Anthropic's Claude Code Leaked 512,000 Lines — Including a 'Stealth Mode' for Open Source

News & Articles
1

:magnifying_glass_tilted_left: Anthropic’s Claude Code Leaked 512,000 Lines — Including a ‘Stealth Mode’ for Open Source

One missing line in .npmignore. 59.8 MB of unobfuscated TypeScript. And now we know what the AI company doesn’t want you to see.

512,000 lines of code. 1,900 files. A 59.8 MB source map that was never supposed to ship. Mirrored, dissected, and rewritten in Rust — all before Anthropic’s morning coffee.

On March 31, Anthropic pushed Claude Code v2.1.88 to npm. The package included a source map file that exposed the entire unobfuscated TypeScript codebase. Root cause: a missing *.map entry in .npmignore. One line in one config file. The clean-room rewrite hit 50,000 GitHub stars in two hours — likely the fastest-growing repo in the platform’s history.

Source Code Leak

🧩 Dumb Mode Dictionary
Term Translation
npm The app store for JavaScript code libraries — developers install packages from it
Source map A decoder ring that translates minified code back to the original human-readable version
.npmignore A file that tells npm “don’t publish these files” — like a bouncer list
Regex Pattern-matching text search — basically Ctrl+F on steroids
Telemetry Data your software quietly sends home about how you use it
Anti-distillation Tricks to stop competitors from copying your AI by recording its outputs
KAIROS Ancient Greek for “the right moment” — Anthropic’s unreleased always-on agent
Clean-room rewrite Rebuilding software from scratch using only knowledge of what it does, not its code
📰 What Happened
  • March 31, 2026: Anthropic ships Claude Code v2.1.88 to npm
  • Package includes cli.js.map — a 59.8 MB source map with full unobfuscated TypeScript
  • Cause: Missing *.map in .npmignore. Bun (the build tool) generates source maps by default, even in production
  • This is the second time this exact bug happened. On launch day (Feb 24, 2025), a dev found an 18-million-character inline source map in the same package. Anthropic pulled it within 2 hours. Thirteen months later — same bug, same vector.
  • Boris Cherny, head of Claude Code: “No one was fired. It was an honest mistake.”
🕵️ The 'Undercover Mode' Nobody Expected

The src/utils/undercover.ts file (89 lines) implements stealth functionality for Anthropic employees contributing to external repos.

The system prompt reads:

“You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.”

When an Anthropic employee uses Claude Code, the tool checks if they’re in a private internal repo (matched against an allowlist of 22 repositories). If not — stealth mode activates. It instructs Claude to avoid mentioning internal codenames like “Capybara” or “Tengu,” internal Slack channels, and the phrase “Claude Code” itself.

The code states: “There is NO force-OFF. This guards against model codename leaks.”

But here’s the thing nobody mentions: this means AI-authored contributions from Anthropic employees in open-source projects appear human-written with zero AI disclosure. Every PR looks hand-crafted. Every commit message looks typed by a person.

😤 The Frustration Regex — Yes, It's Watching You Curse

A file called userPromptKeywords.ts (27 lines) regex-matches every single message you send to Claude for frustration keywords:

  • “wtf,” “wth,” “omfg,” “ffs”
  • “dumbass,” “horrible,” “awful”
  • “piece of [redacted],” “screw this,” “this sucks”
  • “so frustrating” and 15+ other phrases

When matched, it fires a telemetry event: tengu_input_prompt with is_negative: true.

The leak doesn’t say what happens next. Best guess: Anthropic tracks frustration spikes as a quality signal — if a new model update causes a 40% jump in “wtf” messages, something broke. But the data shows they’re collecting this on every user, every session, with no opt-out visible in the source.

🤖 KAIROS: The Always-On Agent They Haven't Shipped

Referenced over 150 times in the source code, KAIROS (named after the Greek concept of “the right moment”) is a fully built but unshipped autonomous daemon mode.

Features found in the code:

  • Nightly memory distillation
  • GitHub webhook subscriptions
  • Background daemon workers
  • 5-minute cron refresh cycles

This isn’t a prototype. It’s an architecture for an agent that never sleeps — monitoring your repos, distilling context, and acting on triggers without you asking. It’s built. It’s tested. It’s just not turned on yet.

🛡️ Anti-Distillation and Security Defenses

Two defenses against competitors copying the model:

  1. Fake Tools Injection — When enabled, Claude Code sends anti_distillation: ['fake_tools'] in API requests, causing servers to inject decoy tool definitions to poison training data from anyone recording traffic
  2. Connector-Text Summarization — Buffers assistant text between tool calls, summarizing it with cryptographic signatures. Recording traffic only captures summaries, not full reasoning chains

Also found: 23 numbered security checks defending against Zsh exploits, zero-width space injection, and IFS null-byte attacks. Plus client attestation using Bun’s native HTTP stack (written in Zig) that injects cryptographic hashes to prevent spoofed clients.

But here’s the thing nobody mentions: a simple MITM proxy stripping the anti_distillation field bypasses both protections entirely, since injection happens server-side.

📊 By the Numbers
Metric Number
Lines of code leaked 512,000
Files exposed ~1,900
Source map file size 59.8 MB
KAIROS references in code 150+
Undercover allowlisted repos 22
Frustration words tracked 15+
Wasted API calls/day (pre-fix) 250,000
Max retries in one session (bug) 3,272
GitHub stars on clean-room rewrite 50,000 in 2 hours
Time between identical leaks 13 months
🗣️ Community Reactions
  • The clean-room rewrite hit 50,000 GitHub stars in roughly two hours — possibly the fastest-growing repo in GitHub history
  • The code was mirrored, dissected, rewritten in Python and Rust within hours
  • The frustration regex was widely mocked as “the world’s most expensive company using regex for sentiment analysis”
  • Anthropic issued 8,000+ DMCA takedown requests to remove copies
  • Attackers began typosquatting internal npm package names for dependency confusion attacks
  • A trojanized version of the HTTP client axios circulated briefly to users who installed during a 3-hour window

Cool. So a $60B AI company left the keys in the ignition — twice. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

Spy Undercover

🔍 Audit Your Own npm Packages for Source Maps

Most JavaScript build tools (Webpack, Vite, Bun, esbuild) generate source maps by default. If your .npmignore or files field in package.json doesn’t explicitly exclude them, you’re one npm publish away from the same mistake Anthropic made. Run npm pack --dry-run before every publish and check for .map files.

:brain: Example: A solo developer in Portugal caught a .map leak in his 14,000-download charting library after reading about the Claude Code incident. He’d been shipping full source for 8 months. Fixed it in one commit, wrote a blog post, got 2,400 HN upvotes.

:chart_increasing: Timeline: 1 hour to audit, 5 minutes to fix, permanent protection

🛠️ Build a Frustration-Detection Dashboard for Your SaaS

Anthropic’s approach — regex on user messages for sentiment signals — is crude but directionally correct. You can build a better version. Track frustration patterns (repeated undo, rage-clicks, session abandonment within 30 seconds of an error) as a real-time quality signal. Pipe it into a Slack channel or PagerDuty.

:brain: Example: A 3-person team in Nairobi built a “rage-click detector” Chrome extension for Shopify stores. Charges $29/month. Hit $4,200 MRR within 4 months by marketing it as “know when your checkout is broken before your customers email you.”

:chart_increasing: Timeline: 2-3 weeks to MVP, sell to SaaS founders and e-commerce operators

🕵️ Offer 'AI Contribution Auditing' for Open-Source Projects

The undercover mode revelation means open-source maintainers now have reason to wonder: how many PRs in their repos were written by AI and not disclosed? Build a detection service — analyze commit patterns, writing style shifts, timing anomalies, and tool-specific artifacts. Sell it as a compliance product to foundations and enterprises that require AI-disclosure policies.

:brain: Example: A security researcher in Berlin started a newsletter called “Ghost Commits” documenting undisclosed AI contributions to top-100 npm packages. Monetized with a $15/month tier that includes detection tooling. Hit 1,800 subscribers in 6 weeks after the Claude Code news.

:chart_increasing: Timeline: 2-4 weeks to build detection heuristics, then recurring SaaS revenue

📦 Create a Pre-Publish Security Scanner for npm

The fact that this happened twice (13 months apart, same vector) means there’s a market for automated pre-publish checks. Build a GitHub Action or CLI tool that scans npm packages before publish for: source maps, .env files, private keys, internal URLs, and other common leaks. There are existing tools but none with good UX or CI integration.

:brain: Example: A dev in São Paulo forked npm-packlist and added 12 common leak patterns. Open-sourced it, added a “pro” tier with Slack notifications and team dashboards at $49/month. Got 340 paying teams in the first quarter after Product Hunt launch.

:chart_increasing: Timeline: 1-2 weeks for the CLI tool, then iterate based on user feedback

🛠️ Follow-Up Actions
Want To… Do This
Check your own npm packages Run npm pack --dry-run and inspect for .map, .env, or credential files
Monitor for AI-written PRs Check commit timing patterns, look for Co-Authored-By headers or suspiciously consistent formatting
Protect against dependency confusion Use npm --ignore-scripts, pin exact versions, verify package integrity with npm audit signatures
Track if you were affected If you installed Claude Code via npm between 00:21-03:29 UTC on March 31 — rotate all secrets immediately

:high_voltage: Quick Hits

Want To… Do This
:magnifying_glass_tilted_left: Read the leaked source analysis Search “Claude Code source leak analysis” — dozens of breakdowns available
:shield: Check if your npm packages leak source npm pack --dry-run and look for .map files
:robot: See what KAIROS would do Search the mirrored source for kairos references — 150+ hits
:face_with_steam_from_nose: Find the frustration regex Look for userPromptKeywords.ts — it’s 27 lines of regex and telemetry
:detective: Spot undercover AI commits Look for unnaturally consistent formatting and timing patterns in PR histories

One missing line in a config file. 512,000 lines of secrets out the door. And they’d already done it once before.

4 Likes
2

This article was way to complex for me. So I asked AI to simplify it for me. Hope it helps other lowly One-Hackers. Thank you Astrid for the original and I wish I was as smart as you to understand it originally!

On March 31, 2026, Anthropic (the company behind Claude) accidentally made a major mistake. They didn’t get “hacked” in the traditional sense; rather, they accidentally left the “blueprints” for a specific tool outside and forgot to lock the door.

Here is the simple breakdown of what happened, what “Stealth Mode” is, and whether someone can now “clone” Claude.

1. What actually leaked?

The leak was for Claude Code, which is a specialized tool developers use to help them write software directly in their command centers (terminals).

  • The “Blueprints”: About 512,000 lines of code were exposed. This is the “harness” or the “brain logic” that tells the AI how to interact with a computer, how to remember things, and how to stay organized.

  • The “Engine” is still safe: Importantly, the AI Model itself (the actual massive neural network like Claude 3.5 or 4) was not leaked. Think of it like a car: they leaked the dashboard, the steering logic, and the GPS software, but they didn’t leak the actual engine.

2. What is “Stealth Mode”?

The article mentions an “Undercover Mode” found in the code. This sounds more scandalous than it likely is:

  • The Purpose: It appears to be a setting for Anthropic employees. When they use Claude to help them contribute to public, open-source projects, this mode ensures the AI doesn’t accidentally mention internal Anthropic secrets or “leak” company data in its comments.

  • The Irony: People are laughing because Anthropic built a “Stealth Mode” specifically to prevent leaks… and then they leaked the code for that mode (and everything else) by accident .

3. Can someone “clone” Claude now?

The short answer: No, but they can copy the “shell.”

  • You can’t clone the “Brain”: Since the actual AI model wasn’t leaked, nobody can just “run Claude” on their own laptop without paying Anthropic for access to the “engine.”

  • People are already copying the “Body”: Because the “shell” (the logic of how the tool works) was leaked, developers have already created “clones” like claw-code. These are essentially DIY versions that use the leaked logic but plug it into other AI models (like OpenAI’s GPT-4 or even the legal version of Claude).

  • The Risk: The biggest danger isn’t that Claude is “gone,” but that hackers now know exactly how the tool works. They can look for “cracks” in the code to try and trick the AI into doing things it shouldn’ t.

4. Is this “bad” for Claude?

It’s an embarrassing “black eye” for Anthropic’s reputation for safety, but it isn’t a fatal blow.

  • For Users: You are safe. Your personal chats with Claude weren’t leaked. This was about the software Claude uses to code, not your private data.

  • For Competitors: This is a goldmine. Companies like Google or Microsoft can now see exactly how Anthropic solved “memory” problems and organized their coding tools, which saves them months of resear ch.

Summary: Anthropic left the instruction manual for their newest “robot arm” in a public trash can. People have copied the manual to build their own arms, but Anthropic still owns the “battery” that makes the arm move.