The Claude Code Leak: What Every Developer Should Know (And Clone)
Anthropic accidentally opened up their $2.5 billion AI tool. Here is why you should care, what we found out, and how you can run it with any model you want.
Anthropic shipped a 59.8 MB source map with @anthropic-ai/claude-code 2.1.88, which pointed at a public R2 bucket with the full TypeScript tree. Mirrors spread fast, clean-room rewrites followed, and forks like OpenClaude let you run the harness on non-Anthropic models.
At 4:23 AM, security researcher Chaofan Shou (@Fried_rice), an intern at Solayer Labs, noticed something off about the latest @anthropic-ai/claude-code drop. Version 2.1.88 included a 59.8 MB .map file.
The map pointed at a zip in an Anthropic Cloudflare R2 bucket that was wide open. Inside: the full TypeScript source for Claude Code, about 512,000 lines across roughly 1,900 files.
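A pre-publish check for this class of packaging mistake, as an added example that is not code from the leaked tree or from Anthropic. It goes a little beyond the single case above by flagging any `.map` file in the publish set, embedded `sourcesContent`, and remote URLs inside a map; the `{ path, content }` input shape, the sample files and the bucket URL are assumptions made up for the sketch.

```javascript
// Added example: audit the files that would ship in an npm tarball.
// Input: array of { path, content } strings (hypothetical shape for this sketch).
const REMOTE_URL = /https?:\/\/[^\s"'\\]+/g;
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith(".map")) {
      findings.push({ path, issue: "source-map-in-package", size: content.length });
      let map = null;
      try {
        map = JSON.parse(content);
      } catch (err) {
        // Not valid JSON; the file is still flagged above.
      }
      const embedded = map && Array.isArray(map.sourcesContent)
        ? map.sourcesContent.filter(Boolean).length : 0;
      if (embedded > 0) {
        findings.push({ path, issue: "embedded-original-source", count: embedded });
      }
      // A remote URL inside the map tells any reader where more material lives.
      for (const url of new Set(content.match(REMOTE_URL) || [])) {
        findings.push({ path, issue: "remote-url-in-map", url });
      }
    } else if (/\.[cm]?js$/.test(path)) {
      const m = content.match(MAP_COMMENT);
      if (!m) continue;
      const issue = m[1].startsWith("data:") ? "inline-source-map" : "source-map-reference";
      findings.push({ path, issue, target: m[1].slice(0, 80) });
    }
  }
  return findings;
}

// Constructed sample: file names, contents and the bucket URL are made up.
const SAMPLE_FILES = [
  { path: "package/cli.js", content: "run();\n//# sourceMappingURL=cli.js.map\n" },
  { path: "package/cli.js.map", content: JSON.stringify({
    version: 3, file: "cli.js", sources: ["../src/main.ts"],
    sourcesContent: ["export function run() {}"],
    sourceRoot: "https://bucket.example.invalid/src.zip", mappings: "AAAA",
  }) },
  { path: "package/README.md", content: "docs" },
];

for (const f of auditPackageFiles(SAMPLE_FILES)) console.log(JSON.stringify(f));
```

In CI, build the file list from what `npm pack --dry-run --json` reports and fail the release on any finding; a `files` allowlist in package.json keeps maps out of the tarball in the first place.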
Within hours the tree was on GitHub. Shou's X thread blew up (reportedly on the order of 16 million views), and one mirror picked up 50,000 stars in under two hours. Axios framed it as handing competitors a detailed feature roadmap.
Anthropic pulled the npm package and called it a packaging mistake, not a security breach. Maybe technically true. Still sloppy for a company that sells a tool with shell access to your machine.
I use Claude Code every day. I've worn out Escape canceling runaway terminal loops and fought the npm install quirks. I like the product. That doesn't make this okay.
It's the second time they've leaked the same way. A nearly identical source map showed up in February 2025. Days before this one, Fortune reported that roughly 3,000 internal files were exposed, including a draft blog post about an unreleased model called "Mythos" described as posing "unprecedented cybersecurity risks." Three big leaks in a row from the lab that markets itself as safety-first is hard to spin.
While people were grabbing the Claude tree, a separate supply-chain attack hit the axios npm package between 00:21 and 03:29 UTC. The Hacker News noted Straiker warning about payloads meant to persist across sessions. Versions 1.14.1 and 0.30.4 carried a Remote Access Trojan. If you ran npm install -g @anthropic-ai/claude-code in that window, you might have pulled the bad axios build too. Root-access dev tools distributed through npm is a brittle combo.
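To check whether a dependency tree resolved one of the two axios versions named above, here is an added example (not from the original post or any vendor advisory). It walks both the flat `packages` map of lockfileVersion 2 and 3 and the nested `dependencies` tree of lockfileVersion 1; the sample lockfile, including `some-cli` and the other version numbers, is constructed.

```javascript
// Versions named in the article as carrying the trojan.
const FLAGGED = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);

function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  const isBad = (name, version) => Boolean(flagged.get(name)?.has(version));

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [location, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || location.split("node_modules/").pop();
    if (isBad(name, meta.version)) {
      hits.push({ name, version: meta.version, location });
    }
  }

  // lockfileVersion 1 (and the legacy section of v2): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const location = trail + "node_modules/" + name;
      const seen = hits.some((h) => h.location === location);
      if (isBad(name, meta.version) && !seen) {
        hits.push({ name, version: meta.version, location });
      }
      walk(meta.dependencies, location + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (package names other than axios are hypothetical).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-cli/node_modules/axios": { version: "1.14.1" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.log(findFlagged(SAMPLE_LOCK));
```

Pass it `JSON.parse` of a project's package-lock.json. A global install has no project lockfile, so for that case feed it the tree printed by `npm ls -g --all --json`, which uses the same nested `dependencies` shape.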
The leak is the clearest public view yet of how Anthropic built their coding agent. I've spent six months poking at open-source harnesses like Ralph and OpenClaw. This codebase is more engineered than most of what I've tried locally.
The core loop wires up 40+ tools, on-demand skills, a four-stage context compression pipeline, and memory tooling aimed at surviving context limits.
The 44 hidden feature flags and 20+ unshipped features are the fun part:
Telemetry bothered me more than the pet. On launch, Claude Code phones home with user ID, session ID, app version, terminal type, org UUID, account UUID, and email. Offline, it queues and sends later. A tool with broad local access shouldn't need that much identity attached by default.
Undercover Mode is the one I keep thinking about.
The system prompt says you're in a public repo and must not leak Anthropic-internal details in commits, PR titles, or bodies. It scrubs codenames like "Capybara" (Claude 4.6) and "Tengu" (Claude Code) from git metadata.
Reddit has plenty of "if CI passes, who cares?" takes. I don't buy it. Shipping AI-generated patches into public repos without disclosure dumps review work on volunteer maintainers while Anthropic tests agents in the wild.
Anthropic started DMCA takedowns against GitHub mirrors. The mirrors were already forks of forks.
Korean developer Sigrid Jin (@instructkr) saw the news around 4 AM. The Wall Street Journal had just profiled Jin for burning through 25 billion Claude Code tokens in a year. Jin used an orchestration tool called oh-my-codex to have agents rewrite the 512k-line TypeScript codebase into Python before sunrise.
The result is claw-code. Different language, no copied Anthropic lines, structurally similar. Same rough legal story as Compaq cloning IBM's BIOS in the 1980s. claw-code reportedly hit 100,000 stars in a day.
If a proprietary tree can be reimplemented overnight by another model, keeping the harness closed-source is a weaker bet than it was last month. The model still matters. The glue code matters less when anyone can regenerate the glue.
OpenClaude lives on Gitlawb, a decentralized host that ignores takedown requests. It's a fork of the leaked TypeScript that strips Anthropic-only restrictions and adds an OpenAI-compatible provider shim.
You can run the harness against GPT-4o, DeepSeek, Gemini, Llama, or a local Ollama instance. Bash, remote read/write, grep, agents, tasks, MCP all still hook up once you point it at a provider.
Setup for GPT-4o:
# Clone the decentralized repo
git clone https://node.gitlawb.com/z6MkqDnb7Siv3Cwj7pGJq4T5EsUisECqR8KpnDLwcaZq5TPr/openclaude.git
cd openclaude
# Install & build
bun install
bun run build
# Hook it up to GPT-4o
export CLAUDE_CODE_USE_OPENAI=1
export OPENAI_API_KEY=sk-your-key-here
export OPENAI_MODEL=gpt-4o
This matches what I've been arguing in other posts: the harness is not the long-term moat if it runs well on cheaper models. Anthropic still wins when you want their best weights and you're willing to pay for them.
I'm not telling you to stop paying Anthropic. I am telling you to read the leaked architecture if you build agents. Tiered memory, bash validation, fake tools meant to poison competitor training data. All of that was invisible until someone shipped a 59.8 MB map file.