What they're not telling you: I use Claude Code daily, so when Chaofan Shou noticed earlier today that Anthropic had shipped a .map file alongside their Claude Code npm package, one containing the full, readable source code of the CLI tool, I immediately wanted to look inside. The package has since been pulled, but not before the code was widely mirrored, including by myself, and picked apart on Hacker News. This is Anthropic’s second accidental exposure in a week (the model spec leak was just days ago), and some people on Twitter are starting to wonder if someone inside is doing this on purpose.

The Take
Jordan Calloway · Government Secrets & FOIA

I'm not going to frame this as a government secrets story—because it isn't one, and that's precisely the problem with how we're categorizing corporate security failures these days. Anthropic's Claude Code leak via a source map is a garden-variety developer ops failure. Sloppy. Embarrassing. But let's be clear what it actually is: a company that built AI tooling left debug artifacts in production npm packages. This happens weekly in Silicon Valley. The difference here is the opacity. What *should* trigger investigation is why Anthropic's security posture allowed this. Were there code reviews? Change controls? Or did the move to rapid releases override basic CI/CD hygiene? We don't know because Anthropic—unlike traditional tech vendors—faces minimal disclosure obligations. The real story isn't the leak itself. It's that a company training frontier AI models operates with virtually no external accountability mechanisms. No SOC 2 audits made public. No mandatory security disclosures. No regulatory oversight. This belongs in corporate malfeasance coverage, not government secrets. Conflating the two dilutes what actual classified information leaks look like—and gives Anthropic plausible deniability that this was somehow political rather than operational incompetence.
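
A pre-publish check for the failure described above, as an added example (not code from Anthropic, the leaked source, or the original post): it flags .map files and inline source maps whose sourcesContent embeds original source. The function names, the shape of the `files` input and the sample package contents are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names): `files` maps package-relative path -> file text.
const MAP_COMMENT = /\/[/*]# sourceMappingURL=(\S+)/g;
// Count sources a v3 source map (or index map, via sections[].map) embeds in sourcesContent.
function embeddedSources(mapText) {
  let map = null;
  try { map = JSON.parse(mapText); } catch { return 0; }
  if (map === null || typeof map !== 'object') return 0;
  const maps = Array.isArray(map.sections) ? map.sections.map((s) => (s && s.map) || {}) : [map];
  return maps.reduce((n, m) => n + (Array.isArray(m.sourcesContent)
    ? m.sourcesContent.filter((c) => typeof c === 'string' && c.length > 0).length : 0), 0);
}

// Decode an inline `data:` source map URL (base64 or percent-encoded).
function decodeDataUrl(url) {
  const comma = url.indexOf(','), body = url.slice(comma + 1);
  try {
    return /;base64$/i.test(url.slice(0, comma))
      ? Buffer.from(body, 'base64').toString('utf8') : decodeURIComponent(body);
  } catch { return ''; }
}

// Classify every map file, inline map and map reference among the files to publish.
function auditPackageFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('.map')) {
      findings.push({ path, kind: 'map-file', sources: embeddedSources(text) });
    } else if (/\.([cm]?js|css)$/.test(path)) {
      for (const [, url] of text.matchAll(MAP_COMMENT)) {
        findings.push(url.startsWith('data:')
          ? { path, kind: 'inline-map', sources: embeddedSources(decodeDataUrl(url)) }
          : { path, kind: 'map-reference', sources: 0, target: url });
      }
    }
  }
  return findings;
}
// Publishing should stop when any map (file or inline) carries original source.
const leaksSource = (findings) => findings.filter((f) => f.sources > 0).map((f) => f.path);

// Constructed sample package contents (not taken from any real package).
const embedded = { version: 3, sources: ['../src/main.ts'], mappings: 'AAAA',
  sourcesContent: ['export const internalFlag = true;\n'] };
const sampleFiles = {
  'cli.js': 'run();\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': JSON.stringify(embedded),
  'vendor.js.map': JSON.stringify({ version: 3, sources: ['v.js'], mappings: 'AAAA' }),
  'util.js': 'x();\n//# sourceMappingURL=data:application/json;base64,'
    + Buffer.from(JSON.stringify(embedded)).toString('base64') + '\n',
};
```

In CI, build `files` from the file list that `npm pack --dry-run` reports and fail the job when `leaksSource` returns any path.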

What the Documents Show

Probably not, but it’s a bad look either way. The timing is also hard to ignore: just ten days ago, Anthropic sent legal threats to OpenCode, forcing them to remove built-in Claude authentication because third-party tools were using Claude Code’s internal APIs to access Opus at subscription rates instead of pay-per-token pricing. That whole saga makes some of the findings below more pointed. So I spent my morning reading through the HN comments and leaked source. Here’s what I found, roughly ordered by how “spicy” I thought it was.

🔎 Mainstream angle: The corporate press either ignored this story entirely or buried it in a 3-sentence brief. The framing, when it appeared at all, focused on process rather than impact.

Follow the Money

In claude.ts (lines 301-313), there’s a flag called ANTI_DISTILLATION_CC. When enabled, Claude Code sends anti_distillation: ['fake_tools'] in its API requests. This tells the server to silently inject decoy tool definitions into the system prompt. The idea: if someone is recording Claude Code’s API traffic to train a competing model, the fake tools pollute that training data. It’s gated behind a GrowthBook feature flag (tengu_anti_distill_fake_tool_injection) and only active for first-party CLI sessions. This was one of the first things people noticed in the HN thread.

What Else We Know

Whether you see this as smart defensive engineering or anti-competitive behavior probably depends on which side of the distillation debate you’re on. There’s also a second anti-distillation mechanism in betas.ts (lines 279-298): server-side connector-text summarization. When enabled, the API buffers the assistant’s text between tool calls, summarizes it, and returns the summary with a cryptographic signature. On subsequent turns, the original text can be restored from the signature. If you’re recording API traffic, you only get the summaries, not the full reasoning chain. How hard would it be to work around these?


Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.