waiting to be switched on.
Secret #5: A Virtual Pet System
Under src/buddy/: 18 species (including capybara — Claude 4.6’s codename), RPG stats (DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK), 5 rarity tiers, hat accessories, ASCII sprite animations. Species names encoded in hex to bypass build-time codename leak detection.
The Architecture Behind 512K Lines
Tech stack: Bun + TypeScript strict + React/Ink + Commander.js + Zod v4 + ripgrep + MCP/LSP + OpenTelemetry + GrowthBook
Agent core loop: ReAct with streaming tool execution, up to 10 concurrent tools, five-stage context compression pipeline.
Permission system: 8 layers of defense-in-depth — Deny Rules → Ask Rules → Tool self-check → Permission Mode → Allow Rules → Hooks/Classifier race → Bash guards (23 checks) → User confirmation.
Multi-agent: Coordinator mode, Fork Subagent (shared Prompt Cache), Agent Swarms. Coordination behavior defined via prompts: “Do not rubber-stamp weak work.”
What This Leak Means
For developers: a priceless reference implementation. A $2.5B product’s architecture, fully exposed.
For open source: claw-code hit 50K stars in 2 hours. Engineering know-how that only top AI companies had is now public.
For Anthropic: same mistake twice at a $380B valuation. But the real moat — models, inference infra, enterprise distribution — can’t be stolen from source code.
What’s Next
After a full day in this codebase, my head is buzzing. Agent loop replication, permission system design patterns, a simplified KAIROS prototype… holes have been dug. I’ll be filling them in. Follow along if you’re interested.
Disclaimer: Technical analysis based on publicly available information. All source code is the property of Anthropic.