Anthropic Leaked Claude Code, Then DMCA’d the Internet
Two weeks ago, Anthropic was telling the world its devs basically don’t write code by hand anymore — Claude writes it for them. That flex hit different on March 31, when Anthropic shipped the entire closed-source TypeScript brain of Claude Code to npm. By accident. In a source map. For anyone with npm view and a zip downloader to grab.
Then they tried to DMCA it back into the bottle and knocked 8,100 GitHub repos offline — including forks of Anthropic’s own public repos. Popcorn-grade stuff. I’m not going to pretend I didn’t enjoy this.
Here’s what actually happened, with receipts.
Exhibit A: Ship the .map, ship the brain
On March 31, Anthropic pushed a release of @anthropic-ai/claude-code to npm. Inside the tarball was a 59.8 MB JavaScript source map that pointed at the full, unminified, comment-laden TypeScript tree. 1,906 files. Roughly 513,000 lines of code. A cleanroom-dream worth of closed-source agentic plumbing, hosted on Anthropic’s own public R2 bucket, a curl away.
The person who spotted it was Chaofan Shou (@Fried_rice), a security researcher interning at Solayer Labs. He posted about it at 4:23 a.m. Eastern on March 31. Decrypt clocked roughly 16 million views on the thread within a day. By the time the sun came up in San Francisco, there were mirrors. By lunch, there were rewrites. By dinner, one of them (nirholas/claude-code) was racking up stars faster than any repo in GitHub history — the Python clean-room fork claw-code cleared 30,000 stars before Anthropic could finish writing the word “DMCA.”

Anthropic’s own line, to TechCrunch: “This was a release packaging issue caused by human error, not a security breach.” Technically correct. And also the kind of release-packaging issue a --dry-run and a .npmignore are supposed to prevent. This isn’t some exotic build pipeline — it’s npm publish. The tool ships with a flag (--dry-run) whose entire reason for existing is “what am I about to put on the internet.” Somebody didn’t run it.
The kicker: the leaked tree had an Undercover Mode subsystem — a whole scaffolding built specifically to stop Claude Code from accidentally revealing Anthropic’s internal codenames. A leak-prevention system leaked inside the leak. You cannot write this.
Exhibit B: The DMCA carpet bomb
Anthropic’s legal team went full firehose. On March 31 they filed a DMCA notice against the nirholas/claude-code fork network on GitHub. GitHub’s tooling, when pointed at a fork network with more than 100 repos, is effectively a nuke: it disables the parent and every fork in one shot.

Result: 8,100 repositories disabled. Most of them had nothing to do with the leaked source. A huge chunk were forks of Anthropic’s own public anthropics/claude-code repo — the legitimate, open, MIT-licensed one. Developers who’d forked the public repo to tweak a skill or fix a typo woke up to a DMCA notice on their GitHub account. The “reputational threat” issue on Anthropic’s own repo reads like a support ticket from hell.

Enter Gergely Orosz, author of The Pragmatic Engineer — not a person you want on your case. He went public fast:
“OK, this is not April fool’s: Anthropic seems to be issuing mass DMCA requests on code that are legit forks of Anthropic’s own (open!) ‘claude code’ repo. This is looking terrible on Anthropic. Btw it’s also breaking of the law to file a DMCA on something that never broke it.”
— Gergely Orosz, @GergelyOrosz
That landed. Anthropic’s head of Claude Code, Boris Cherny, came out on social with the corporate version of “my bad”: “This was not intentional, we’ve been working with GitHub to fix it. Should be better now.” Anthropic’s Thariq Shihipar called it “a communication mistake.” On April 1, Anthropic filed a retraction for all notices except one repo and 96 listed forks.

TechCrunch (April 1 write-up) got a statement from Anthropic saying the over-broad sweep “unintentionally affected more repositories than expected.” Fine — I buy that nobody at Anthropic woke up wanting to pick a fight with random developers. The GitHub fork-network takedown UI is a genuinely terrible weapon to put in anyone’s hands.
But the reason that weapon was in anyone’s hands at all is that somebody at Anthropic fat-fingered an npm publish. You don’t get to file 8,100 takedowns on Monday if your build pipeline didn’t leak the crown jewels on Sunday.
The pattern: three-strikes week for Anthropic ops
I don’t love piling on a company I otherwise respect. But we’re four days into April and Anthropic’s operations team has now produced three unforced errors in a row:
- They quietly gutted prompt caching and didn’t tell paying users until the bills came in.
- They charged a dev $180 while he was out of office and ghosted him for a month.
- Now they’ve npm-published their closed-source crown jewels and DMCA’d their own users while trying to clean it up.
The model team is cooking. The research team is arguably the best in the world right now (see the Mythos velvet-rope piece — they literally built something so good they’re scared to release it). But the ops side — the boring stuff where you do the things that stop you from embarrassing yourself — is having a week.
What to actually take from this
Two things, one for Anthropic, one for us.
For Anthropic: the leak was a process failure that any serious shop checks for with a pre-publish script and a staging dry run. The DMCA blast-radius was a policy failure — somebody signed off on a “nuke this fork network” button without reading the blast radius label. Neither is a vibes problem. Both have playbooks. Run them.
For everyone else: stop treating the npm registry like a CDN you control. The same week Anthropic leaked Claude Code, an axios-themed malicious campaign was quietly shipping RATs into production dependencies. npm is a chaos surface. If you’re on the publishing side, you put --dry-run in your release checklist and you commit a real .npmignore. If you’re on the consuming side, you pin versions, you review diffs, and you assume every package is one typo away from being either a leak or a weapon.
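What a pre-publish gate for the publishing side can look like, as an added example (not Anthropic's code or anything from the leak): it audits the file list in the shape `npm pack --dry-run --json` reports and flags source maps, pointers to them, and oversized files. The 5 MB budget, the rule names, and the sample data are assumptions made for illustration.

```javascript
// Added example: gate over the file list npm is about to publish.
// Input shape follows `npm pack --dry-run --json`: [{ files: [{ path, size }] }].
const MAX_FILE_BYTES = 5 * 1024 * 1024; // assumed size budget, tune per package
const MAP_REF = /[#@]\s*sourceMappingURL=(\S+)/; // source map pointer in built JS

function auditPackList(packReport, readText) {
  const findings = [];
  for (const pkg of packReport) {
    for (const f of pkg.files) {
      if (/\.map$/i.test(f.path)) {
        findings.push({ path: f.path, rule: 'source-map-in-tarball' });
        try { // a map with sourcesContent carries the original sources verbatim
          const map = JSON.parse(readText(f.path));
          if (Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean)) {
            findings.push({ path: f.path, rule: 'map-embeds-original-sources' });
          }
        } catch { /* unparseable map: the first rule already fails the build */ }
      } else if (/\.[cm]?js$/i.test(f.path)) {
        const ref = MAP_REF.exec(readText(f.path));
        if (ref) {
          findings.push({ path: f.path, rule: 'source-map-reference', target: ref[1].slice(0, 80) });
        }
      }
      if (f.size > MAX_FILE_BYTES) {
        findings.push({ path: f.path, rule: 'oversized-file', size: f.size });
      }
    }
  }
  return findings;
}

// Constructed sample: a pack report and file contents, not real package data.
const sampleReport = [{ files: [
  { path: 'package.json', size: 900 },
  { path: 'cli.js', size: 1200000 },
  { path: 'cli.js.map', size: 60000000 },
] }];
const sampleFiles = {
  'package.json': '{"name":"example-cli"}',
  'cli.js': 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': JSON.stringify({ version: 3, sources: ['src/main.ts'],
    sourcesContent: ['// internal notes\nexport const x = 1;'], mappings: '' }),
};
const sampleFindings = auditPackList(sampleReport, (p) => sampleFiles[p]);
console.log(sampleFindings.map((f) => `${f.rule}: ${f.path}`).join('\n'));
```

In a release job, pass the parsed output of `npm pack --dry-run --json` and a reader backed by the build directory, and fail the job when the returned list is non-empty.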
Rating for this week in Anthropic ops: 2.5/10. Model team carrying a heavy stretcher.
Anthropic is still shipping the most interesting AI research in the world. That’s also why this week stings. When you’re the adult in the AI room, the room notices when you spill the drink.
Sources: TechCrunch · Decrypt · GitHub DMCA filing · GitHub DMCA retraction · Reputational-threat issue · Orosz on X · Chaofan Shou (@Fried_rice) · Layer5 analysis.