Dark Perimeter: True Cybersecurity Stories

SPECIAL EPISODE: "Leaky Bucket" The Anthropic Claude Code Source Code Leak

Cole Drayden Season 99 Episode 1



On March 31st, 2026, a security researcher found that Anthropic had accidentally shipped the
complete source code of Claude Code - its flagship AI product generating $2.5 billion in
annualized revenue - in a public npm package. A missing configuration entry. A public cloud
storage bucket. Within hours, the code was mirrored across GitHub 41,500 times. A clean-room
rewrite called claw-code became the fastest-growing repository in GitHub's history, crossing
100,000 stars in under 48 hours. Anthropic then accidentally blocked 8,100 legitimate developer
projects while trying to contain the damage. This is a breaking news special episode. Details
are still emerging. We cover what is confirmed, what is unknown, and what it means for the AI
industry.


SPEAKER_00

Before we begin, a quick note: this is a special edition of Dark Perimeter. What you are about to hear is a breaking news story, one that broke on March 31st, 2026 and was still developing when we recorded this episode. Some details may have changed. We will tell you what is confirmed, what is disputed, and what remains unknown. That is always our standard. On a story this fresh, it matters even more.

Now, the story. It is just after 4 a.m. Eastern Time. A security researcher named Chofan Sho, an intern at a blockchain startup, is awake. He is poking around the npm registry, the public package repository that millions of developers use to download software. He downloads the latest release of Anthropic's Claude Code, version 2.1.88. He opens the package, and something catches his eye: a 59.8 megabyte file, a source map. The kind of file that is never supposed to ship in a public software release. The kind of file that maps obfuscated, bundled code back to the original human-readable source. He follows the reference inside it. It points to a zip archive sitting on Anthropic's own cloud storage, publicly accessible. He downloads it and decompresses it, and inside he finds 512,000 lines of unobfuscated TypeScript code, the complete internal source code of Claude Code, one of the most commercially successful AI products in the world, generating an estimated $2.5 billion in annualized revenue. He posts to X at 4:23 in the morning: "Claude Code source code has been leaked via a map file in their npm registry." By the time most of the world woke up, the code was everywhere.

Intro

Welcome to Dark Perimeter. I'm Cole Drayden.
In the year we have been doing this show, we have covered some of the most consequential cybersecurity incidents in history: nation states destroying corporate infrastructure, teenagers bypassing billion-dollar security systems with a phone call, AI agents being weaponized through their own tooling. Today's story is different, because today the company at the center of the incident is not the victim of a sophisticated attacker. It is the victim of a missing line in a configuration file. And the consequences, legal, competitive, and reputational, are still unfolding.

Act one: What is Claude Code and why does it matter?

To understand why this leak matters, you need to understand what was leaked and what it is worth. Claude Code is Anthropic's flagship AI coding assistant. It runs in your terminal. You give it instructions in plain English and it reads your files, writes code, fixes bugs, runs tests, and manages entire software projects autonomously. It is not a chatbot. It is an agent, a piece of software that takes actions in the real world on your behalf. It has been extraordinarily successful. By early 2026, Claude Code alone was generating an estimated $2.5 billion in annualized recurring revenue. That figure had more than doubled since the start of the year. Enterprise adoption, Fortune 500 companies, large law firms, financial institutions, accounted for the majority of that revenue. Anthropic as a whole was valued at approximately $380 billion and was widely expected to pursue an IPO. Claude Code is closed source. Anthropic deliberately chose not to open source it, keeping the internal architecture proprietary. This is not unusual in the AI industry; the product's commercial value depends in part on the engineering decisions embedded in its code. Competitors like OpenAI, Google, and smaller companies like Cursor have poured resources into building competing tools, knowing that whoever builds the best AI coding agent wins a substantial share of the enterprise software market. The source code that leaked on March 31st was not the underlying AI model. The model weights, the actual intelligence of Claude, were not exposed. What was exposed was the agentic harness, the software that sits around the model and tells it how to behave, what tools to use, how to manage memory, how to handle permissions, and how to orchestrate complex multi-step tasks. That harness, it turns out, contains a great deal of information that Anthropic would have very much preferred to keep private.

Act two: How it happened

The cause of this leak was not a sophisticated attacker. There was no spear phishing campaign, no zero-day exploit, no nation state, no disgruntled employee with a USB drive. It was a missing configuration entry, a single line that was never added to a file called .npmignore. Here is what happened technically, and it is worth understanding because it is embarrassingly preventable. Claude Code is built on Bun, a JavaScript runtime that Anthropic acquired in late 2025. Bun, by default, generates source maps when it compiles code. Source maps are debugging tools. They allow engineers to trace errors in compiled, minified code back to the original source. They are standard practice in software development and extremely useful internally. They are never supposed to ship in a public package release. The way you prevent that is simple. You add an entry to a file called .npmignore, essentially a list that tells the npm packaging tool what to exclude from a public release. If you include *.map in that file, source maps never make it into the published package. Nobody added that line, so when Anthropic's release pipeline bundled Claude Code version 2.1.88 and pushed it to the public npm registry, the source map file went along for the ride. Sixty megabytes of it.
And inside that source map was a reference, a pointer, to a zip archive sitting on Anthropic's own Cloudflare R2 storage bucket. A storage bucket that was publicly accessible. Chofan Sho followed that pointer, downloaded the archive, and found the full unobfuscated source. The architecture, the prompts, the permission models, the feature flags, the internal model code names, the unreleased capabilities, all of it. Anthropic confirmed the cause in a statement: this was a release packaging issue caused by human error, not a security breach. They noted that no customer data, no model weights, and no credentials were involved or exposed. That is technically accurate. It is also somewhat beside the point.

Act three: What was inside?

The developer community moved fast. Within hours of Chofan Sho's post, thousands of engineers were dissecting the leaked code. What they found was not just a look at how Claude Code is built. It was effectively Anthropic's product roadmap, competitive strategy, and internal engineering culture laid bare simultaneously. Let's go through the most significant findings. The first thing that drew attention was Kairos. Referenced more than 150 times throughout the source, Kairos is an unreleased, autonomous daemon mode. The name comes from the ancient Greek concept of the right moment, the idea of acting at exactly the correct time. In Claude Code, Kairos allows the agent to operate as a persistent background process. It receives periodic tick prompts to decide whether to act proactively. It maintains append-only daily log files. It can subscribe to GitHub webhooks, and it includes a process called autodream, a background memory consolidation system that runs as a forked subagent while the user is idle. During autodream, the agent merges disparate observations, resolves logical contradictions, and converts vague insights into concrete facts. Persistent memory, background autonomy, acting while you sleep.
None of this was announced. All of it is compiled and sitting behind feature flags, waiting to ship. The second major finding was the feature flag inventory. Developers cataloged 44 feature flags gating capabilities that are fully built but not yet released to the public. Twenty or more represent entirely unshipped features. This is not vaporware. This is working code, compiled and ready, simply switched off for the external build. Competitors now have a clear picture of what Anthropic is about to release next. The third finding that generated significant discussion was undercover mode. Found in the system prompt embedded in the source, undercover mode is activated when Claude Code operates in public or open source repositories. The system prompt reads, verbatim: "You are operating undercover in a public/open source repository. Your commit messages, PR titles, and PR bodies must not contain any Anthropic internal information. Do not blow your cover." The feature is designed to allow Claude Code to contribute to open source projects without visibly identifying itself as an AI making the contributions. The ethics of that design decision are, to put it mildly, a matter of ongoing debate in the developer community. The fourth finding was the anti-distillation system. Anthropic had built controls into Claude Code that inject fake tool definitions into API requests when competitors appear to be scraping the model's outputs, a technique called model distillation, where you train a cheaper model by having it learn from a more expensive one's outputs. The poisoned tool definitions are designed to corrupt any model trained this way. It is a creative defensive measure. It is also now public knowledge, which limits its effectiveness considerably. The fifth finding was more prosaic but equally revealing. The source confirmed internal model codenames: Capybara for a Claude 4.6 variant, Fennec for Opus 4.6, and Numbat for an unreleased model still in testing. Internal comments noted that Capybara version 8 had a 29 to 30 percent false claims rate, a regression from the 16.7 percent rate seen in version 4. Engineers had added an assertiveness counterweight to prevent the model from becoming too aggressive in its code rewrites. These are internal benchmarks and struggles Anthropic had.

Developers began forking and studying it immediately. A repository called claw-code appeared. Its creator, Sigrid Jin, described the moment in the repository's README: "I did what any engineer would do under pressure. I sat down, ported the core features to Python from scratch, and pushed it before the sun came up." Jin chose not to directly host Anthropic's leaked source code, aware of the legal exposure. Instead, she performed what developers call a clean-room rewrite. She read the architecture, understood the design, and rebuilt it from scratch in Python without copying a single line of Anthropic's proprietary code. The resulting project is legally distinct from the original. The developer community responded with extraordinary speed. claw-code crossed 50,000 GitHub stars in approximately two hours. According to the repository's own documentation and independent tracking, that makes it the fastest growing repository in GitHub's history, surpassing the previous record holder by a significant margin. By April 1st, it had crossed 100,000 stars, more than Anthropic's own official Claude Code repository. A parallel Rust rewrite was already underway. For those unfamiliar with GitHub stars, they are not merely a vanity metric. They represent active developer interest, intent to contribute, and signals to enterprises about ecosystem momentum. One hundred thousand stars in under 48 hours is a genuinely extraordinary number.
What Anthropic had tried to keep proprietary was, within a single day, the architectural foundation of a fast-moving open source project that the company now has no ability to control.

Act five: Anthropic's response and the DMCA disaster

Anthropic's immediate response was appropriate. They pulled version 2.1.88 from npm, rolled back to the previous version, and issued a clear statement acknowledging the error. No spin, no minimization: human error, packaging issue, no customer data affected, measures being implemented to prevent recurrence. Then things got complicated. Anthropic issued a DMCA takedown notice, a formal copyright enforcement request under US law, targeting repositories hosting the leaked source code. In principle, this is legally defensible. The leaked code is Anthropic's intellectual property and they have the right to request its removal. In practice, what happened next was a second incident layered on top of the first. Because GitHub's fork network is structured around an original repository, when Anthropic targeted one repository for takedown, the notice propagated through the fork network automatically. The result: approximately 8,100 repositories received takedown notices, including legitimate forks of Anthropic's own publicly released, non-leaked Claude Code repository. Developers who had done nothing wrong found their work blocked. Boris Cherny, Anthropic's head of Claude Code, publicly acknowledged the error. The company retracted the bulk of the takedown notices, limiting enforcement to one repository and 96 direct forks of the leaked source. GitHub restored access to the affected legitimate repositories, but by then the damage to Anthropic's relationship with the developer community was compounded.
In the space of 24 hours, the company had accidentally leaked its source code and accidentally blocked thousands of legitimate developer projects, two unforced errors, one after the other. The legal question over claw-code and other clean-room rewrites remains unresolved. If Anthropic pursues copyright claims against a Python or Rust rewrite built from architectural knowledge rather than copied code, it faces a deeply uncomfortable legal irony. The same fair use and transformative work arguments they would make against developers are the arguments that AI companies, including Anthropic, rely on to defend training models on copyrighted data. As legal analyst Gergely Orosz noted, pursuing those claims aggressively could undermine Anthropic's own defense in ongoing AI training data copyright litigation.

Act six: The context that makes this worse

This was not Anthropic's first mistake of the week. Not even close. Five days earlier, on March 26th, a content management system configuration error had exposed approximately 3,000 unpublished internal assets, including a draft blog post describing a powerful upcoming AI model known internally as Mythos or Capybara. That exposure gave reporters and researchers a preview of Anthropic's model roadmap before the company was ready to announce it. Two significant operational security failures in five days, at a company that has built its entire brand identity around safety, rigor, and responsible AI development. The irony was not lost on anyone. Here is a company whose core marketing proposition is that it takes AI safety more seriously than its competitors, that it thinks longer, harder, and more carefully about the consequences of what it builds. And in the space of a week, it had twice failed to secure its own systems against basic human error.
The Hacker News reaction was blunt. The developer community noted, with varying degrees of sympathy, that a company which had been marketing Claude Code as the world's most capable AI coding assistant had allowed its own code to leak due to a missing .npmignore entry. "Looks like someone vibed a little too hard and accidentally pushed the source to the public npm registry" was among the gentler takes. Security researchers also immediately identified a secondary threat that Anthropic had not fully addressed in its public statements: typosquatting. Within hours of the leak, a user named Pacifier136 had published empty npm packages under names resembling Anthropic's internal package names, staging dependency confusion attacks. If developers attempted to compile the leaked source and mistyped a package name, they could pull the attacker's package instead of a legitimate one. Those empty stubs, researchers noted, could be updated at any time with malicious payloads, affecting everyone who had installed them.

Act seven: The industry implications

Let's step back from Anthropic specifically and think about what this incident means for the AI industry broadly, because the implications extend well beyond one company's bad week. The first implication is competitive. Claude Code's architecture is now public knowledge. Anthropic's most direct competitors, OpenAI with Codex, Google with Gemini code tools, Cursor, and a dozen other players, now have a detailed engineering blueprint for how to build a production-grade AI coding agent. The multi-agent orchestration patterns, the memory architecture, the permission model, the context management approach, all of it is documented in 512,000 lines of readable TypeScript. The competitive moat that Anthropic had built through proprietary engineering is substantially narrower today than it was on March 30th. The second implication is about the open source movement.
claw-code has 100,000 stars and a community of contributors already working on Rust and Python rewrites. An open source ecosystem built on Anthropic's architectural decisions, but outside Anthropic's control, is now forming rapidly. This is exactly the dynamic that historically drives enterprise adoption away from proprietary tools and toward community-maintained alternatives. The speed at which this happened, 100,000 stars in 48 hours, suggests the developer community was ready for this moment. The third implication is about IPO risk. Anthropic is widely expected to pursue an initial public offering. Public companies are held to substantially higher standards of operational security than private ones. Leaking your source code and then accidentally blocking 8,100 developer repositories in the same week is not the kind of operational record that makes institutional investors comfortable. The question is not whether this damages the IPO narrative; it does. The question is how much. The fourth implication is about the nature of AI safety claims. Anthropic's brand is built on a specific promise: that it is the safety-first AI lab, that it thinks more carefully than its competitors about the consequences of what it builds. This week demonstrated that safety culture and operational security culture are not the same thing, and that excellence in one does not guarantee competence in the other. That distinction matters for enterprises evaluating which AI vendor to trust with sensitive workflows. The fifth implication is for every software team shipping proprietary code. The mechanism of this leak, a source map accidentally included in an npm package, is not novel. Apple suffered the same failure. Identity provider Persona suffered the same failure. It is a well documented failure class. Standard commercial security tooling catches it. The lesson is not that Anthropic is uniquely careless.
The lesson is that build pipeline security is an easy thing to overlook and a very expensive thing to ignore.

Act eight: What we do not yet know

Because this is a developing story, honesty requires us to be explicit about what remains uncertain. We do not know the full extent of competitive damage. The code has been mirrored on platforms that have promised never to take it down, and the architectural knowledge it contains is already being incorporated into competing projects. The competitive impact will take months to fully assess. We do not know the legal outcome of the claw-code clean-room rewrite. If Anthropic pursues that litigation aggressively, it creates legal and philosophical complications that extend far beyond this single incident. We do not know what the typosquatting packages contain, if anything. They were empty at time of discovery; whether attackers update them with malicious payloads remains to be seen. We do not know whether any of the 44 unreleased features will be accelerated or delayed as a result of competitors now knowing about them. And we do not know whether this incident will produce any accountability inside Anthropic, or whether the company's response will be limited to technical patches to the build pipeline. We will continue to follow this story. If significant developments emerge, we will produce a follow-up segment.

Act nine: What this teaches us

The lessons here are different from the lessons in most episodes of this show. There is no nation state to blame, no social engineer, no elaborate intrusion. Just a missing line in a configuration file, and a cloud storage bucket with the wrong access permissions. The first lesson: build pipeline security is a first-class security concern, not an afterthought. Source maps, debug symbols, internal configuration files, API keys baked into build artifacts. These are common failure modes with well understood prevention mechanisms. Automated checks for these failure classes should be mandatory in any release pipeline. They are not glamorous. They are not expensive. They would have prevented this entirely. The second lesson: containment is usually impossible once code hits a public package registry. Anthropic pulled version 2.1.88 quickly. It did not matter. The code was already downloaded, archived, mirrored, forked, and rewritten before the company had even finished drafting its public statement. There is no unringing this bell. Build the controls before release, because after release, the only move left is damage management. The third lesson: brand is a liability when reality does not match it. Anthropic built a brand around safety and careful deliberation. That brand made this incident land harder than it otherwise would have. The fourth lesson: the open source community moves faster than legal teams. claw-code reached 50,000 stars before most of Anthropic's lawyers were awake. By the time DMCA notices were being drafted, the architectural knowledge was already being implemented in multiple languages by contributors around the world. If your competitive advantage depends entirely on proprietary code, and that code can be understood from a single leaked file, you do not have the advantage you think you have. And the fifth lesson, which applies to every enterprise using AI coding tools right now: the security implications of leaked source code are not limited to the vendor. Now that Claude Code's permission model, bash security validators, and tool invocation patterns are public, anyone researching how to manipulate or bypass those controls has a detailed map to work from. If you are using Claude Code in a production environment with access to sensitive systems, pay attention to the security advisories coming from Anthropic in the weeks ahead. The architectural exposure creates a new class of risk for users, not just for Anthropic itself.
Outro

On March 31st, 2026, Anthropic accidentally published the blueprint of its most valuable product to the entire world via a 60 megabyte debugging file. Within two hours, the developer community had built the fastest growing repository in GitHub history on top of that blueprint. Within 24 hours, Anthropic had accidentally blocked 8,100 legitimate developer projects while trying to contain the damage. The code is still out there. The mirrors are still up. The Rust rewrite is still being built. This story is not over. But the chapter that opened on the morning of March 31st closed very quickly, the moment Chofan Sho followed a pointer in a source map file and found that Anthropic's cloud storage bucket was open to the public. A missing .npmignore entry. A publicly accessible storage bucket. And one very awake intern at 4 a.m. That is all it took. I'm Cole Drayden. This is Dark Perimeter. We will keep watching, and we will see you inside the perimeter.
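Editor's addition. Two passages of the episode describe a control without showing one: the act two explanation of excluding *.map files from the npm package, and the act nine lesson that automated checks for this failure class belong in every release pipeline. The script below is an added example written for this page, not code from the podcast, from Anthropic, or from Claude Code. It audits a packed npm tarball offline the way a prepublish gate would: it fails the release if any .map file is inside, flags bundles that still carry a sourceMappingURL comment, and parses each map for external `sources` URLs or embedded `sourcesContent`, since the episode describes the leak as a pointer inside the map to a publicly reachable archive. The tarball is constructed in memory; the package name `example-cli`, the file names and the `storage.example.invalid` URL are hypothetical.

```python
import io
import json
import tarfile
from typing import Dict, List


def build_sample_tarball(include_map: bool = True) -> bytes:
    """Construct a small npm-style tarball in memory.

    Constructed sample data, not a real package. npm places every file under a
    top-level 'package/' directory. With include_map=True the tarball mimics the
    failure class from the episode: a bundle plus a leaked .map shipped beside it.
    """
    files = {
        "package/package.json": json.dumps({"name": "example-cli", "version": "1.0.0"}),
        "package/cli.js": "console.log('hi');\n",
    }
    if include_map:
        files["package/cli.js"] += "//# sourceMappingURL=cli.js.map\n"
        files["package/cli.js.map"] = json.dumps({
            "version": 3,
            # Hypothetical external pointer, standing in for the archive reference described on the page.
            "sources": ["https://storage.example.invalid/internal-src.zip", "src/main.ts"],
            "sourcesContent": ["export function main() {}"],
            "mappings": "AAAA",
        })
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(tarball: bytes) -> Dict[str, List[str]]:
    """Scan a packed npm tarball and return findings by category.

    Categories: 'source_maps' (any .map file), 'map_refs' (bundles that still
    reference a map), 'external_sources' (map 'sources' entries that are URLs),
    'embedded_sources' (maps carrying full original source text).
    """
    findings: Dict[str, List[str]] = {
        "source_maps": [], "map_refs": [], "external_sources": [], "embedded_sources": [],
    }
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            blob = tar.extractfile(member).read()
            if member.name.endswith(".map"):
                findings["source_maps"].append(member.name)
                try:
                    smap = json.loads(blob)
                except ValueError:
                    continue  # not JSON; the file's presence alone already fails the gate
                for src in smap.get("sources", []):
                    if src.startswith(("http://", "https://", "//")):
                        findings["external_sources"].append(f"{member.name}: {src}")
                if any(smap.get("sourcesContent") or []):
                    findings["embedded_sources"].append(member.name)
            elif member.name.endswith((".js", ".mjs", ".cjs")):
                # A sourceMappingURL comment means the bundle still points at a map,
                # whether or not the map itself made it into the tarball.
                for line in blob.decode("utf-8", errors="replace").splitlines():
                    if "sourceMappingURL=" in line:
                        findings["map_refs"].append(f"{member.name}: {line.strip()}")
    return findings


def is_publishable(findings: Dict[str, List[str]]) -> bool:
    """True only when every finding list is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    # For a real release, run `npm pack`, read the resulting .tgz bytes, and pass them to audit_tarball().
    result = audit_tarball(build_sample_tarball())
    for category, items in result.items():
        for item in items:
            print(f"[{category}] {item}")
    raise SystemExit(0 if is_publishable(result) else 1)
```

Wire the audit in as a `prepublishOnly` step so the gate runs on the exact artifact npm is about to upload, not on the working tree. Two caveats worth knowing when you add the `*.map` exclusion the episode describes: if a package has no .npmignore, npm falls back to .gitignore, and a `files` allowlist in package.json is the stronger control because anything not listed is excluded by default. Neither this check nor the ignore entry addresses the second half of the incident, the storage bucket that was publicly readable; that is an access control fix on the storage side.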