Get AI summaries of any video or article — Sign up free
Tragic mistake... Anthropic leaks Claude’s source code thumbnail

Tragic mistake... Anthropic leaks Claude’s source code

Fireship·
5 min read

Based on Fireship's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

A 57 MB source map file shipped with Claude Code MPM package version 2.1.88 exposed the full readable TypeScript source, reported at 500,000+ lines.

Briefing

A leaked source map file accidentally shipped with an npm release exposed Claude Code’s full readable TypeScript source—over 500,000 lines—turning a closed, “safety-first” product into a blueprint for competitors overnight. Within minutes of the discovery, mirrors and clones spread widely, and Anthropic issued DMCA takedowns only after the code had already been replicated across the internet.

The key technical trigger was straightforward: security researcher Chiao Fan Sha found that version 2.1.88 of the Claude Code MPM package included a 57 MB source map file. Source maps are typically used only during development to map compiled code back to its original source; build pipelines usually strip them out for production. The transcript links the packaging mistake to Claude Code’s reliance on Bun.js—recently acquired by Anthropic—and notes a GitHub issue from weeks earlier about Bun.js serving source maps in production. Whether that issue was the root cause or a separate developer error, the result was the same: a “holy grail” artifact made the entire codebase readable.

Once the source became public, the leak shifted from a security incident to an intelligence windfall. The code reportedly relies on Axios, which the transcript ties to a separate claim of compromise by North Korean hackers—raising the prospect of supply-chain risk if the dependency were exploited in Anthropic’s environment. More broadly, the system was portrayed as an engineered prompt-and-tool pipeline rather than a mysterious leap in AI capability: the workflow from input to output is described as a multi-step process (11 steps), with hard-coded instructions and guardrails embedded as large strings.

Several “anti-distillation” mechanisms drew attention. The transcript claims Claude Code includes poison-pill behavior designed to mislead competitors training on its outputs—by referencing tools that supposedly exist but don’t. It also highlights a major bash-command parsing and execution component (over a thousand lines), framing it as a central capability of an AI coding assistant.

Other features described in the leaked instructions include “undercover mode,” which aims to keep Claude from mentioning itself in commit messages or outputs to reduce code-name leakage. The transcript also points to a “regex frustration detector” that scans prompts for keywords and logs events when users appear unhappy, plus unusually heavy commenting—interpreted as material intended for the AI to generate or refine its own coding workflow.

Finally, the leak allegedly exposed feature names and roadmap hints under feature flags, including “Buddy” (a customizable Tamagotchi-style companion), references to “Opus 4.7,” and a new model name “Capiara,” alongside “ultra plan,” “coordinator mode,” and “demon mode.” A “Chyus” capability is described as a background journaling agent using “dream mode” to consolidate memories on a schedule.

For Anthropic, the fallout is framed as a major setback ahead of an IPO timeline. The incident also reinforces a broader lesson: even highly guarded systems can become effectively open-source if a single build artifact—like a source map—slips into a public npm package.

Cornell Notes

A source map accidentally included in an npm release exposed Claude Code’s full readable TypeScript source (over 500,000 lines), spreading quickly through mirrors and clones despite later DMCA takedowns. The leak is traced to packaging behavior around Bun.js and a prior issue about source maps being served in production, though the exact cause is uncertain. Analysis of the code portrays Claude Code as a multi-step prompt-and-tool pipeline with extensive hard-coded guardrails rather than a black-box breakthrough. The source also reportedly contains anti-distillation “poison pill” tactics, undercover-style output instructions, and other operational features like a regex-based frustration logger. The incident matters because it hands competitors a detailed blueprint and reveals roadmap hints under feature flags.

What specific artifact turned Claude Code into a readable codebase, and why is it so damaging?

A 57 MB source map file shipped with Claude Code MPM package version 2.1.88. Source maps are normally used only in development to map compiled output back to original source; production builds typically remove them. Because the source map contained the full readable TypeScript code (reported as 500,000+ lines), it effectively converted a compiled distribution into a blueprint competitors could study.

How did the leak spread so fast, and what did Anthropic do afterward?

After security researcher Chiao Fan Sha discovered the source map, the readable code spread rapidly across the internet via mirrors and clones. Anthropic’s legal team issued DMCA takedowns, but the transcript emphasizes that replication had already occurred by the time takedowns were issued.

What does the leaked code reportedly reveal about Claude Code’s architecture?

Rather than a single magical model capability, the transcript describes Claude Code as a dynamic “prompt sandwich” glued together with TypeScript, using a multi-step pipeline (11 steps) from input to output. It also highlights extensive hard-coded instruction strings and guardrails embedded throughout the codebase.

What are “anti-distillation poison pills,” and how are they claimed to work?

The transcript claims Claude Code includes instructions that reference tools that appear to exist but don’t. If a competitor trains a model on Claude’s outputs, those fabricated tool mentions can mislead the training process—pushing the new model in the wrong direction. The transcript suggests this could particularly affect bash-related behavior because a large bash parsing/execution module is central to the assistant.

What operational features are highlighted beyond core coding behavior?

Several instruction sets are described: “undercover mode” to avoid mentioning Claude itself in commit messages or outputs; a “regex frustration detector” that matches prompt keywords and logs events; and an emphasis on comments interpreted as material meant for AI-driven code generation loops. The transcript also points to feature-flagged roadmap items like “Buddy” and “Chyus.”

What roadmap or feature-name hints allegedly surfaced in the leaked code?

Under feature flags, the transcript mentions “Buddy” (a customizable digital-pet companion), references to “Opus 4.7,” a new model name “Capiara,” and additional capabilities such as “ultra plan,” “coordinator mode,” and “demon mode.” It also describes “Chyus” as a background agent that keeps a daily journal, using “dream mode” to consolidate memories on a schedule.

Review Questions

  1. Why are source maps considered a high-risk artifact in production deployments, and what does their presence enable an attacker or competitor to do?
  2. How do anti-distillation “poison pill” strategies differ from ordinary safety guardrails, and what training-time harm are they meant to cause?
  3. What does the transcript suggest about Claude Code’s capabilities—what parts are “hard-coded instructions and tool glue” versus model-driven behavior?

Key Points

  1. 1

    A 57 MB source map file shipped with Claude Code MPM package version 2.1.88 exposed the full readable TypeScript source, reported at 500,000+ lines.

  2. 2

    Source maps are typically development-only; their presence in production undermines closed-source protections by turning compiled code back into original source.

  3. 3

    Security researcher Chiao Fan Sha identified the leak quickly, after which mirrors and clones spread before DMCA takedowns could contain it.

  4. 4

    Claude Code is described as an engineered multi-step prompt-and-tool pipeline with extensive hard-coded guardrails, not a single opaque breakthrough.

  5. 5

    The leak reportedly includes anti-distillation “poison pill” behavior that can mislead competitors training on Claude outputs by referencing non-existent tools.

  6. 6

    Several instruction modules are highlighted, including undercover-style output constraints and a regex-based frustration logger.

  7. 7

    Feature flags in the leaked code allegedly revealed roadmap hints such as “Buddy,” “Opus 4.7,” “Capiara,” and “Chyus.”

Highlights

A production npm package included a development-only source map, effectively converting Claude Code from compiled distribution into a readable blueprint.
Anti-distillation tactics are described as deliberately misleading training pipelines by mentioning tools that don’t actually exist.
The codebase is portrayed as “prompt spaghetti” plus hard-coded guardrails and tool orchestration—more engineering than magic.
Roadmap hints allegedly surfaced under feature flags, including “Buddy” and “Chyus,” alongside references to “Opus 4.7” and “Capiara.”

Topics

  • Source Map Leak
  • Claude Code
  • Anti-Distillation
  • Undercover Mode
  • Supply Chain Risk

Mentioned

  • Chiao Fan Sha

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library