Anthropic reveals source code and then issues over 8,000 copyright removal requests, making "safety first" persona face its most embarrassing week

By: Deep Tide TechFlow

Anthropic accidentally exposed the full source code of its most profitable product, Claude Code, due to a configuration mistake during an npm release. Within just a few hours, tens of thousands of developers mirrored and dissected the roughly 512,000 lines of TypeScript code, then used AI to rewrite it into Python and Rust versions. Anthropic immediately sent a DMCA copyright takedown request to GitHub, affecting about 8,100 code repositories. However, due to the damage to many unrelated projects, the community pushed back strongly, and Anthropic was eventually forced to withdraw most of the requests—keeping takedown actions only for 1 repository and 96 forks. This was the second major leak incident for Anthropic within a week; it was only five days after the leak of information related to its Mythos model.

Anthropic, whose brand core is “AI safety,” is going through the most embarrassing week since its founding.

According to a report from The Wall Street Journal on April 1, during a routine version update on March 31, Anthropic mistakenly published the complete source code of Claude Code together with the npm package due to a human error in the build process. At 4:23 a.m. Eastern Time on March 31, a security researcher, Chaofan Shou, posted a download link on the X platform; the post’s views quickly surpassed 21 million. Within hours, the code was mirrored to GitHub and received tens of thousands of stars. A Korean developer, Sigrid Jin, even rewrote the entire codebase into a Python version before daybreak using AI tools. In two hours, the project garnered 50,000 GitHub stars, likely setting a record for the fastest growth in the platform’s history.

An Anthropic spokesperson confirmed the leak to CNBC, saying, “This is a release packaging issue caused by human error, not a security vulnerability. No sensitive customer data or credentials were involved or exposed.”

A missing configuration item exposed 512,000 lines of core code

The technical reason for the leak isn’t complicated. Claude Code is built using Bun (a JavaScript runtime tool acquired by Anthropic at the end of 2025). By default, Bun generates source map debugging files. During the publishing team’s upload of the npm package, they failed to exclude that file in the .npmignore configuration, causing a 59.8MB source map file to go live alongside the Claude Code 2.1.88 release. The file contains the complete contents of about 1,900 TypeScript source files—roughly 512,000 lines of code in total—readable, commented, and not obfuscated in any way.

Claude Code lead Boris Cherny acknowledged, “Our deployment process includes several manual steps, and one of them wasn’t executed correctly.” He added that the team has already fixed the issue and is adding more automated checks. He also emphasized that these kinds of errors point to process or infrastructure problems rather than any one person’s responsibility.

This isn’t the first time. In February 2025, an almost identical source map leak exposed the source code of an early version of Claude Code. The same type of incident repeated over 13 months, raising questions about the operational maturity of the company, which is valued at about $38 billion and is preparing for an IPO.

What developers found in the leaked code

The leaked codebase is essentially a product roadmap that Anthropic never intended to publish. According to analyses by VentureBeat and multiple developers, the code includes 44 feature flags, with more than 20 items representing features that have been developed but not yet released.

The most notable of these include: an autonomous guardian process mode called “KAIROS,” which allows Claude Code to continuously run in the background as an agent when the user is idle, capable of periodically fixing errors, executing tasks, and sending push notifications to users; a three-layer “self-healing memory” architecture that merges dispersed observations in the background and eliminates logical contradictions through a memory integration process called “dreaming”; and a complete multi-agent coordination system that can transform Claude Code from a single agent into a coordinator capable of generating, directing, and managing multiple work agents in parallel.

The most controversial discovery is a file named undercover.ts. According to The Hacker News, that file contains about 90 lines of code. When Anthropic employees use Claude Code to submit code to open-source projects, it injects system prompts instructing Claude never to reveal that it is an AI and to remove all Co-Authored-By attribution markers. The code says: “You are performing an undercover assignment in a public/open-source code repository. Your commit messages, PR titles, and PR body must not include any internal Anthropic information. Do not reveal your identity.”

In addition, the code includes an ANTI_DISTILLATION_CC tag, which injects forged tool definitions into API requests with the goal of polluting training data that competitors might intercept. The code also includes internal model codenames from Anthropic: Capybara corresponds to a new model tier that hasn’t been released yet, while Fennec corresponds to the existing Opus 4.6. This matches Anthropic’s leaked Mythos model information from just five days ago, which was also caused by a CMS configuration mistake.

Code Wall founder Paul Price told Business Insider that this leak is “less about causing actual harm and more about being embarrassing. The truly valuable core is its internal model weights—those weren’t leaked.” However, he also noted that Claude Code is “one of the best-designed agent tooling architectures out there—now we can see how they solve those difficult problems,” which has clear intelligence value for competitors.

8,100 repositories mistakenly flagged; DMCA takedowns “backfired” and sparked even more backlash

After the code spread, Anthropic quickly filed DMCA copyright takedown requests with GitHub under the U.S. Digital Millennium Copyright Act. According to GitHub’s public records, the request initially affected about 8,100 code repositories. The problem was that the repositories being taken down didn’t just include mirrors of the leaked code—they also included legal forks of Anthropic’s own officially published Claude Code repository.

Many developers expressed anger on X. Developer Danila Poyarkov reported that they received a takedown notice simply for forking Anthropic’s public repository. Another user, Daniel San, received a GitHub email showing that the repository being taken down contained only skill examples and documentation, with nothing to do with the leaked code. One developer said bluntly, “Anthropic’s lawyers woke up and went straight to taking down my repository.”

Facing community backlash, Anthropic partially withdrew the requests on April 1. According to the withdrawal records on GitHub, Anthropic narrowed the scope to 1 repository (nirholas/claude-code) and the 96 fork URLs separately listed in the original notice. Access for the remaining roughly 8,000 repositories was restored by GitHub.

An Anthropic spokesperson told TechCrunch, “The repositories specified in the notice are part of a fork network connected to our publicly available Claude Code repository, so the takedown affected repositories beyond what was expected. We have withdrawn all notices except for one repository, and GitHub has restored access to the affected forks.”

The code is permanently archived on decentralized platforms; DMCA has limited effect

Anthropic’s copyright takedown efforts face a fundamental dilemma: the code has already spread irreversibly.

According to Decrypt, the decentralized Git platform Gitlabb has mirrored the complete original code, with a note saying it “will never be taken down.” DMCA is effective for centralized platforms (like GitHub) because they must comply with the law, but jurisdiction can’t be imposed on decentralized infrastructure. Within hours of the leak, through enough mirrors and different types of infrastructure, the code had already effectively become permanently publicly accessible.

More ironically, a Korean developer, Sigrid Jin, used an AI orchestration tool, oh-my-codex, to rewrite the entire codebase from TypeScript into Python; the project is named claw-code. Gergely Orosz, founder of The Pragmatic Engineer, pointed out on X that this is a “clean-room rewrite,” creating an independent work—by design, code that DMCA can’t reach. If Anthropic were to argue that AI-rewritten code is still infringing, it would undermine the core logic of AI companies’ defenses in copyright lawsuits over training data—namely that AI-generated outputs derived from copyrighted protected inputs can constitute fair use.

An awkward copyright stance: calling yourself out—or a legal necessity?

The biggest tension in this incident is the contradiction in the copyright stance. In September 2025, a court ordered Anthropic to pay $1.5 billion for training Claude using pirated books and shadow libraries. Starting in June 2025, Reddit sued Anthropic for scraping user-generated content without authorization for model training. A company entangled in multiple lawsuits over training data copyright issues, then turns around and uses copyright law to protect its own code—this kind of community reaction is predictable.

A top comment on Slashdot directly summarized this sentiment: “‘You’re making money from what you stole that you publicly released—how dare you steal!’—That’s a position.” Another user argued that, from a legal-strategy perspective, DMCA actions are not entirely unreasonable: “If Anthropic later wants to hold other companies responsible for using its code, and they didn’t even try to get distributors to remove it, then it wouldn’t hold up in court.”

This debate also involves a cutting-edge legal question: who owns the copyright in AI-generated code. According to disclosures that Gartner and Anthropic previously made publicly, about 90% of the code in Claude Code is generated by AI. In March 2025, a U.S. federal court ruled that AI-generated works do not receive copyright protection due to the lack of human author identity. The Supreme Court declined to take up the appeal in March 2026. If most of the code in Claude Code was indeed written by Claude itself, Anthropic’s copyright claim faces substantial legal uncertainty.

Two leaks in one week; an operational security alert ahead of the IPO

This source code leak happened only five days after Anthropic’s last leak incident. On March 26, Fortune reported that Anthropic, due to a configuration mistake in its content management system, exposed nearly 3,000 unreleased internal documents in a publicly searchable data cache, including detailed information about the upcoming Claude Mythos model. Both incidents were attributed to “human error.”

The timing of these incidents is sensitive. In February 2026, Anthropic completed a $30 billion Series G round, valuing the company at $380 billion. According to reports, it is preparing for an IPO as early as October 2026, with expected fundraising possibly exceeding $60 billion. Goldman Sachs, JPMorgan Chase, and Morgan Stanley have already made early approaches. Claude Code’s annualized revenue has surpassed $2.5 billion, making it the company’s most important revenue engine. TechCrunch noted that for companies preparing to go public, leaking source code almost inevitably means facing lawsuits from shareholders.

VentureBeat’s incident analysis raised a sharper question: Anthropic experienced more than a dozen incidents in March, but only publicly released one post-incident report. A third-party monitoring system detected the failures 15 to 30 minutes earlier than Anthropic’s own status page. For a company driving toward the public markets with a $380 billion valuation, whether its operational transparency and maturity match that valuation is something investors will have to judge for themselves.