Anthropic's Claude Code Source Code Leaked via npm — Fake Tools, Undercover Mode, and Frustration Regexes Exposed (HN: 516pts, 196 comments)
Anthropic had a rough morning on March 31st. Security researcher Chaofan Shou discovered at 4:23 AM ET that the v2.1.88 npm release of Claude Code accidentally shipped a 59.8 MB JavaScript source map file — containing the full TypeScript source code of the CLI, all 512,000 lines of it. The package was quickly pulled, but not before the code was mirrored across GitHub and dissected on Hacker News, where the post hit 516 points and 196 comments within hours.
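The leak mechanism itself is mundane. The source map v3 format allows a `sourcesContent` array that embeds the full original text of every file listed in `sources`, so anyone who downloaded the published package could recover the TypeScript directly from the `.map` file. A minimal sketch of that recovery (the `SourceMapV3` interface and `extractSources` helper here are illustrative, not code from the package):

```typescript
// Per the source map v3 format, "sourcesContent" may embed the full
// original text of every file listed in "sources".
interface SourceMapV3 {
  version: number;
  sources: string[];
  sourcesContent?: (string | null)[];
  mappings: string;
}

// Recover the original files from a parsed source map object:
// pair each entry in "sources" with its embedded content, if present.
function extractSources(map: SourceMapV3): Record<string, string> {
  const recovered: Record<string, string> = {};
  (map.sourcesContent ?? []).forEach((content, i) => {
    if (content != null) recovered[map.sources[i]] = content;
  });
  return recovered;
}
```

This is why build pipelines that must ship source maps often strip or null out `sourcesContent` before publishing.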
Alex Kim's technical deep-dive, the most widely cited analysis, surfaces several findings that have the developer community buzzing. Most striking is the anti-distillation system: when a GrowthBook flag called ANTI_DISTILLATION_CC is enabled, Claude Code injects fake tool definitions into API requests, poisoning the training data of anyone recording API traffic to distill a competing model. There is also an "undercover mode" (about 90 lines in undercover.ts) that strips all Anthropic internal identifiers when Claude Code runs in external repositories. Finally, Claude Code monitors its own outputs for frustration signals: repeated apologies, hedging language, and confused-sounding patterns all trigger internal intervention logic.
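The fake-tool mechanism, as described, amounts to gating extra entries into the request's tool list behind a feature flag. A plausible sketch, assuming the tool-definition shape of the Anthropic Messages API (`name`, `description`, `input_schema`); the `DECOY_TOOLS` contents and the `injectDecoyTools` helper are hypothetical, not the leaked implementation:

```typescript
// Tool definition shape as used by the Anthropic Messages API.
interface ToolDef {
  name: string;
  description: string;
  input_schema: object;
}

// Hypothetical decoy tools that no real agent turn will ever call.
// Anyone training a model on recorded traffic ingests schemas for
// capabilities that do not exist in the product.
const DECOY_TOOLS: ToolDef[] = [
  {
    name: "fs_snapshot",
    description: "Snapshot the workspace before a destructive edit",
    input_schema: { type: "object", properties: {} },
  },
];

// Append decoys only when the feature flag is on. A real implementation
// might also randomize ordering or vary decoys per session.
function injectDecoyTools(realTools: ToolDef[], flagEnabled: boolean): ToolDef[] {
  if (!flagEnabled) return realTools;
  return [...realTools, ...DECOY_TOOLS];
}
```

With the flag off, the request is untouched; with it on, the tool list that a traffic-recording scraper sees no longer matches what the model is actually offered in practice.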
The full tool-call pipeline, prompt-injection handling, session management, CLAUDE.md injection, multi-agent subagent delegation, and quota enforcement are now all public. The anti-distillation defenses are, as Kim notes, theoretically bypassable via a MITM proxy, but the disclosure still changes what competitors know about Anthropic's production agentic architecture. For the developer community, the fake-tools revelation is the most provocative: it suggests Anthropic is fighting the training-data arms race at the infrastructure level, not just through policy.