Anthropic Accidentally Leaked Claude Code’s Source—The Internet Is Keeping It Forever

Anthropic didn’t mean to open-source Claude Code. But on Tuesday, the company effectively did—and not even an army of lawyers can put that toothpaste back in the tube.

It started with a single file. Claude Code version 2.1.88, pushed to the npm registry in the early hours of Tuesday morning, shipped with a 59.8MB JavaScript source map—a debug file that can reconstruct the original code from its compressed form. These files are generated automatically and are supposed to stay private. But a single line in the ignore settings let it go out with the release.

Intern and researcher Chaofan Shou, who appears to be among the first to spot the file, posted a download link to X around 4:23 a.m. ET, and watched 16 million people descend on the thread. Anthropic yanked the npm package, but the internet had already archived 512,000 lines of code across 1,900 different files that make up a major part of the project.

“Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed,” an Anthropic spokesperson told Decrypt. “This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”

The leak exposed the full internal architecture of what is arguably one of, if not the most sophisticated AI coding agent on the market: LLM API orchestration, multi-agent coordination, permission logic, OAuth flows, and 44 hidden feature flags covering unreleased functionality.

Among the finds: Kairos, an always-on background daemon that stores memory logs and performs nightly “dreaming” to consolidate knowledge. And Buddy, a Tamagotchi-style AI pet with 18 species, rarity tiers, and stats including debugging, patience, chaos, and wisdom. There’s a teaser rollout for this “Buddy” apparently planned for April 1-7.

Then there’s the detail that made everyone on Hacker News cackle. Per leaker Kuberwastaken, buried inside the code was “Undercover Mode”—a whole subsystem designed to prevent the AI from accidentally leaking Anthropic’s internal codenames and project names when contributing to open-source repositories. The system prompt injected into Claude’s context literally says: “Do not blow your cover.”

Apparently, Anthropic began issuing DMCA takedowns against GitHub mirrors. That’s when things got interesting.

A Korean developer named Sigrid Jin—featured in the Wall Street Journal earlier this month for having consumed 25 billion Claude Code tokens—woke up at 4 a.m. to the news. He sat down, ported the core architecture to Python from scratch using an AI orchestration tool called oh-my-codex, and pushed claw-code before sunrise. The repo hit 30,000 GitHub stars faster than any repository in history.

It’s basically a translation of all the code from the original language to Python, so technically not the same thing, right? We’ll leave that to lawyers and tech philosophers.

The legal logic here is sharp. Gergely Orosz, founder of The Pragmatic Engineer newsletter, argued in a post on X: “This is either brilliant or scary: Anthropic accidentally leaked the TS source code of Claude Code. Repos sharing the source are taken down with DMCA. BUT this repo rewrote the code using Python, and so it violates no copyright & cannot be taken down!”

It’s a clean-room rewrite. A new creative work. DMCA-proof by design.

The copyright angle gets thornier when considering the legal status of AI-generated work, and how muddy the criteria gets when lawyers have to rule whether or not it carries automatic copyright. The DC Circuit upheld that position in March 2025, and the Supreme Court declined to hear the challenge.

If significant chunks of Claude Code were written by Claude itself—which Anthropic’s own CEO has implied—then the legal standing of any copyright claim gets murkier by the day.

Decentralization adds another layer of permanence. The account @gitlawb mirrored the original code to Gitlawb, a decentralized git platform, with a simple message: “Will never be taken down.” The original remains accessible there. A separate repository has compiled all of Claude’s internal system prompts, which is something that prompt engineers and jailbreakers will appreciate as it gives more insights into the way Anthropic conditions its models.

This matters beyond the drama. DMCA takedowns work against centralized platforms. GitHub complies because it has to. Decentralized infrastructure—which powers Gitlawb, torrents, and cryptocurrency itself—doesn’t have the same single point of failure. When a company tries to pull something back from the internet, the only question is how many mirrors exist and on what kind of infrastructure. The answer here, within hours, was: enough.