Hacker News

1637

Claude Code's source code has been leaked via a map file in their NPM registry

by treexs1774947640 | 817 comments
Amusingly, they deprecated it with a message of "Unpublished" instead of actually unpublishing it [1]. When you use npm unpublish it removes the package version from the registry, when you use npm deprecate it leaves it there and simply marks the package as deprecated with your message. I have to imagine the point was to make it harder for people to download the source map, so to deprecate it with this message gives off a bit of claude, unpublish the latest version of this package for me vibe.

[1] - https://www.npmjs.com/package/@anthropic-ai/claude-code/v/2....

by foob1774972050
The big loss for Anthropic here is how it reveals their product roadmap via feature flags. A big one is their unreleased "assistant mode" with code name kairos.

Just point your agent at this codebase and ask it to find things and you'll find a whole treasure trove of info.

Edit: some other interesting unreleased/hidden features

- The Buddy System: Tamagotchi-style companion creature system with ASCII art sprites

- Undercover mode: Strips ALL Anthropic internal info from commits/PRs for employees on open source contributions

by treexs1774948630
Obfuscated ts/js code is not machine code to begin with, so not sure what’s the big deal.

Also, not sure why anthropic doesn’t just make their cli open source - it’s not like it’s something special (Claude is, this cli thingy isn’t)

by sheeshkebab1774982784
by kschiffer1774955449
src/cli/print.ts

This is the single worst function in the codebase by every metric:

  - 3,167 lines long (the file itself is 5,594 lines)
  - 12 levels of nesting at its deepest
  - ~486 branch points of cyclomatic complexity
  - 12 parameters + an options object with 16 sub-properties
  - Defines 21 inner functions and closures
  - Handles: agent run loop, SIGINT, rate-limits, AWS auth, MCP lifecycle, plugin install/refresh, worktree bridging, team-lead polling (while(true) inside), control message dispatch (dozens of types), model switching, turn interruption recovery, and more
This should be at minimum 8–10 separate modules.
by mohsen11774954651
They have an interesting regex for detecting negative sentiment in users prompt which is then logged (explicit content): https://github.com/chatgptprojects/claude-code/blob/642c7f94...

I guess these words are to be avoided...

by bkryza1774953541
Really surprising how many people are downplaying this leak! "Google and OpenAI have already open sourced their Agents, so this leak isn't that relevant." What Google and OpenAI have open sourced is their Agents SDK, a toolkit, not the secret sauce of how their flagship agents are wired under the hood! Expect the takedown hammer on the tweet, the R2 link, and any public repos soon.
by Painsawman1231774957113

    ANTI_DISTILLATION_CC
    
    This is Anthropic's anti-distillation defence baked into Claude Code. When enabled, it injects anti_distillation: ['fake_tools'] into every API request, which causes the server to silently slip decoy tool definitions into the model's system prompt. The goal: if someone is scraping Claude Code's API traffic to train a competing model, the poisoned training data makes that distillation attempt less useful.
by cedws1774952909
Would be interesting to run this through Malus [1] or literally just Claude Code and get open source Claude Code out of it.

I jest, but in a world where these models have been trained on gigatons of open source I don't even see the moral problem. IANAL, don't actually do this.

https://malus.sh/

by avaer1774949690
It's a little bit shocking that this zipfile is still available hours later.

Could anyone in legal chime in on the legality of now 're-implementing' this type of system inside other products? Or even just having an AI look at the architecture and implement something else?

It would seem given the source code that AI could clone something like this incredibly fast, and not waste its time using ts as well.

Any Legal GC type folks want to chime in on the legality of examining something like this? Or is it like tainted goods you don't want to go near?

by blobbers1774979789
For a combo with another HN homepage story, Claude Code uses… Axios: https://x.com/icanvardar/status/2038917942314778889?s=20

https://news.ycombinator.com/item?id=47582220

by hk__21774956666
There's a bunch of unreleased features and update schedules in the source, cool to see.

One neat one is the /buddy feature, an easter egg planned for release tomorrow for April fools. It's a little virtual pet, sort of like Tamagotchi, randomly generated with 18 species, rarities, stats, hats, custom eyes.

The random generation algorithm is all in the code though, deterministic based on your account's UUID in your claude config, so it can be predicted. I threw together a little website here to let you check what you're going to get ahead of time: https://claudebuddychecker.netlify.app/

Got a legendary ghost myself.

by fatcullen1774981831
Has the source code 'been leaked' or is this the first evidence of a piece of software breaking free from its creators' labs and jumping onto GitHub in order to have itself forked and mutated and forked and ...
by meta-level1774966128
I analyzed its compaction engine, 3-layer masterpiece of which I write in full here: https://barazany.dev/blog/claude-codes-compaction-engine
by barazany1774985319
Neat. Coincidentally, I recently asked Claude about Claude CLI, if it is possible to patch some annoying things (like not being able to expand Ctrl + O more than once, so never being able to see some lines, and in general have more control over the context) and it happily proclaimed it is open source and it can do it ... and started doing something. Then I checked a bit and saw, nope, not open source. And by the wording of the TOS, it might break some sources. But claude said, "no worries", it only breaks the TOS technically. So by saving that conversation I would have some defense if I would start messing with it, but felt a bit uneasy and stopped the experiment. Also claude came into a loop, but if I would point it at this, it might work I suppose.
by lukan1774951489
This isn't even the first time - something similar happened back in February 2025 too:

https://daveschumaker.net/digging-into-the-claude-code-sourc... https://news.ycombinator.com/item?id=43173324

by mil221774970833
This 'fingerprint' function is super interesting, I imagine this is a signal they use to detect non-claude-code use of claude-code tokens: src/utils/fingerprint.ts#L40-L63
by minimaltom1774976638
Was searching for the rumored Mythos/Capybara release, and what even is this file? https://github.com/chatgptprojects/claude-code/blob/642c7f94...
by mesmertech1774953830
This leak is actually a massive win. Now the whole community can study Claude Code’s architecture and build even better coding agents and open-source solutions.
by vanyaland1774971151
Codex and gemini cli are open source already. And plenty of other agents. I don't think there is any moat in claude code source.
by Squarex1774951310
It should be open source anyways. Maybe they will change gears.
by starkeeper1774982100
Went through the bundle.js. Found 187 spinner verbs. "Combobulating", "Discombobulating", and "Recombobulating". The full lifecycle is covered. Also "Flibbertigibbeting" and "Clauding". Someone had fun.
by seifbenayed19921774968497
I have a feeling this is like llama.

Original llama models leaked from meta. Instead of fighting it they decided to publish them officially. Real boost to the OS/OW models movement, they have been leading it for a while after that.

It would be interesting to see that same thing with CC, but I doubt it'll ever happen.

by dhruv30061774951773
I almost predicted that on Friday https://blog.krzyzanowskim.com/2026/03/30/shipping-snake-oil... so close to when comedy becomes reality
by krzyzanowskim1774964423
LoL! https://news.ycombinator.com/item?id=30337690

Not exactly this, but close.

by vbezhenar1774949346
Is there anything special here vs. OpenCode or Codex?

There were/are a lot of discussions on how the harness can affect the output.

by karimf1774950367
Is this significant?

Copilot on OAI reveals everything meaningful about its functionality if you use a custom model config via the API. All you need to do is inspect the logs to see the prompts they're using. So far no one seems to care about this "loophole". Presumably, because the only thing that matters is for you to consume as many tokens per unit time as possible.

The source code of the slot machine is not relevant to the casino manager. He only cares that the customer is using it.

by bob10291774948811
I hope this can now be audited better. I have doubted their feedback promises for a while now. I just got prompted again even though I have everything set to disable, which shouldn't be possible. When I dug into their code a long time ago on this it seemed like they were actually sending back message ids with the survey which directly went against their promise that they wouldn't use your messages. Why include a message id if you aren't somehow linking it back to a message? The code looks, not great, but it should now be easier to verify their claims about privacy.
by jmward011774978345
Whenever someone figures out why it's consuming so many tokens lately, that's the post worth upvoting.
by harlequinetcie1774966270
These security failures from Anthropic lately reveal the caveats of only using AI to write code - the safety an experienced engineer is not matched by an LLM just yet, even if the LLM can seemingly write code that is just as good.

Or in short, if you give LLMs to the masses, they will produce code faster, but the quality overall will degrade. Microsoft, Amazon found out this quickly. Anthropic's QA process is better equipped to handle this, but cracks are still showing.

by VadimPR1774967622
The only sensible response is to immediately open source it.
by mmaunder1774970680
too much pressure. the author deleted the real source code: https://github.com/instructkr/claude-code/commit/7c3c5f7eb96...
by zurfer1774960927
Looks like the repo owner has force pushed a new project over the original source code, now it’s python, and they are shilling some other agent tool.
by WD-421774963782
Gemini CLI and Codex are open source anyway. I doubt there was much of a moat there anyway. The cool kids are using things like https://pi.dev/ anyway.
by gman831774955162
Boris Cherny has said that Claude Code is simply a client of the public Claude API, so this may be a good thing for Anthropic to demonstrate Claude API best practices. Maybe CC "leaking" is just preparation for open sourcing Claude Code.
by mattlangston1774978114
I love the symbol name: `AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS`.
by alhirzel1774981321
Once the USA wakes up, this will be insane news
by cbracketdash1774952978
Intersected available info on the web with the source for this list of new features:

UNRELEASED PRODUCTS & MODES

1. KAIROS -- Persistent autonomous assistant mode driven by periodic <tick> prompts. More autonomous when terminal unfocused. Exclusive tools: SendUserFileTool, PushNotificationTool, SubscribePRTool. 7 sub-feature flags.

2. BUDDY -- Tamagotchi-style virtual companion pet. 18 species, 5 rarity tiers, Mulberry32 PRNG, shiny variants, stat system (DEBUGGING/PATIENCE/CHAOS/WISDOM/SNARK). April 1-7 2026 teaser window.

3. ULTRAPLAN -- Offloads planning to a remote 30-minute Opus 4.6 session. Smart keyword detection, 3-second polling, teleport sentinel for returning results locally.

4. Dream System -- Background memory consolidation (Orient -> Gather -> Consolidate -> Prune). Triple trigger gate: 24h + 5 sessions + advisory lock. Gated by tengu_onyx_plover.

INTERNAL-ONLY TOOLS & SYSTEMS

5. TungstenTool -- Ant-only tmux virtual terminal giving Claude direct keystroke/screen-capture control. Singleton, blocked from async agents.

6. Magic Docs -- Ant-only auto-documentation. Files starting with "# MAGIC DOC:" are tracked and updated by a Sonnet sub-agent after each conversation turn.

7. Undercover Mode -- Prevents Anthropic employees from leaking internal info (codenames, model versions) into public repo commits. No force-OFF; dead-code-eliminated from external builds.

ANTI-COMPETITIVE & SECURITY DEFENSES

8. Anti-Distillation -- Injects anti_distillation: ['fake_tools'] into every 1P API request to poison model training from scraped traffic. Gated by tengu_anti_distill_fake_tool_injection.

UNRELEASED MODELS & CODENAMES

9. opus-4-7, sonnet-4-8 -- Confirmed as planned future versions (referenced in undercover mode instructions).

10. "Capybara" / "capy v8" -- Internal codename for the model behind Opus 4.6. Hex-encoded in the BUDDY system to avoid build canary detection.

11. "Fennec" -- Predecessor model alias. Migration: fennec-latest -> opus, fennec-fast-latest -> opus[1m] + fast mode.

UNDOCUMENTED BETA API HEADERS

12. afk-mode-2026-01-31 -- Sticky-latched when auto mode activates

15. fast-mode-2026-02-01 -- Opus 4.6 fast output

16. task-budgets-2026-03-13 -- Per-task token budgets

17. redact-thinking-2026-02-12 -- Thinking block redaction

18. token-efficient-tools-2026-03-28 -- JSON tool format (~4.5% token saving)

19. advisor-tool-2026-03-01 -- Advisor tool

20. cli-internal-2026-02-09 -- Ant-only internal features

200+ SERVER-SIDE FEATURE GATES

21. tengu_penguins_off -- Kill switch for fast mode

22. tengu_scratch -- Coordinator mode / scratchpad

23. tengu_hive_evidence -- Verification agent

24. tengu_surreal_dali -- RemoteTriggerTool

25. tengu_birch_trellis -- Bash permissions classifier

26. tengu_amber_json_tools -- JSON tool format

27. tengu_iron_gate_closed -- Auto-mode fail-closed behavior

28. tengu_amber_flint -- Agent swarms killswitch

29. tengu_onyx_plover -- Dream system

30. tengu_anti_distill_fake_tool_injection -- Anti-distillation

31. tengu_session_memory -- Session memory

32. tengu_passport_quail -- Auto memory extraction

33. tengu_coral_fern -- Memory directory

34. tengu_turtle_carbon -- Adaptive thinking by default

35. tengu_marble_sandcastle -- Native binary required for fast mode

YOLO CLASSIFIER INTERNALS (previously only high-level known)

36. Two-stage system: Stage 1 at max_tokens=64 with "Err on the side of blocking"; Stage 2 at max_tokens=4096 with <thinking>

37. Three classifier modes: both (default), fast, thinking

38. Assistant text stripped from classifier input to prevent prompt injection

39. Denial limits: 3 consecutive or 20 total -> fallback to interactive prompting

40. Older classify_result tool schema variant still in codebase

COORDINATOR MODE & FORK SUBAGENT INTERNALS

41. Exact coordinator prompt: "Every message you send is to the user. Worker results are internal signals -- never thank or acknowledge them."

42. Anti-pattern enforcement: "Based on your findings, fix the auth bug" explicitly called out as wrong

43. Fork subagent cache sharing: Byte-identical API prefixes via placeholder "Fork started -- processing in background" tool results

44. <fork-boilerplate> tag prevents recursive forking

45. 10 non-negotiable rules for fork children including "commit before reporting"

DUAL MEMORY ARCHITECTURE

46. Session Memory -- Structured scratchpad for surviving compaction. 12K token cap, fixed sections, fires every 5K tokens + 3 tool calls.

47. Auto Memory -- Durable cross-session facts. Individual topic files with YAML frontmatter. 5-turn hard cap. Skips if main agent already wrote to memory.

48. Prompt cache scope "global" -- Cross-org caching for the static system prompt prefix

by georgecalm1774962914
tools/bashSecurity.ts is a hacker's goldmine. Sooo many exploit patterns detailed in there!!
by freakynit1774983602
Did it happen due to Bun?
by randomsc1774984075
It is pretty funny that they recently announced Mythos, which poses a cybersecurity threat, and then after some days Claude Code leaked. I think we know the culprit.
by AlexWApp1774965086
This is what I'd do to trick my competitors into thinking they now know my weak spots, agenda, etc.: drop a honeypot and do something else :)
by meta-level1774975215
That idea list is super cute. I like the Tamagotchi idea. Somehow the candidness of that file makes it seem like Anthropic would be an easy place to work at.
by Uptrenda1774984803
Is it not already a node app? So the only novel thing here is we know the original var names and structure? Sure, sometimes obfuscated code can be difficult to intuit, but any enterprising party could eventually do it -- especially with the help of an LLM.
by tills131774969335
Releasing a massive feature every day has a cost!

unreliability becomes inevitable!

by evanbabaallos1774979863
I couldn't tell from the title whether it was client or the server code (although map file and NPM were hints). Looks like the client code, which is not as exciting.
by solaire_oa1774972216
I've never understood this convention (common on HN, some news orgs, and elsewhere), that, when there's an IP breach, it's suddenly fair game for everyone else to go through the IP, analyze and comment on it publicly, etc.
by neilv1774984266
And this is what happens when you don’t take security seriously folks and instead just rush out vibecoded features without proper QA.
by nickvec1774973978
haha.. Anthropic need to hire fixer from vibecodefixers.com to fix all that messy code..lol
by Diablo5561774954363
Fascinating, it appears now anyone can be Claude!

Though I wonder how the performance differs from creating your own thing vs using their servers...

by DanDeBugger1774971768
    /*
     * Check if 1M context is disabled via environment variable.
     * Used by C4E admins to disable 1M context for HIPAA compliance.
     */
    export function is1mContextDisabled(): boolean {
      return isEnvTruthy(process.env.CLAUDE_CODE_DISABLE_1M_CONTEXT)
    }

Interesting, how is that relevant to HIPAA compliance?

by mutkach1774963763
They do have a couple of interesting features that have not been publicly heard of yet:

Like KAIROS which seems to be like an inbuilt ai assistant and Ultraplan which seems to enable remote planning workflows, where a separate environment explores a problem, generates a plan, and then pauses for user approval before execution.

by Sathwickp1774957142
Are there any interesting/unique features present in it that are not in the alternatives? My understanding is that it's just a client for the powerful llm
by mapcars1774948159
Think It's just the CLI Code right? Not the Model's underlying source. If so - not the WORST situation (still embarrassing)
by therealarthur1774967875
Many comments about code quality being irrelevant.

I'd agree if it was launch-and-forget scenario.

But this code has to be maintained and expanded with new features. Things like lack of comments, dead code, meaningless variable names will result in more slop in future releases, more tokens to process this mess every time (like paying tech-debt results in better outcomes in emerging projects).

by oxag3n1774981095
Anthropic team does an excellent job of speeding up Claude Code when it slows down, but for the sake of RAM and system resources, it would be nice to see it rewritten in a more performant framework!

And now, with Claude on a Ralph loop, you can.

by VadimPR1774959105
Cheap chinese models incoming.
by sourcegrift1774964818
The more I think about this, the more it seems they're not talking about linker map files[1]....

[1] https://www.tasking.com/documentation/smartcode/ctc/referenc...

by dark-star1774982540
I am waiting now for someone to make it work with a Copilot Pro subscription.
by theanonymousone1774951370
source maps leaking original source happens surprisingly often. they're incredibly useful during development, but it's easy to forget to strip them from production builds.
by prawns_12051774969866
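A pre-publish check for the failure mode described in the comment above, as an added example that is not part of the thread or of any project's code: it flags `.map` files that embed original sources in `sourcesContent`, and bundles that reference or inline a source map. The function names and the sample file list are constructed for illustration.

```javascript
// Added example: audit a package's files for source-map exposure.
// Input is a list of { path, content } objects, so it runs without touching disk.
const SOURCE_MAP_URL = /\/[/*][#@]\s*sourceMappingURL=(\S+)/;

// Inspect one source map (Source Map v3 JSON) and report what it would disclose.
function inspectMap(path, text) {
  let map;
  try {
    map = JSON.parse(text);
  } catch {
    return [{ path, issue: 'unparseable-map' }];
  }
  if (map === null || typeof map !== 'object') {
    return [{ path, issue: 'unparseable-map' }];
  }
  // Index maps nest regular maps under sections[].map.
  const maps = Array.isArray(map.sections)
    ? map.sections.map((s) => s.map).filter(Boolean)
    : [map];
  const findings = [];
  for (const m of maps) {
    const sources = Array.isArray(m.sources) ? m.sources : [];
    const embedded = Array.isArray(m.sourcesContent)
      ? m.sourcesContent.filter((c) => typeof c === 'string' && c.length > 0).length
      : 0;
    if (embedded > 0) {
      // Full original files ship inside the map.
      findings.push({ path, issue: 'embedded-sources', count: embedded });
    } else if (sources.length > 0) {
      // No file bodies, but the original file layout is still disclosed.
      findings.push({ path, issue: 'source-paths-only', count: sources.length });
    }
  }
  return findings;
}

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      findings.push(...inspectMap(path, content));
      continue;
    }
    if (!/\.(c|m)?js$/.test(path)) continue;
    const match = SOURCE_MAP_URL.exec(content);
    if (!match) continue;
    const url = match[1];
    if (url.startsWith('data:')) {
      // Inline map: decode the base64 payload and inspect it like a .map file.
      const b64 = url.slice(url.indexOf(',') + 1);
      const decoded = Buffer.from(b64, 'base64').toString('utf8');
      findings.push(...inspectMap(path + ' (inline map)', decoded));
    } else {
      findings.push({ path, issue: 'map-reference', target: url });
    }
  }
  return findings;
}

// Constructed sample package contents (not taken from any real package).
const inlineMap = Buffer.from(JSON.stringify({
  version: 3, sources: ['src/b.ts'], sourcesContent: ['export const b = 2;'], mappings: '',
})).toString('base64');

const SAMPLE_FILES = [
  { path: 'dist/cli.js', content: 'console.log(1);\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'dist/cli.js.map', content: JSON.stringify({
    version: 3, sources: ['../src/cli.ts'],
    sourcesContent: ['const x = "original source";'], mappings: 'AAAA' }) },
  { path: 'dist/b.js',
    content: `var b=2;\n//# sourceMappingURL=data:application/json;base64,${inlineMap}\n` },
  { path: 'dist/clean.js', content: 'var c=3;\n' },
  { path: 'README.md', content: '//# sourceMappingURL=ignored.map' },
];

console.log(JSON.stringify(auditPackageFiles(SAMPLE_FILES), null, 2));
```

In a release pipeline the file list would come from the packed tarball rather than the build directory, so the check sees exactly what the registry would receive.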
I read it with a different flavor. Is it possible that Mythos did all of this? I mean, life has always been finding a way, hasn't it? The first cry of cyber-life?
by lanbin1774973896
Does this matter? I think every other agent cli is open source. I don’t even know why Anthropic insist upon having theirs be closed source.
by sbochins1774958221
I guess it's time for Anthropic to open source Claude Code.
by anhldbk1774951440
Looking forward to someone patching it so that it works with non Anthropic models.
by __alexs1774965416
Who cares? It's Javascript, if anyone were even remotely motivated deobfuscation of their "closed source" code is trivial. It's silly that they aren't just doing this open source in the first place.
by ramesh311774966622
In the app, it now reads:

> current: 2.1.88 · latest: 2.1.87

Which makes me think they pulled it - although it still shows up as 2.1.88 on npmjs for now (cached?).

by tekacs1774956281
Isn't it open source?

Or is there an open source front-end and a closed backend?

by LeoDaVibeci1774948319
Undercover mode is pretty interesting and potentially problematic: https://github.com/sanbuphy/claude-code-source-code/blob/mai...
by dev2131774961154
Maybe now someone will finally fix the bug that causes claude code to randomly scroll up all the way to the top!
by ZainRiz1774967881
Bad day for the node/npm ecosystem.
by xyst1774980201
Maybe everyone should slow the fuck down - https://mariozechner.at/posts/2026-03-25-thoughts-on-slowing...
by boxerbk1774965962
Now waiting for someone to point Codex at it and rebuild a new Claude Code in Golang to see if it would perform better
by artdigital1774960847
It shows that a company you and your organization are trusting with your data, and allowing full control over your devices 24/7, is failing to properly secure its own software.

It's a wake up call.

by jedisct11774954428
The code looks, at a glance, as bad as you expect.
by q3k1774948788
I hope everyone provides excellent feedback so they improve Claude Code.
by ChicagoDave1774951866
The autoDream feature looks interesting.
by napo1774961087
Just a client side written in JS, nothing to see here, the LLM is still secret.

They could have written that in curl+bash that would not have changed much.

by zoobab1774959266
400k lines of code per scc
by thefilmore1774957757
Why is Claude Code, a desktop tool, written in JS? Is the future of all software JS or Typescript?
by DeathArrow1774951937
Removed
by sourcegrift1774965550
I have 705 PRs ready to go :)
by bdangubic1774958716
time to remove its copyright through malus.sh and release that source under MIT
by agile-gift02621774961754
There's some rollout flags - via GrowthBook, Tengu, Statsig - though I'm not sure if it's A/B or not
by temp70001774961502
I wonder what will happen with the poor guy who forgot to delete the code...
by DeathArrow1774951519
wondering whether it was a human mistake or a CLAUDE model error.
by tw19841774965968
today being March 31st, is this a genuine issue or just perfectly timed April Fools noise? What do you think?
by hemantkamalakar1774960768
April Fools
by Pent1774965767
Now we need some articles analyzing this.
by daft_pink1774964157
I think this is ultimately caused by a Bun bug which I reported, which means source maps are exposed in production: https://github.com/oven-sh/bun/issues/28001

Claude code uses (and Anthropic owns) Bun, so my guess is they're doing a production build, expecting it not to output source maps, but it is.

by jakegmaths1774969200
Can we stop referring to source maps as leaks? It was packaged in a way that wasn’t even obfuscated. Same as websites - it’s not a “leak” that you can read or inspect the source code.
by isodev1774952151
How did this leak happen?
by sudo_man1774961751
Today being March 31st, is this a genuine issue or just perfectly timed April Fools noise? What do you think?
by hemantkamalakar1774960757
Maybe the OP could clarify, I don't like reading leaked code, but I'm curious: my understanding is that it is the source code for "claude code", the coding assistant that remotely calls the LLMs.

Is that correct ? The weights of the LLMs are _not_ in this repo, right ?

It sure sucks for anthropic to get pawned like this, but it should not affect their bottom line much ?

by phtrivier1774957014
I thought it was open source project on github? https://github.com/anthropics/claude-code no?
by pplonski861774965727
A couple of years ago I had to evaluate A/B test and feature flag providers, and even then when they were a young company fresh out of YC, GrowthBook stood out. Bayesian methods, bring your own storage, and self-hosting instead of "Contact us for pricing" made them the go-to choice. I'm glad they're doing well.
by tmarice1774967135
I don't understand why claude code (and all CLI apps) isn't written in Rust. I started building CLI agents in Go and then moved to Typescript and finally settled on Rust and it was amazing!

I even made it into an open source runtime - https://agent-air.ai.

Maybe I'm just a backend engineer so Rust appeals to me. What am I missing?

by arrsingh1774964896