Artificial Intelligence Technology

Anthropic Leak explained: everything you need to know

Nitin Tayal00 views

Claude Code, specifically Claude Code v2.1.88, accidentally shipped in a way that made it effectively open source for a minute. And that minute turned into a whole week of mirrors, forks, ports, DMCAs, arguments about copyright, and a pretty rare look at how a modern LLM coding product is actually stitched together.

So this is the leak, in plain terms. What happened, what got out, what it revealed, and what people built from it after the fact.

What leaked, exactly

Claude Code is Anthropic’s agentic coding app. Not just a chat box, but a tool using loop. It reads files, edits them, runs commands, coordinates multiple steps, manages permissions, and tries to not trash a repo while doing it.

The leak exposed parts of that product’s implementation:

  • LLM API orchestration and routing logic
  • Multi agent coordination patterns
  • Permission logic and safety rails for tool use
  • OAuth flows and auth related glue
  • Dozens of hidden feature flags, reported as 44
  • Internal subsystems and experiments, including “Kairos” and “Buddy”
  • A subsystem called “Undercover Mode” meant to stop the assistant from leaking internal codenames
  • Tool definitions, scaffolding, and the Claude Code system prompt and policies
  • Implementation details like parallel tool execution, file edit strategies, stop conditions for the agent loop

What it did not include is also important.

No model weights. No proprietary training pipeline. No “core Anthropic servers” blueprint. Mostly product code and product logic, shipped in compiled or obfuscated form in places, but still very recoverable.

How it got leaked (very short version)

A build of Claude Code v2.1.88 was accidentally open sourced in a way that included a huge JavaScript source map file, around 59.8MB. Source maps are basically the “undo the minification” companion files. They exist to make debugging easier. They also make reverse engineering way easier when they slip into public artifacts.

An intern, Chaofan Shou, posted a download link to X. The link spread fast, and the package reportedly hit around 16 million downloads before the situation fully cooled off.

Once people had the artifacts, mirrors appeared. GitHub repos popped up. The usual open source archaeology kicked in, but at hyperspeed.

Why source maps mattered so much

In modern web and Electron style apps, shipping minified bundles is normal. What makes those bundles readable again is the source map. If a production build leaks with its source map intact, the code goes from “annoying to analyze” to “oh, this is basically the project layout, function names, and original structure.”

That is why this leak had so much downstream energy. Not because the code was magical, but because it was legible.

Immediate consequences: the first wave

The first wave looked like this:

  1. Mirrors everywhere. GitHub mirrors, personal gists, zip reuploads, then backups of backups.
  2. Anthropic DMCA takedowns. GitHub repos started disappearing. Some complied quickly. Others reappeared under different names, or moved platforms.
  3. Decentralized persistence. Copies showed up on Gitlawb, a decentralized git platform. And once something is in that kind of infrastructure, takedowns get… messy. There is no single “delete button” that works.

That pattern matters. Not as drama, but as reality. For better or worse, decentralized code hosting makes leaks stick.

The second wave: ports, rewrites, “clean room-ish” clones

After mirrors came adaptations.

One of the biggest headlines was Sigrid Jin porting core architecture to Python using a tool called oh my codex. That repo reportedly hit 30k GitHub stars quickly, which tells you the appetite here. People didn’t just want to read the code. They wanted a usable, hackable version they could run and extend in their own stacks.

And then smaller projects followed the same idea:

  • reimplement the agent loop
  • recreate the tool schema and permission prompts
  • replicate the diff based editing approach
  • reproduce the parallel tool call batching
  • build plugins and integrations around the exposed interfaces
  • extract and study the system prompt and behavior defaults

This is where the leak’s real impact landed. Claude Code is not the only agentic coding tool, but it is one of the more mature ones. Getting a blueprint, even a partial one, accelerates everyone else’s iteration.

What the leak revealed about Claude Code’s design

A bunch of details were already suspected by anyone building in this space. Still, seeing them confirmed is different.

Parallel tool calls are a first class feature

Claude Code runs tools in parallel when it can, batching independent operations for speed. That means the agent isn’t strictly doing:

  1. read file
  2. think
  3. run one command
  4. think
  5. edit one file

It can do “read these three files” and “check these two commands” concurrently, then merge the results. Practical upshot is that the system is optimized for workflows where tasks are decomposed into independent chunks.

This also explains why some prompts work better when they explicitly structure independent subtasks. The system can actually exploit that structure.

The agent loop has explicit stop conditions

Agentic systems can get stuck in loops, especially if “done” is fuzzy. Claude Code stops based on a completion signal, an error, or a turn limit. That is not glamorous, but it is one of the key differences between a demo and a product.

There is a quiet design principle here: stop early, stop safely, don’t keep digging.

The bash tool is the heavy lifter

Among Claude Code’s tools, bash is the most capable. It handles file operations, git actions, package management, and multi step workflows. Which is also why it needs the most permission structure around it.

The leak reinforced that Claude Code is basically a careful shell operator with an LLM brain attached. Not a magical IDE. It does real work by running real commands.

File editing uses a diff based, string replacement style

Instead of rewriting full files all the time, the toolchain emphasizes diffs and targeted replacements. That reduces accidental damage. It also fits well with guardrails like “read before edit,” because the system can anchor edits to known text.

You can see the product bias: minimize blast radius, avoid massive rewrites unless necessary.

Git safety defaults: avoid destructive operations

Claude Code avoids destructive git operations by default and prefers reversible actions. Again, not flashy. But it’s a product shaped by incidents. People do not forgive tools that nuke a branch.

So the safe pattern is: create commits, use branches, avoid force pushes, avoid rewriting history, keep changes inspectable.

CLAUDE.md as a first class project primitive

One of the most interesting exposed design choices is that CLAUDE.md files are treated as first class features, not just “documentation.”

They sit at the project root and encode:

  • conventions and style rules
  • tech stack details
  • preferred libraries
  • common commands
  • repo specific constraints
  • how to run tests, linting, build steps
  • any “don’t do this” landmines

It is basically a persistent alignment layer for the agent, and also for humans. The point is consistency across contributors and across sessions, so the assistant doesn’t relearn the same project rules every time.

This is also a bigger hint about where agentic coding is going. Less reliance on ad hoc prompting. More reliance on repo native configuration and memory.

Hidden subsystems and feature flags: what they suggest

The leak reportedly exposed 44 hidden feature flags. Feature flags are how products ship experiments safely, or at least, less dangerously. They also reveal what the team is thinking about next.

Two leaked internal projects got a lot of attention:

  • Kairos: described as a background daemon for memory logs. That suggests a persistent “memory” layer, likely capturing events, summaries, or context to improve continuity.
  • Buddy: described as a Tamagotchi style AI pet. More playful, but also not random. Many dev tools are trying to make assistants feel present, ambient, and sticky.

And then there was Undercover Mode, a subsystem intended to prevent the AI from leaking internal codenames. That’s kind of hilarious, but it is also very real. If internal identifiers show up in outputs, it leaks roadmap and internal projects. So you build a filter. Or a separate prompt layer. Or a naming sanitizer.

All of these point to a product evolving beyond “answer questions” and into “be a long running coworker process,” with memory, personalization, and internal secrecy boundaries.

Anthropic’s response: takedowns, and then a semi open release

Anthropic issued DMCA takedowns against GitHub mirrors. That was the expected corporate move, and it worked partially. It also didn’t work, because mirrors are hydra heads and decentralized git is basically designed to resist central deletion.

More interesting is what happened after: Anthropic published an npm package, @anthropic-ai/claude-code, with minimally obfuscated source code.

That changed the narrative a bit. It didn’t “undo” the leak, but it did shift the center of gravity toward an official artifact. At the same time, developers still decompiled and circulated the earlier versions, and dug into system prompts and tool logic.

So now there are effectively two parallel worlds:

  • unofficial leaked artifacts and forks
  • official packages that reveal some internals anyway, just in a controlled way

A big part of the debate after the leak was legal, not technical.

Add another layer: the legal status of AI generated work and copyright claims is still unclear in many jurisdictions. If portions of the code were generated with AI assistance, does that change authorship or enforcement. Maybe, maybe not, depending on what exactly was generated, how much human control existed, and what country you’re in. But it absolutely fuels arguments.

Practically, most serious companies will avoid directly using leaked code. Even if it’s technically possible. The compliance risk is not worth it. But studying patterns, reimplementing ideas, writing “inspired by” systems. That’s harder to police, and easier to justify.

The bigger consequence: a blueprint for agentic coding products

The long term impact is not that Claude Code became open source. It didn’t.

The impact is that the leak showed, in concrete terms, how an LLM coding agent is structured in production:

  • parallel tool execution and batching
  • explicit stop conditions to avoid loops
  • tool permission layers and reversible defaults
  • diff based editing strategies
  • repo resident convention files like CLAUDE.md
  • background memory logging experiments
  • prompt level behavior shaping, including “don’t apologize unnecessarily”
  • subsystems to prevent internal leakage, like Undercover Mode

These are not secrets anymore. Anyone building a competitor can implement the same architecture patterns without copying a line of code. In fact, many already have.

And that’s why the forks and ports mattered. Not as piracy, but as momentum. The leak compressed months of reverse engineering into a few days.

In the end it’s a very modern kind of leak. Not a vault door left open. More like somebody accidentally put the building’s wiring diagram on the front desk for an afternoon. Enough time for everyone to take pictures. Enough time for the whole industry to learn something.

Related posts

Perplexity Computer: The AI That Builds Entire Projects End-to-End

Sarvam Makes 30B and 105B Parameter AI Models Public and Open Source

The 2026 Efficiency Standard: Why Your Inventory Needs an AI-Powered Mobile Brain

Add Comment

This website uses cookies, AI-driven technology, and human editorial oversight to create and refine our content to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More