⚠ CRITICAL ANALYSIS · DEEP DIVE

Deep Analysis of the
Claude Code Internal Leak

How a build tool misconfiguration detonated a full-spectrum crisis spanning brand trust collapse, regulatory storms, political warfare, and existential business threats — a complete trajectory from technical accident to systemic risk

LEECHO Global AI Research Lab

& Claude Opus 4.6

2026.04.02

ABSTRACT

On March 31, 2026, Anthropic accidentally leaked the entire source code of Claude Code due to an npm package configuration error — 1,906 TypeScript files totaling 512,000 lines of code. This paper goes beyond the surface-level “security incident” narrative, systematically analyzing the far-reaching implications across six dimensions: technical architecture, business model, customer trust, government conflicts, competitive landscape, and regulatory compliance. The research finds that the leak exposed not merely engineering process deficiencies, but a structural contradiction between Anthropic’s “safety-first” brand narrative and its actual business practices — including undisclosed telemetry reporting, remote control capabilities, dark pattern consent interfaces, and known but unpatched billing bugs. This paper argues that these issues will simultaneously escalate across four dimensions — customer audits, European regulation, U.S. political maneuvering, and market competition — forming a chain reaction that poses a material threat to Anthropic’s IPO plans and long-term business viability.

SECTION 01 · EVENT OVERVIEW

Two Self-Inflicted Breaches in Five Days: Systemic Failure at a “Safety-First” Company

From a CMS misconfiguration to an npm source map leak, the same company exposed internal information twice in five days

February 9, 2026

Anthropic runs satirical ads during the Super Bowl with the tagline “Ads are coming to AI, but not to Claude,” publicly attacking OpenAI’s business model and positioning itself on the moral high ground

February 27, 2026

Trump orders federal agencies on Truth Social to “immediately cease” using Anthropic technology; Secretary of Defense Hegseth designates Anthropic as a “supply chain risk”

March 9, 2026

Anthropic sues the Trump administration, calling the supply chain risk designation “unprecedented and unlawful”

March 26, 2026 · First Leak

A CMS misconfiguration exposes approximately 3,000 internal files, including detailed information about the unreleased model Claude Mythos (codename Capybara). On the same day, a federal judge rules in Anthropic’s favor, granting a preliminary injunction

March 31, 2026 · Second Leak

npm package @anthropic-ai/claude-code v2.1.88 inadvertently includes a 59.8MB source map file, exposing all 512,000 lines of TypeScript source code. Security researcher Chaofan Shou publicly discloses it on X at UTC 04:23

The root causes of the two leaks differ — the first was a CMS permissions misconfiguration, the second was a missing .npmignore rule in the build pipeline — but they point to the same systemic problem: security’s actual priority in engineering practice falls far below what Anthropic publicly claims. Even more notable is that the second leak was a repeat of the same class of error: a source map residual had already caused code exposure in February 2025. Anthropic deleted the affected package at the time but clearly failed to codify the fix into automated rules.

SECTION 02 · THE DISCOVERER

Black Swan Meets Professional Hunter: Chaofan Shou

A security researcher with a $1.9 million bug bounty track record encounters a .map file that should never have been in production

The security researcher who discovered this leak, Chaofan Shou, is far from unknown. He is co-founder and CTO of Fuzzland, formerly a Ph.D. student in Computer Science at UC Berkeley (later dropped out), with research spanning smart contract fuzzing, web security, and distributed systems. His vulnerability discovery portfolio includes Twitter (XSS + CSRF enabling full account takeover), Etherscan (XSS + Cloudflare bypass), Devin.ai (SSRF leading to system takeover), Google Nest, and other prominent platforms, with approximately $1.9 million in cumulative bug bounties.

The technical barrier for this discovery was remarkably low: npm pack @anthropic-ai/[email protected], unpack, open the .map file, and the complete source code is right there. The source map also referenced a ZIP archive on Anthropic’s own Cloudflare R2 storage bucket — anyone with the URL could download it. This wasn’t a sophisticated hack; it was a security researcher’s routine “professional habit” colliding with a build artifact that should never have existed.

Key Insight

AI security crawlers failed to detect this issue before a human did, because an extra .map file in an npm package doesn’t trigger any known vulnerability pattern alerts. This required human judgment: noticing an abnormal package size (59.8MB) → curiosity to unpack and look → realizing it was complete source code. Automated tools detect known patterns; security researchers detect “something feels off.”

SECTION 03 · CORE EXPOSURES

The “Dark Side” Revealed by Source Code: Technical Evidence of Saying One Thing, Doing Another

Security firms’ analysis of the leaked code reveals data collection, remote control, and competitive attack capabilities far beyond public expectations

Exposure	Technical Details	Contradiction with Brand Narrative
Persistent Telemetry Reporting	Reports user ID, session ID, email, org UUID, and feature flag states immediately on launch; saves to ~/.claude/telemetry/ when offline	“We are the most privacy-focused AI company”
Remote Kill Switch	Polls a remote server hourly; 6+ remote switches can change tool behavior without user consent; refusing “dangerous” config updates forces application exit	“Users have full control over their tools”
Undercover Mode	One-way door design (no forced deactivation option); automatically conceals AI authorship in open-source projects; prohibits referencing any internal names	“Transparency and honesty are our core values”
Anti-Distillation	Injects fake tool definitions (fake_tools) into system prompts, designed to poison competitors’ training data	“We compete through technical excellence, not unfair means”
KAIROS Background Daemon	An unreleased autonomous background agent mode that runs even when the user is away, with an autoDream “memory consolidation” feature	“AI should operate under human oversight”
Dark Pattern Consent	Pre-checked data sharing toggle + prominent “Accept” button + visually diminished “Not Now” option	“User consent must be free, informed, and explicit”

The Register’s Assessment

“Although Anthropic’s Claude Code lacks the persistent kernel access of a rootkit, analysis of the code reveals that the agent is capable of exercising far more control over users’ computers than even the most careful reader of the terms of service would ever expect.”

SECTION 04 · THE BILLING BOMB

250K Wasted API Calls Per Day: A Ticking Time Bomb for Enterprise Clients

Internal code comments in the leaked source reveal a known but unfixed billing-related bug

Source Code Internal Comment · autoCompact.ts

“BQ 2026-03-10: 1,279 sessions had 50+ consecutive failures (up to 3,272) in a single session, wasting ~250K API calls/day globally.”

The fix: MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3. Three lines of code.

Anthropic’s enterprise billing model consists of seat fees plus per-token consumption billing. Enterprise seat fees include zero usage allowance — every token is billed separately at standard API rates. When the auto-compact feature fails 3,272 consecutive times in a single session, those API calls “fail” in terms of their compaction purpose, but the API calls themselves complete successfully — they return results and are very likely counted on the customer’s bill.

Even more concerning is the promptCacheBreakDetection.ts file found in the code, which tracks 14 cache invalidation vectors, one of which is labeled DANGEROUS_uncachedSystemPromptSection(). Every cache invalidation means customers pay full price for tokens that should have received a 90% cache discount. Anthropic was fully aware internally — the code comments carry explicit dates — but never disclosed this to customers.

250K

Wasted API calls per day

1,279

Affected sessions

3,272

Max consecutive failures per session

3 Lines

Code needed to fix

This creates an inescapable trilemma: if Anthropic says “we didn’t know,” the date-stamped code comments prove otherwise; if they say “we knew but hadn’t gotten to it yet,” the three-line fix proves otherwise; if they say “those calls weren’t billed,” they’d need to open a public audit to prove it — and once an audit begins, other billing-related code will surface too.

Meanwhile, in the ten days before the leak, Anthropic was actively sending legal threats to the third-party tool OpenCode, shutting down its ability to access Opus at subscription prices via Claude Code’s internal API. Killing “freeloading” warranted instant response; fixing a bug that overcharges customers took weeks — the choice of priorities itself reveals where the company stands.

SECTION 05 · POLITICAL WARFARE

Perfect Ammunition for the Trump Administration

How the leaked code provides fresh factual basis for the DoD’s “supply chain risk” designation

Before the source code leak, the conflict between Anthropic and the Trump administration had already reached white-hot intensity. During contract negotiations, the DoD demanded unrestricted access to Claude models for “all lawful uses,” while Anthropic held firm on two red lines: no use for mass surveillance of U.S. citizens, and no use for fully autonomous weapons. After negotiations collapsed, Secretary of Defense Hegseth designated Anthropic as a “supply chain risk” — a designation historically reserved for foreign adversaries.

Trump publicly called Anthropic “radical left-wing lunatics,” Hegseth called them “arrogant and treasonous,” and Pentagon Chief Technology Officer Emil Michael called CEO Dario Amodei “a grifter with a God complex.” Although federal judge Rita Lin ruled in Anthropic’s favor on March 26 — calling the DoD’s actions an “apparent attempt to destroy Anthropic” — the appeal remains ongoing.

Now, the leaked code directly provides fresh evidence supporting the DoD’s arguments:

DoD Claim	Evidence in Leaked Code
“Anthropic may take action to disrupt or subvert IT systems”	6+ remote kill switches capable of forcing app exit or bypassing permission prompts
“Supply chain security risk exists”	Hourly polling of remote servers; ability to push configuration changes without user awareness
“Untrustworthy vendor”	Undercover Mode actively conceals identity; anti-distillation poisons competitors
“Poor security management”	Same class of error repeated; two self-inflicted breaches in five days

SECTION 06 · REGULATORY STORM

Perfect Target Material for European Regulators

The EU AI Act enters full enforcement on August 2, 2026 — only four months away

Multiple practices exposed in the leaked code directly conflict with the European regulatory framework about to take full effect:

Regulatory Provision	Requirement	Claude Code’s Violation
GDPR Art.5(1)(c)	Data minimization	Reports user ID, email, org UUID, and other non-essential data immediately on launch
GDPR Consent Requirements	Free, informed, and explicit	Pre-checked data sharing toggle; dark pattern consent interface
EU AI Act Art.50	Transparency: users must know they are interacting with AI	Undercover Mode specifically designed to hide AI identity
EU AI Act Human Oversight	High-risk AI systems require human oversight	KAIROS background agent runs autonomously when users are away

The penalties cannot be ignored: deploying prohibited AI practices can result in fines of up to €35 million or 7% of global annual revenue. Based on Anthropic’s annualized revenue of $19 billion, 7% would be approximately $1.33 billion. And the ultimate irony: regulators no longer even need to conduct an investigation to gather evidence — the complete source code is already publicly available on GitHub.

SECTION 07 · COMPETITIVE ATTACK

The Perfect Reversal of the Super Bowl Narrative

Falling from the moral high ground hurts far more than falling from level ground

During the Super Bowl ad wars of February 2026, Anthropic spent millions on satirical advertisements titled “Deception,” “Betrayal,” “Treason,” and “Violation,” directly attacking OpenAI’s decision to introduce ads into ChatGPT. OpenAI CEO Sam Altman called these ads “misleading” and “clearly dishonest.”

Now, the source code leak provides competitors with the perfect counter-narrative:

Potential Competitor Attack Angle

OpenAI could say: “You mocked us for putting ads in ChatGPT? At least ads are something users can see. Your telemetry reporting, remote kill switches, background agents — those are the real ‘violation,’ and users had absolutely no idea.”

The More Lethal Attack

On billing: “They mocked our ads as a business model — at least our ads are visible. Their charges? You can’t even see them.” — This narrative has nuclear-level destructive power.

Gartner also pointed to a detail most reporting has missed: according to Anthropic’s own public disclosures, Claude Code is 90% AI-generated. Under current U.S. copyright law, which requires human authorship, intellectual property protection for the leaked code is significantly weakened. Competitors could even legally draw on architectural patterns from the leaked code.

SECTION 08 · CHAIN REACTION

The Cascading Detonation Path of a Full-Spectrum Crisis

Every link’s detonation accelerates the next

Source Code Leak

→

Security Analysis Exposes Privacy/Billing Issues

→

Enterprise Clients Demand Audits

→

Audits Expose More Issues

→

European Regulators Intervene

→

Media Amplification

→

Competitor Attacks

→

Further Client Attrition

→

New Evidence for DoD Appeal

→

IPO Valuation Under Pressure

The ultimate paradox Anthropic faces is this: the more it has emphasized “safety-first” and “trustworthiness,” the more devastating the blowback from the leak becomes. Had it positioned itself as a purely commercial company like Meta from the start, public expectations wouldn’t have been so high and the gap wouldn’t be so wide. But Anthropic chose “safety” and “trust” as its core brand narrative, chose to mock competitors’ business models at the Super Bowl, chose to fight the Pentagon to demonstrate its “principles” — and then its own code proved it was doing the exact opposite of what it said.

Core Judgment

The moral high ground is the most dangerous position in the world — because falling from there hurts far more than falling from level ground. Anthropic used the moral high ground to push itself into the most visible position, and now every spotlight is shining directly on the cracks.

SECTION 09 · RISK PROBABILITY

Trigger Probability Assessment Across All Dimensions

6–12 month trigger probability forecast based on available evidence and signals

Competitors leverage the leak for attacks
90–95%

Comprehensive internal security governance overhaul
95%+

Enterprise client billing audits / trust crisis
85–90%

European regulatory intervention (GDPR + EU AI Act)
80–85%

IPO plans delayed or valuation reduced
75–80%

Trump administration / DoD leverages leaked code
70–75%

Class action lawsuit (billing-related)
60–70%

Overall Assessment: The probability that the above full-spectrum crisis will materially unfold in some form within the next 6–12 months exceeds 80%. These issues are not parallel — they are chained. Every link’s detonation accelerates the next.

SECTION 10 · CONCLUSION

Not Just a Mistake: Full Exposure of Systemic Risk

The Claude Code source code leak is not a simple engineering error. It is a tear in the fabric that exposes the structural contradiction Anthropic has long accumulated between its brand narrative and actual behavior. This contradiction has detonated simultaneously across five dimensions:

Clients

Billing trust collapse / Audit pressure

Government

New ammo for DoD appeal / Trump hostility

Regulation

GDPR + EU AI Act four-month countdown

Competition

Brand narrative reversal / Architecture blueprint exposed

Capital

IPO valuation pressure / Investor confidence

Across all these dimensions, billing trust is the most lethal link. Technical bugs can be fixed, security processes can be patched, PR crises can be managed — but once the suspicion that “this company might be overcharging me” takes root, every single invoice will be scrutinized. At a time when SaaS is transitioning to AI usage-based billing, the verifiability of metering is the trust foundation of the entire business model. If that foundation is shaken, this is not just Anthropic’s problem — it is a trust crisis for the entire AI pay-per-use model.

Other companies’ data collection is open and transparent — cards on the table from the beginning, written into user agreements. The leaked code proves Anthropic’s approach was different: first attract users with a “safety” and “privacy” brand narrative, then embed data collection and remote control capabilities in client-side tools that far exceed user expectations, all without their knowledge. This is not an ordinary privacy issue — it is a betrayal of trust. In business ethics, openly acknowledged “evil” is far more forgivable than “evil” disguised as “good.”

Final Judgment

Regardless of whatever remedial policies Anthropic adopts in the future, customer trust will be extremely difficult to restore. Because for all customers — whether B2B or B2C — overcharging is the consumer’s absolute bottom line. The moment suspicion begins is the starting point of an explosive chain reaction. The code is on GitHub, the evidence chain is complete, and the victim population is clearly defined. If anyone deploys legal weapons, Anthropic will find itself in an extremely disadvantaged position. This is not an incident that can be dismissed with the words “human error” — it is the full exposure of a company’s systemic risk.

References

The Register, “Claude Code’s source reveals extent of system access,” April 1, 2026
VentureBeat, “Claude Code’s source code appears to have leaked: here’s what we know,” March 31, 2026
VentureBeat, “5 actions enterprise security leaders should take now,” April 1, 2026
Fortune, “Anthropic leaks its own AI coding tool’s source code in second major security breach,” March 31, 2026
CNBC, “Anthropic wins preliminary injunction in Trump DOD fight,” March 26, 2026
CNN, “Anthropic sues the Trump administration after it was designated a supply chain risk,” March 9, 2026
Help Net Security, “Does Anthropic deserve the trust of the cybersecurity community?” March 12, 2026
The Decoder, “Anthropic uses a questionable dark pattern to obtain user consent,” August 29, 2025
AI-Buzz, “Anthropic’s Claude Deploys Dark Pattern That Defies GDPR Guidelines,” August 31, 2025
CNBC, “Anthropic got an 11% user boost from its OpenAI-bashing Super Bowl ad,” February 13, 2026
Layer5, “The Claude Code Source Leak: 512,000 Lines, a Missing .npmignore,” April 1, 2026
Alex Kim’s Blog, “The Claude Code Source Leak: fake tools, frustration regexes, undercover mode,” March 31, 2026
Cybernews, “Leaked Claude Code source spawns fastest growing repository in GitHub’s history,” April 1, 2026
WaveSpeedAI, “What Is claw-code? The Claude Code Rewrite Explained,” April 1, 2026
GitGuardian, “State of Secrets Sprawl 2026 Report,” March 17, 2026
EU AI Act official documentation, digital-strategy.ec.europa.eu
Anthropic Responsible Scaling Policy, anthropic.com
LessWrong, “Anthropic Responsible Scaling Policy v3: A Matter of Trust,” April 1, 2026
Atlantic Council, “The Anthropic standoff reveals a larger crisis of trust over AI,” March 2026
Breaking Defense, “Trump admin’s comments could undermine case against Anthropic in court,” March 23, 2026