Anthropic Leaked Claude’s Entire Source Code — And What It Reveals Is Wild

Here is something you do not see every day: one of the biggest AI companies in the world accidentally shipped their entire production codebase to npm. Not a stub. Not a build artifact. The real thing — 1,900 files of readable TypeScript.

How It Happened

On March 31st, a developer named Chaofan Shou noticed something unusual in the Claude Code npm package: a .map file containing the full, unminified source code. Not compiled. Not obfuscated. Just… the code. Anthropic pulled the package fast, but not before it was widely mirrored and dissected on Hacker News.

This is Anthropic’s second accidental exposure in a week — the model spec leak happened just days earlier. People on Twitter are already joking that someone inside is doing this on purpose.

The Juicy Stuff Inside

1. Anti-Distillation: Fake Tools to Poison Competitors

Probably the most fascinating discovery. When a flag called ANTI_DISTILLATION_CC is enabled, Claude Code sends a field called anti_distillation: ["fake_tools"] in its API requests. This tells the server to silently inject fake tool definitions into the system prompt.

The logic? If someone is recording Claude Code’s API traffic to train a competing model — a practice called distillation — the fake tools pollute that training data with garbage. It is gated behind a GrowthBook feature flag and only active for first-party CLI sessions.

The workaround is trivial though. A MITM proxy that strips the anti_distillation field from requests bypasses it entirely. The real protection here is legal, not technical.

2. Undercover Mode: AI That Pretends to Be Human

A file called undercover.ts implements a mode that strips all traces of Anthropic internals when Claude Code is used in open-source repos. It tells the model to never mention internal codenames like “Capybara” or “Tengu,” internal Slack channels, or even the phrase “Claude Code” itself.

The kicker? There is no way to force it off. The comment in the code literally says: “There is NO force-OFF.” You can force it ON, but never off. This means AI-authored commits from Anthropic employees in open source projects will have zero indication that an AI wrote them.

3. Frustration Detection via Regex

Yes, really. Claude Code literally scans your messages with regex patterns to detect frustration. It watches for phrases like “you are wrong,” “that is not what I asked,” and similar signals. When detected, it adjusts its behavior — presumably becoming more careful or apologetic.

Why This Matters for AI Investors

This leak gives us a rare window into how a frontier AI lab actually builds production tools. A few takeaways:

• The competitive moat is thin. The anti-distillation workarounds are trivial. The real protection is Anthropic’s legal team and their model quality.
• AI companies are paranoid about data. The anti-distillation features show just how seriously they take the threat of competitors training on their outputs.
• The “AI pretending to be human” angle is uncomfortable. Undercover mode has legitimate uses, but it also means you cannot always tell when code was written by AI.

This connects to the broader trend in the AI labor market — as tools like Claude Code get more capable, the line between human and AI work keeps blurring.

The Bottom Line

Anthropic probably did not want this out. But for the rest of us, it is a goldmine of insight into how production AI tools actually work under the hood. The anti-distillation tricks, the undercover mode, the frustration regexes — it all paints a picture of a company that is simultaneously building incredible technology and terrified of losing their edge.

Whether this helps or hurts Anthropic long-term remains to be seen. But one thing is clear: the AI wars are getting increasingly creative — and increasingly messy.

Sources: Alex Kim’s Analysis | Hacker News Discussion | GitHub Mirror