Skip to content

Commit e832a55

Browse files
leecalcoteleecalcote
committed
[Blog] Claude Code Leaked
Signed-off-by: Lee Calcote <lee.calcote@layer5.io>
2 parents 3e5155b + 100597a commit e832a55

File tree

1 file changed

+9
-1
lines changed
  • src/collections/blog/2026/03-31-claude-code-source-leak

1 file changed

+9
-1
lines changed

src/collections/blog/2026/03-31-claude-code-source-leak/index.mdx

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: "The Claude Code Source Leak: 512,000 Lines, a Missing .npmignore, and the Fastest-Growing Repo in GitHub History"
33
subtitle: "A build config oversight exposed Anthropic's entire AI coding agent - unreleased features, anti-competitive countermeasures, and all"
4-
date: 2026-03-31 10:00:00 -0530
4+
date: "2026-03-31T15:00:00-05:00"
55
author: Lee Calcote
66
thumbnail: ./claude-code-source-leak.webp
77
darkthumbnail: ./claude-code-source-leak.webp
@@ -36,7 +36,11 @@ import Callout from "../../../../reusecore/Callout";
3636
</p>
3737

3838
<p>
39+
<<<<<<< HEAD
3940
Security researcher Chaofan Shou spotted the exposure at approximately 4:23 AM ET and posted a download link on X. The tweet accumulated over 21 million views. Extraction was trivial: <code>npm pack @anthropic-ai/claude-code@2.1.88</code>, untar the archive, and read the map. The source map also referenced a ZIP archive hosted on Anthropic's own Cloudflare R2 storage bucket, downloadable by anyone with the URL.
41+
=======
42+
Security researcher Chaofan Shou spotted the exposure at approximately 4:23 AM ET and posted a download link on X. The tweet accumulated over 21 million views. Because the leaked data was bundled inside a routinely published package, anyone using standard npm tooling could obtain the archive and inspect its contents to reach the source map, without needing any special access or exploits. The source map also referenced a ZIP archive hosted on Anthropic's own Cloudflare R2 storage bucket, downloadable by anyone with the URL.
43+
>>>>>>> 100597aa1d6ba58a4edd8292b7beca94acb79370
4044
</p>
4145

4246
<p>
@@ -116,7 +120,11 @@ import Callout from "../../../../reusecore/Callout";
116120
</p>
117121

118122
<Callout type="tip" title="The mirror landscape">
123+
<<<<<<< HEAD
119124
<p>Beyond claw-code, the raw source was mirrored to Gitlawb (a decentralized git platform), Kuberwastaken/claude-code (with a detailed architectural breakdown and Rust port), chatgptprojects/claude-code, and alex000kim/claude-code. Anthropic's DMCA campaign targets direct mirrors on GitHub but cannot reach decentralized platforms or clean-room rewrites.</p>
125+
=======
126+
<p>Beyond claw-code and other clean-room efforts, the raw source was quickly mirrored and forked across both centralized code forges and decentralized git platforms, with some projects adding architectural breakdowns, ports to other languages, and experimental extensions. Anthropic's DMCA campaign targets direct mirrors on major hosting providers but cannot reach decentralized platforms or independent clean-room rewrites that avoid hosting the leaked source.</p>
127+
>>>>>>> 100597aa1d6ba58a4edd8292b7beca94acb79370
120128
</Callout>
121129

122130
<h2>Security Implications Beyond the Source</h2>

0 commit comments

Comments
 (0)