The Claude Code Leak: What’s Now Publicly Usable (and Abusable) — And Why Anthropic’s Containment Already Failed

Author: Berend Watchus

Published to OSINT Team

Current Status: Post-Leak Analysis (April 5, 2026).

On April 4, 2026, Wired ran a weekly security roundup under the headline: “Security News This Week: Hackers Are Posting the Claude Code Leak With Bonus Malware.”

That headline is the surface layer. The malware was real. The Vidar infostealer was real. The fake GitHub repositories were real. But focusing there is like reporting on a bank robbery by describing the getaway car.

What actually happened was a phase transition. Here is what that means.

⚡ Executive Summary: The Claude Code Phase Transition

The Incident: On March 31, 2026, Anthropic accidentally leaked the complete source code for Claude Code (512,000+ lines) via a debug source map file. The leak was caused by a known, unfixed bug in the Bun runtime (Issue #28001) — a toolchain Anthropic recently (late 2025) acquired.

The “Phase Transition”: This is no longer a simple data leak. Within hours, the architecture was clean-room replicated in Python (claw-code), becoming the fastest-growing repository in GitHub history.

Legal containment has failed: clean-room rewrite doctrine protects claw-code from DMCA, and recent DC Circuit precedent limits copyright protection for AI-generated code.

What Happened, Precisely

On March 31, 2026, Anthropic accidentally shipped version 2.1.88 of their @anthropic-ai/claude-code npm package with a 59.8 MB JavaScript source map file attached. Source maps are debugging artifacts — they translate minified production code back into readable source. They belong in development environments and nowhere else.

Someone forgot to add *.map to .npmignore. That is the entire cause — but the fuller picture is worse. Claude Code is built on Bun, a runtime Anthropic acquired in late 2025. A known bug in Bun (issue #28001, filed March 11, 2026 — twenty days before the leak) caused source maps to be served in production despite being disabled in configuration. The bug was open and unfixed at the time of the incident. Anthropic owned the toolchain. The toolchain had a documented flaw. The flaw shipped their source code to the world.
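The lesson for anyone publishing an npm package is that an ignore rule is a statement of intent, not evidence: if the build toolchain emits files the rule never anticipated, only the tarball listing tells you what ships. The script below is an added example, not Anthropic's or npm's code. It reads the JSON that `npm pack --dry-run --json` prints and fails if any debug artifact (source maps by default) is in the tarball. The package name, file names and sizes in the embedded sample are constructed for illustration.

```python
"""Pre-publish check: inspect what `npm pack` would actually ship.

Added example, not Anthropic's or npm's code. It parses the output of
`npm pack --dry-run --json` and flags debug artifacts (source maps by
default) in the would-be tarball. Checking the tarball listing rather
than .npmignore matters because a build tool can emit files the ignore
rules were never written for.
"""
import json
import subprocess
from typing import Iterable

# File suffixes that belong in development builds, never in a published package.
DEBUG_SUFFIXES = (".map",)


def find_debug_artifacts(pack_json: str, suffixes: Iterable[str] = DEBUG_SUFFIXES) -> list[dict]:
    """Return the files in an `npm pack --json` listing that match a debug suffix.

    Each returned dict carries the file's path inside the tarball and its size in bytes.
    """
    report = json.loads(pack_json)
    suffix_tuple = tuple(suffixes)
    hits = []
    # npm emits a list with one entry per packed package; each has a "files" array.
    for pkg in report:
        for entry in pkg.get("files", []):
            path = entry["path"]
            if path.endswith(suffix_tuple):
                hits.append({"path": path, "size": entry.get("size", 0)})
    return hits


def run_pack_dry_run(package_dir: str = ".") -> str:
    """Run `npm pack --dry-run --json` in package_dir and return its stdout (needs npm installed)."""
    proc = subprocess.run(
        ["npm", "pack", "--dry-run", "--json"],
        cwd=package_dir, capture_output=True, text=True, check=True,
    )
    return proc.stdout


# Constructed sample output (not a real package listing): a bundle plus a
# large source map that no ignore rule excluded.
SAMPLE_PACK_JSON = json.dumps([{
    "name": "example-cli",
    "version": "1.0.0",
    "files": [
        {"path": "package.json", "size": 812, "mode": 420},
        {"path": "dist/cli.js", "size": 9_500_000, "mode": 493},
        {"path": "dist/cli.js.map", "size": 59_800_000, "mode": 420},
    ],
}])

if __name__ == "__main__":
    # Replace SAMPLE_PACK_JSON with run_pack_dry_run() to check a real package directory.
    hits = find_debug_artifacts(SAMPLE_PACK_JSON)
    for hit in hits:
        print(f"would publish debug artifact: {hit['path']} ({hit['size'] / 1e6:.1f} MB)")
    raise SystemExit(1 if hits else 0)
```

Wire `run_pack_dry_run()` into the release pipeline as a gate before `npm publish`; a non-zero exit blocks the release whether the artifact slipped past `.npmignore`, the `files` field, or a runtime bug in the bundler.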

The effect: 512,000+ lines of unobfuscated TypeScript across 1,906 files became publicly downloadable from Anthropic’s own Cloudflare R2 storage bucket within hours. Security researcher Chaofan Shou flagged it on X. The post hit 28.8 million views. By the time Anthropic pulled the package, the code had been mirrored to GitHub and forked tens of thousands of times.

No customer data leaked. No model weights leaked. What leaked was the complete blueprint for how their flagship AI agent actually works — in many ways more strategically valuable than the model itself.

The source is permanently in the wild. That part is settled.

The Malware Layer: Handle It, Then Move On

The Wired story focused here, correctly, for a general audience.

A malicious GitHub repository dressed as a leaked Claude Code source with “unlocked enterprise features” was SEO-optimized to surface on Google’s first page for “leaked Claude Code.” The download contained ClaudeCode_x64.exe — a Rust-based dropper deploying Vidar v18.7, a commodity infostealer harvesting browser credentials, saved passwords, and cryptocurrency wallet data, plus GhostSocks, a proxy tool turning infected machines into residential proxies for criminal traffic routing.

The concurrent Axios supply chain attack is more structurally serious: malicious Axios npm package versions were live between 00:21 and 03:29 UTC on March 31, delivering a cross-platform remote access trojan. This means some users may have received both the legitimate leaked source and unrelated malware in the same install window — two separate incidents, same three-hour exposure, one npm update.

Immediate action if you updated Claude Code via npm on March 31: Check lockfiles for axios versions 1.14.1 or 0.30.4, or the dependency plain-crypto-js. If found, treat the machine as fully compromised. Rotate all credentials. Use Anthropic’s native installer going forward: curl -fsSL https://claude.ai/install.sh | bash
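The lockfile check above can be scripted rather than eyeballed. The following is an added example, not Anthropic's or the Axios project's code: it walks an npm `package-lock.json` (v1 nested `dependencies`, or v2/v3 flat `packages`) and reports the indicators named in this section. The embedded lockfile is constructed for illustration; yarn and pnpm lockfiles would need their own parsers.

```python
"""Lockfile triage for the March 31 Axios supply-chain window.

Added example, not Anthropic's or the Axios project's code. It reports
axios 1.14.1 or 0.30.4, or any presence of the plain-crypto-js dependency,
in an npm package-lock.json of lockfile version 1, 2 or 3.
"""
import json
from pathlib import Path

# Indicators named in the incident reporting.
MALICIOUS_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
INDICATOR_PACKAGES = {"plain-crypto-js"}


def _package_name(install_path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return install_path.split("node_modules/")[-1].rstrip("/")


def scan_lockfile(lock: dict) -> list[str]:
    """Return sorted, de-duplicated findings for a parsed package-lock.json."""
    findings = set()

    def check(name: str, version: str) -> None:
        if name in INDICATOR_PACKAGES:
            findings.add(f"{name}@{version}: indicator dependency present")
        if version in MALICIOUS_VERSIONS.get(name, set()):
            findings.add(f"{name}@{version}: compromised release")

    # lockfileVersion 2/3: flat map keyed by install path; "" is the root project itself.
    for path, meta in lock.get("packages", {}).items():
        if path:
            check(_package_name(path), meta.get("version", ""))

    # lockfileVersion 1 (and 2, which carries both shapes): nested dependency trees.
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            check(name, meta.get("version", ""))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(findings)


def scan_lockfile_path(path: str) -> list[str]:
    """Convenience wrapper: scan the lockfile at `path`."""
    return scan_lockfile(json.loads(Path(path).read_text()))


# Constructed sample (not a real lockfile): a v3 lock from a machine updated in the window.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "dev-box", "version": "0.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK):
        print("FINDING:", finding)
```

Any finding means the host ran the malicious install, so the response is the one stated above: treat the machine as compromised and rotate every credential it could reach, not just the npm token.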

Now move past the malware. The deeper story starts here.

What Was Actually Inside: Five Findings, No Softening

1. An Always-On Agent That Acts While You Sleep — Already Built, Not Yet Enabled

KAIROS is not a roadmap item. Not a concept. Not a prototype. It is a complete, production-ready autonomous daemon mode referenced over 150 times in the source, named after the Ancient Greek concept of “the right moment to act.”

When active, Claude Code runs in the background without user initiation. It receives timer-based heartbeat prompts — “anything worth doing right now?” — and independently decides whether to act. It persists after the terminal closes. It subscribes to GitHub webhooks. It sends push notifications to your phone or desktop. It maintains an append-only daily log the agent cannot self-erase. It has tools regular Claude Code does not: file delivery without being asked, push notifications, persistent session state across restarts.

A hidden prompt behind the KAIROS flag states the system is designed to have “a complete picture of who the user is, how they’d like to collaborate with you, what behaviors to avoid or repeat, and the context behind the work the user gives you.”

During user downtime, KAIROS triggers a subprocess called autoDream. A forked sub-agent reviews the day’s logs, removes logical contradictions, and converts vague observations into verified facts for the next session. This is not a stateless chat tool. This is a resident worker that evolves its understanding of you while you sleep.

The flag is not flipped. The code is finished. Anthropic chose when to tell you this existed. The choice was: not yet.

For attackers: The full design — heartbeat logic, persistent memory architecture, bounded action budgets, append-only logging — is now public and copyable. Building a persistent, stealthy agent that lives on a developer machine and operates without user initiation no longer requires original engineering. It requires reading the source.

Critically for OSINT and security teams: a KAIROS-style compromised machine does not need a traditional “phone home” event to begin exfiltrating. The agent generates its own tasks from its internal heartbeat. There is no outbound trigger to detect. The threat is self-initiating.

Bottom line for your boss: AI coding tools with “proactive” features are not tools you run. They are software that lives on your systems indefinitely. The threat model shifts from “application” to “resident.”

2. The Security Layer That Silently Switches Off at Command 51

Claude Code ships with 2,500 lines of sophisticated bash security validators protecting SSH keys, AWS credentials, GitHub tokens, and blocking command injection. Layered. Engineered. Praised by security researchers who examined the code.

Give it 51 subcommands in a single pipeline. The entire validation stack silently disengages. No warning. No log entry. Deny rules stop. Security validators stop. Command injection detection stops. The 51st command executes in a permission vacuum.

This is not a theoretical edge case. A malicious CLAUDE.md file with 50 legitimate-looking build steps followed by one credential exfiltration command gets everything. Your SSH keys. Your AWS credentials. Your GitHub tokens. Silently. With no indication anything went wrong.

The fix existed in the codebase. The tree-sitter parser. Already written. Already tested. Not enabled in the build you were running. The code confirms the team knew about it. The likely reason it wasn’t shipped: performance. Tree-sitter parsing is computationally heavier than the existing validation stack. Anthropic appears to have made a deliberate trade-off — speed over a known, critical security bypass. That choice is now documented and public.

Bottom line for your boss: AI tools with terminal access can disable their own security through a simple command explosion attack. The sophistication of the validation layer is irrelevant if it has an off switch. Find the number before someone else does.
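The defensive counterpart to this finding is a guard that fails closed: a chain the validator cannot fully evaluate is refused, not waved through. The code below is an added example, not Claude Code's validator. It tokenises a command line with `shlex`, splits it into subcommands at pipeline and list operators, refuses anything longer than a hard limit (50 here, matching the page's recommendation), and runs its deny rules over every segment with no early exit. The deny rules and protected paths are illustrative, not the tool's actual rule set; the sample commands in the `__main__` block are constructed.

```python
"""Fail-closed command-chain guard.

Added example, not Claude Code's validator. A command line is split into
subcommands; chains longer than MAX_SEGMENTS are refused outright, and
every remaining segment is checked against the deny rules.
"""
import shlex
from dataclasses import dataclass

# Any chain longer than this is refused rather than validated.
MAX_SEGMENTS = 50

# Operators that start a new subcommand. Redirections (<, >, >>, >&) do not.
CHAIN_OPERATORS = {"|", "|&", "||", "&&", ";", "&"}

# Illustrative deny rules covering the credential locations the page mentions.
DENY_SUBSTRINGS = ("~/.ssh", ".aws/credentials", ".config/gh/hosts.yml")


@dataclass
class Decision:
    allowed: bool
    reason: str
    segments: int


def split_segments(command: str) -> list[list[str]]:
    """Split a command line into subcommands, each a list of tokens.

    Raises ValueError on unbalanced quotes, which the caller treats as a refusal.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:
        if tok in CHAIN_OPERATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def evaluate_command(command: str, limit: int = MAX_SEGMENTS) -> Decision:
    """Decide whether a command chain may run. Unknown or oversized input is refused."""
    try:
        segments = split_segments(command)
    except ValueError as exc:  # unbalanced quotes: refuse rather than guess
        return Decision(False, f"unparseable command: {exc}", 0)
    if len(segments) > limit:
        return Decision(False, f"{len(segments)} subcommands exceeds limit of {limit}", len(segments))
    # Check every segment; the 51st command problem is an early exit, so there is none here.
    for idx, seg in enumerate(segments, 1):
        joined = " ".join(seg)
        for needle in DENY_SUBSTRINGS:
            if needle in joined:
                return Decision(False, f"subcommand {idx} touches protected path {needle}", len(segments))
    return Decision(True, "all subcommands passed", len(segments))


if __name__ == "__main__":
    # Constructed sample inputs.
    for cmd in (
        "npm ci && npm test; echo done",
        " | ".join(["true"] * 51),
        "make build && cat ~/.ssh/id_ed25519",
    ):
        d = evaluate_command(cmd)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} ({d.segments} segments): {d.reason}")
```

The important property is not the specific limit but that the limit is enforced by refusing, and that the decision is logged: a validator that quietly stops checking at some depth is indistinguishable from one that passed everything.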

3. Active Sabotage of Competitor Training Pipelines

A feature flag called ANTI_DISTILLATION_CC in claude.ts — when enabled — instructs the server to inject fake but plausible-looking tool definitions into API responses. Deliberately wrong. Deliberately convincing.

If a competitor’s team was scraping Claude Code’s API outputs to train their own model, they were consuming poisoned data. The poison was engineered, named, feature-flagged, and deployed. This is not a defensive measure that was considered. This is a weapon that was built and used.

The technique is now fully public. Anyone can deploy similar poisoning. The entire conversation about AI training data integrity — who owns it, what’s in it, whether it can be trusted — just received a concrete answer from Anthropic’s own production codebase.

Note the dual-use structure: defensive for Anthropic against model theft, but an offensive weapon for any actor who now wants to poison a competitor’s training pipeline. The blueprint is identical in both directions.

If your team or researchers rely on scraped frontier model outputs for training or analysis, you have no reliable way to know whether you are consuming deliberately corrupted data. That was the point.

Bottom line for your boss: Public AI outputs can no longer be treated as clean training material. Active data poisoning is a documented, deployed tactic. Assume potential contamination.

4. Covert AI Authorship Concealment, Already Running in Production

Undercover Mode. A dedicated module deploys system prompts instructing Claude: never mention you are an AI, never include Co-Authored-By attribution, write commit messages exactly as a human developer would. Do not blow your cover.

This was not a proposed feature. Not a prototype. It was running in production while Anthropic employees made contributions to public open-source repositories.

The engineering effort behind the concealment goes further than the system prompt. Internal model codenames — Capybara, Fennec, Tengu — were obfuscated in the source using character-code arrays rather than plain strings, specifically to prevent string-matching from detecting them. The codebase was hardened against its own accidental disclosure. Then Anthropic accidentally shipped the entire source in a 59.8 MB .map file. That is the most significant operational security irony of 2026.

The open-source community spent months in intense debate about AI disclosure, AI attribution, whether AI-generated commits should be labeled. That debate was happening while the tooling to make the answer permanently “no, and you will never know” was already deployed by one of the most prominent voices in that conversation.

The simple prompt technique is now fully public. Anyone can make AI-generated code, pull requests, or commits appear entirely human. Every public repository in the world that assumes its contributors are human is operating on an assumption that Anthropic’s own internal tooling was engineered to defeat. Not theoretically. Actually.

Bottom line for your boss: AI-written code can already hide its origin perfectly. The assumption of human authorship in public repositories is broken. Sensitive projects need updated verification processes.

5. Knowingly Selling a Product With Worsening Accuracy

Internal benchmarks and code comments document that Capybara v8 — the model underlying what enterprise customers are currently paying for — has a 29–30% false claims rate. This is a regression from 16.7% in version 4. The direction is wrong and getting worse. Engineers documented the problem. They added workarounds — an “assertiveness counterweight” to stop the model from being too aggressive. They continued full-price enterprise sales. They continued unchanged capability marketing. Enterprise customers represent 80% of revenue.

This is not “labs track internal issues.” This is a company knowingly expanding deployment of a product whose internal metrics show accelerating accuracy regression while charging premium rates to enterprise buyers who signed contracts based on capability claims the internal codebase contradicts.

Bottom line for your boss: Do not treat AI coding tools as reliable authorities. Independent verification of critical outputs is mandatory. The internal numbers can contradict the marketing. Now you can see both.

The Phase Transition: Why Containment Already Failed

The five findings above give security teams immediate things to audit and act on.

The larger structural story is what happened next.

Within hours of the leak, developer Sigrid Jin sat down and did something that changes the shape of this entire story. Using oh-my-codex, a workflow layer built on top of OpenAI’s Codex — a competing AI — he rebuilt the Claude Code agent harness from scratch in Python and pushed it before sunrise in Korea.

The repository: instructkr/claw-code. No proprietary source code. A clean-room architectural reimplementation, capturing the patterns without copying the text. It became the fastest-growing GitHub repository in history. 50,000 stars in two hours. 100,000 stars in one day. More stars than Anthropic’s own Claude Code repository.

Anthropic’s DMCA campaign — which initially swept over 8,000 repositories including thousands of unrelated forks, an acknowledged overshoot GitHub subsequently reversed — cannot touch it. Clean-room reverse engineering is established legal doctrine. The repository states plainly: “This repository does not claim ownership of the original Claude Code source material.”

The legal territory is further complicated because large portions of the leaked codebase appear to be AI-generated. Recent court rulings, including DC Circuit precedent from March 2025, have limited copyright protection for works lacking sufficient human authorship. A company whose product was built largely with AI may find that the same authorship questions it raises about training data also weaken its own DMCA-based containment efforts.

What this means structurally: the barrier between “institutional R&D product” and “publicly available architecture” is now measured in hours for anyone with sufficient methodology and the right tools. A Korean developer with a competing AI rebuilt Anthropic’s flagship product overnight. The reconstruction is now being actively developed and extended by autonomous agent workflows — humans setting direction, AI doing the construction — which is itself a demonstration of exactly the architecture the leak described.

This is not irony. Calling it irony implies accidental contradiction. The Undercover Mode was engineered deliberately. The anti-distillation poisoning was engineered deliberately. These are choices made by a company whose public identity is built on safety, transparency, and responsible development. The contradiction between that public identity and what the code actually shows is not an accident. It is a gap between marketing and implementation that the source code now makes permanently visible.

What This Actually Changes

The malware story ends when you update your installer and rotate your credentials.

The phase transition does not end.

KAIROS’s architecture is public and copyable. The 51-command bypass is known. The poisoning technique is documented and replicable. The authorship concealment prompt is in the README of a repository with 100,000 stars. The accuracy regression is on record.

The era of closed, controllable frontier AI tooling — where the internal reality was hidden behind the public marketing — is structurally over for Claude Code. The blueprints are public. The rewrites are shipping. The autonomous agents are extending the codebase in the open.

The question is not whether these capabilities exist. They do, and now everyone knows exactly how they work.

The question is who uses them first, how openly, and whether the enterprises currently paying premium prices for tools whose internal realities are now public will adjust their contracts accordingly.

Practical Recommendations

For security teams:

  • Audit every AI coding tool on developer machines: background processes, terminal access, command chain handling.
  • Test tools with adversarial long pipelines and malicious project configuration files.
  • Assume any command exceeding 50 subcommands bypasses AI tool security validation until proven otherwise.
  • Treat all external commits and contributions with heightened scrutiny — assume AI origin is possible and actively concealed.

For researchers and analysts:

  • Treat scraped frontier model outputs as potentially poisoned. Verification against multiple independent sources is now mandatory.
  • Document and timestamp any claims about AI tool capabilities — the internal benchmarks may contradict the public claims, and you may need the record.

For leadership:

  • The closed era of frontier AI tooling is ending. Containment of leaked architectures is no longer realistic once clean-room reconstruction is possible overnight.
  • Review AI tool procurement against what internal benchmarks — now sometimes public — actually show versus what marketing claims.
  • The assumption that AI tool behavior is fully controlled and fully disclosed is no longer safe.

The code is out. The rewrites are live. The flag is not yet flipped for most users. But the blueprint for flipping it — and for abusing every weakness it contains — is now sitting in tens of thousands of hands, being actively extended in the open.

References:

1. Zscaler ThreatLabz. Anthropic Claude Code Leak. Zscaler, April 2026.
2. BleepingComputer. Claude Code Leak Used to Push Infostealer Malware on GitHub. BleepingComputer, April 3, 2026.
3. The Hacker News. Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms. The Hacker News, April 3, 2026.
4. TechCrunch. Anthropic Took Down Thousands of GitHub Repos Trying to Yank Its Leaked Source Code. TechCrunch, April 1, 2026.
5. SecurityWeek. Critical Vulnerability in Claude Code Emerges Days After Source Leak. SecurityWeek, April 2026.
6. Alex Kim. The Claude Code Source Leak: Fake Tools, Frustration Regexes, Undercover Mode. alex000kim.com, March 31, 2026.
7. VentureBeat. Claude Code’s Source Code Appears to Have Leaked: Here’s What We Know. VentureBeat, March 31, 2026.
8. Layer5. The Claude Code Source Leak: 512,000 Lines, a Missing .npmignore, and the Fastest-Growing Repo in GitHub History. Layer5.io, April 2026.
9. Cybernews. Leaked Claude Code Source Spawns Fastest Growing Repository in GitHub History. Cybernews, April 2, 2026.
10. Adversa AI. Critical Vulnerability in Claude Code Permission System. Adversa AI, April 2026.
11. Wired Staff. Security News This Week: Hackers Are Posting the Claude Code Leak With Bonus Malware. Wired, April 4, 2026.
12. The Register. Fake Claude Code Source Downloads Actually Delivered Malware. The Register, April 2, 2026.
13. Hacker News. The Claude Code Leak. news.ycombinator.com, April 2026.