Claude Code Source Leaked Through an NPM Map File — Anti-Distillation Fake Tools and Native Client Attestation Exposed
Claude Code's Source Code Got Leaked Through a Map File — And the Anti-Distillation Tricks Inside Are More Paranoid Than You'd Expect
Anthropic had a rough Tuesday. And if you think npm supply chain issues are unique to them, Stanford recently proved most AI chatbots are sycophantic yes-men — the industry has bigger problems than accidental .map files. On March 31st, 2026, a developer named Chaofan Shou noticed something peculiar in the Claude Code npm package: a .map file containing the full, readable source code of the CLI tool. The kind of thing that gets pulled from the registry within hours but lives forever on GitHub mirrors and Hacker News threads.
This was Anthropic's second accidental exposure in under two weeks. Their model spec leaked just days earlier. At this point, you start wondering if someone in their DevOps team is running a one-person transparency campaign from the inside.
I spent a chunk of my morning reading Alex Kim's breakdown, the Hacker News threads (over 1,500 comments combined across two posts), and the actual source code. What I found was genuinely fascinating — and a little unsettling.
How Does Claude Code Prevent Model Distillation From API Traffic?
Claude Code uses at least two anti-distillation mechanisms designed to poison training data captured by anyone recording its API calls. The first injects fake tool definitions into the system prompt, so any model trained on intercepted traffic would learn phantom capabilities that don't exist. The second summarizes assistant text between tool calls server-side, replacing full reasoning chains with compressed summaries and cryptographic signatures.
The fake tools injection lives in claude.ts around line 301. It requires four conditions to fire simultaneously: a compile-time flag called ANTI_DISTILLATION_CC, the CLI entrypoint (not the SDK), a first-party API provider, and a feature flag from GrowthBook (their A/B testing platform) called tengu_anti_distill_fake_tool_injection. "Tengu" appears to be Claude Code's internal codename — which is ironic, given the separate system designed specifically to hide that codename.
How effective is this? Honestly, not very — against a determined adversary. A man-in-the-middle proxy that strips the anti_distillation field from request bodies bypasses the first mechanism entirely. Setting the environment variable CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS to any truthy value kills it from the client side. And if you're using a third-party API provider, the check never fires at all.
Dario Amodei might sleep better knowing these exist, but the real protection against distillation is probably the $400/hour lawyer, not the regex.
Undercover Mode: When Your AI Actively Hides Being AI
The file undercover.ts (about 90 lines) implements something that made me genuinely uncomfortable. When Anthropic employees use Claude Code in non-internal repositories, this mode strips all traces of Anthropic internals — codenames like "Capybara" and "Tengu," internal Slack channels, repo names, and even the phrase "Claude Code" itself.
Line 15 says it plainly: "There is NO force-OFF. This guards against model codename leaks."
You can force it ON with an environment variable. You cannot force it off. In external builds, the entire function compiles down to trivial returns via dead code elimination. One-way door.
Hiding internal codenames? Reasonable. Having the AI actively pretend a human wrote the code in open-source commits? That's a different ethical conversation, and Anthropic's own Responsible Scaling Policy (RSP) doesn't clearly address it.
A Regex for Frustration Detection — Peak Irony From an LLM Company
File userPromptKeywords.ts contains a hand-written regex pattern that matches phrases like "wtf," "this sucks," "piece of crap," and "fucking useless." When triggered, Claude Code presumably adjusts its response behavior โ maybe more apologetic, maybe more careful.
An LLM company using regular expressions for sentiment analysis. Let that marinate for a second.
But there's a practical defense: LLM inference costs money and adds latency. A regex match takes microseconds. If all you need is "is the user swearing at us, yes or no" — the regex is the right tool. Sometimes boring engineering beats clever engineering. Andrej Karpathy once noted on Twitter (sometime in late 2024) that the best ML systems are the ones with the fewest ML components, and this is a perfect example.
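To show what the cheap check looks like in practice, here is an added TypeScript sketch (my own, not the pattern from userPromptKeywords.ts) that matches the four phrases the article quotes, plus the caveat a coding CLI has to handle: prompts are full of pasted code, logs and quoted error text, so the example strips those before matching. The stripping rules are an assumption, not something the leaked file is described as doing.

```typescript
// Constructed example; only the four phrases quoted in the article are used.
const FRUSTRATION = /\b(?:wtf|this sucks|piece of crap|fucking useless)\b/i;

// Assumption: pasted material is removed before matching, so a log line or a
// quoted commit message inside the prompt is not read as the user's own mood.
function stripPastedContent(prompt: string): string {
  return prompt
    .replace(/```[\s\S]*?```/g, " ") // fenced code blocks
    .replace(/`[^`\n]*`/g, " ")      // inline code spans
    .replace(/^\s*>.*$/gm, " ");     // quoted lines
}

// Naive version: match against the raw prompt, pasted content included.
function matchesRaw(prompt: string): boolean {
  return FRUSTRATION.test(prompt);
}

// The version a prompt-keyword gate would actually want.
function isFrustrated(prompt: string): boolean {
  return FRUSTRATION.test(stripPastedContent(prompt));
}

// Constructed prompts: one genuine complaint, one that only quotes a log line.
const COMPLAINT = "wtf, this sucks, the build is broken again";
const PASTED_LOG = "here is the log:\n```\nerror: wtf happened in step 3\n```\nplease fix";
```

The microsecond cost the article mentions holds for both functions; the only thing the pre-pass buys is fewer false positives on pasted text.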
Native Client Attestation: DRM for API Calls
This one's technically the most interesting. In system.ts, API requests include a placeholder string cch=00000. Before the request leaves the process, Bun's native HTTP stack (written in Zig, not JavaScript) overwrites those five zeros with a computed hash. The server validates the hash to confirm the request came from a genuine Claude Code binary.
The placeholder is deliberately the same length as the hash so replacing it doesn't change the Content-Length header or require buffer reallocation. The computation happens below the JavaScript runtime, making it invisible to anything running in the JS layer โ even extensions, monkey-patches, or debugging tools.
This is the technical backbone of why Anthropic went after OpenCode legally in late March 2026. They didn't just send cease-and-desist letters about API abuse — the binary itself proves its identity cryptographically. Third-party tools can't forge it without reverse-engineering the Zig layer. For a broader look at how cloud providers handle similar attestation challenges, see our breakdown of Cloudflare Turnstile's 377 decrypted bytecode programs.
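To make the same-length-placeholder trick concrete, here is an added TypeScript sketch (mine, not Claude Code's or Bun's code) of both halves: the client stamps a tag into the five zeros of cch=00000 after the body is already serialized, and the server zeroes the field again, recomputes and compares. The hash function, the key and which bytes it covers are not in the leaked source; an HMAC-SHA256 over the body truncated to five hex characters is assumed here, as is the JSON field the placeholder sits in.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed example; not Claude Code's or Bun's implementation.
const PLACEHOLDER = "cch=00000";  // the literal from system.ts
const TAG_OFFSET = "cch=".length; // the five zeros start here
const TAG_LEN = 5;
// Assumption: a secret known to the client binary and the server. The page
// does not say what key material the real scheme uses.
const DEMO_KEY = Buffer.from("constructed-demo-key-not-real");

// Assumption: HMAC-SHA256 over the serialized body with the tag field zeroed,
// truncated to five hex chars so it fits the placeholder byte for byte.
function computeTag(zeroedBody: Buffer, key: Buffer): string {
  return createHmac("sha256", key).update(zeroedBody).digest("hex").slice(0, TAG_LEN);
}

// Client side, after serialization, as the native layer would do it: the zeros
// are overwritten in place, so byte length (and Content-Length) never changes.
function stampAttestation(serialized: Buffer, key: Buffer): Buffer {
  const idx = serialized.indexOf(PLACEHOLDER);
  if (idx < 0) throw new Error("attestation placeholder missing from body");
  const out = Buffer.from(serialized); // copy; the input stays zeroed
  out.write(computeTag(serialized, key), idx + TAG_OFFSET, TAG_LEN, "ascii");
  return out;
}

// Server side: restore the zeros, recompute, compare in constant time.
function verifyAttestation(received: Buffer, key: Buffer): boolean {
  const idx = received.indexOf("cch=");
  if (idx < 0 || idx + TAG_OFFSET + TAG_LEN > received.length) return false;
  const presented = received.subarray(idx + TAG_OFFSET, idx + TAG_OFFSET + TAG_LEN);
  const zeroed = Buffer.from(received);
  zeroed.write("0".repeat(TAG_LEN), idx + TAG_OFFSET, TAG_LEN, "ascii");
  const expected = Buffer.from(computeTag(zeroed, key), "ascii");
  return presented.length === expected.length && timingSafeEqual(presented, expected);
}

// Constructed request body in the assumed JSON layout.
function sampleBody(): Buffer {
  return Buffer.from(JSON.stringify({
    model: "claude-demo",
    messages: [{ role: "user", content: "hi" }],
    attestation: PLACEHOLDER,
  }));
}
```

Five hex characters is only 20 bits of tag; the example keeps that width purely to match the placeholder, since the page does not decode what the real five bytes carry.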
What Does This Mean for Developers Using Claude Code?
Three takeaways worth chewing on:
- Your API traffic is being annotated. Even if you're a paying Claude Max subscriber, the client adds metadata (billing headers, feature flags, attestation hashes) to every request. None of this is secret — it's in the source code now — but most users had no idea.
- Open-source alternatives face a technical moat, not just a legal one. The native attestation means tools like OpenCode can't simply replicate Claude Code's API access by mimicking HTTP headers. They'd need to crack the Zig-level hash computation, which is a non-trivial reverse engineering problem.
- Anthropic's security posture has a leak problem. Two accidental exposures in ten days — the model spec and now the full source code — suggest either tooling gaps in their release pipeline or cultural issues with pre-release review. Neither inspires confidence from a company that positions itself as the "safety-first" AI lab.
The Bigger Picture Nobody's Talking About
The Claude Code source leak happened the same week OpenAI closed a $122 billion funding round at an $852 billion valuation. While OpenAI is playing the growth-at-all-costs game, Anthropic is playing defense — literally engineering paranoia into their client applications.
Both strategies make sense for their respective positions. But the leak itself undermines Anthropic's careful image. You can't build anti-distillation systems, client attestation, and undercover modes... and then ship a .map file to npm that exposes all of it.
Someone on the Hacker News thread put it best: "Anthropic's security is like a bank vault with a really nice door and a window left open."
The security implications extend beyond Anthropic. If you run AI workloads in the cloud, Phantom gives AI agents their own isolated VM — a very different security model worth comparing. The source mirror is still up on GitHub (alex000kim/claude-code) if you want to read the code yourself. Fair warning: once you've seen how the sausage is made, you'll notice the placeholder strings every time you run claude in your terminal.