It started as an April fish. It ended as supply-chain poison.
On April 1st, I did what any reasonable developer does. I built a fake leaked repo. A README with a fish emoji. A license called POISSON-D-AVRIL-1.0. A Python file that prints an ASCII fish and calls you gullible. I was pretty pleased with myself.
TL;DR: My April Fools article about a fake Claude Code leak became real the same day. The actual leak exposed 500K lines of source, an autonomous daemon mode, and an anti-leak system that didn't prevent the leak. But the real danger is the axios supply-chain attack that dropped at the same time and nobody's talking about. Go run
npm audit, for real this time.
While I was finishing my ASCII art, Anthropic accidentally (lol) shipped a sourcemap file in their npm package that pointed to a zip archive containing the entire Claude Code source code. 500,000 lines of TypeScript. 1,900 files. My fake repo had a directory called ocean/ with one fish inside. The real leak had 44 tool subdirectories, a full multi-agent orchestration system, and a stealth mode designed to prevent leaks. You can't make this up, but irony did it anyway, in real time.
The prank
I built a fake monorepo. Standard TypeScript layout, nothing suspicious at first glance. Except for a directory called src/internal/ocean/ that had absolutely no business existing.
The inline comments were the kind of stuff you find in any codebase that's been touched by more than three engineers at odd hours:
// TODO: figure out why the model keeps mentioning fish on Tuesdays
// DO NOT REMOVE - last time someone deleted this line,
// Claude started responding exclusively in haiku
// The salmon constant. No one remembers why it's 42.
// Three engineers have tried to change it. All three quit.
const MAX_RECURSION = 42;
The config file was where I got creative:
{
"codename": "POISSON",
"status": "ACTIVE",
"deployment_date": "2026-04-01",
"target_audience": "developers who clone suspicious repos at 2 AM",
"threat_level": "delicious with lemon"
}
And a fish.py that printed an ASCII fish and congratulated you for running a random Python file from a suspicious repo. The license was POISSON-D-AVRIL-1.0. Permission granted to close your laptop and touch grass.
37 people clapped. I went to bed.
24 hours earlier, the real thing dropped
I woke up to a feed full of people who were not laughing about fish.
On March 31st, security researcher Chaofan Shou had found a .map file in Claude Code's npm package, version 2.1.88. That file pointed to a zip archive on Anthropic's own Cloudflare R2 bucket. Publicly accessible. No auth. Just sitting there like a garage door left open with a Porsche inside.
The zip had everything. Around 1,900 TypeScript files, over 512,000 lines. The entire agentic harness: tool implementations, slash commands, prompt handling, context management, multi-agent coordination. The whole engine.
I sat there with my coffee scrolling through the GitHub mirrors (41,500 forks before Anthropic's legal team woke up), then pulled up my fake repo side by side. My prank had src/internal/ocean/. Their real codebase had src/tools/ with 44 subdirectories and a single file called query.ts that weighs 785KB. My fish.py was 400 bytes. Same energy, different scale.
Anthropic's official statement: "Release packaging issue caused by human error." One line in .npmignore. Or Bun's bundler generating sourcemaps by default and nobody catching it. Pick your favorite.
Undercover Mode didn't cover anything
The leaked codebase has a file called utils/undercover.ts. Every word that follows is true, and I know it sounds like I'm making it up.
Anthropic built a full subsystem to prevent Claude from revealing internal information when Anthropic employees use Claude Code to contribute to open-source repos. It injects a prompt that says (I'm paraphrasing only slightly): "You are operating UNDERCOVER. Do not blow your cover. NEVER include internal model codenames, internal repo names, Slack channels, or the phrase 'Claude Code' in commits or PRs."
They built an anti-leak system. Inside the codebase. That leaked.
The forbidden terms in that prompt include animal names. Because the internal model codenames are animals. Capybara. Tengu. Tengu shows up hundreds of times as a prefix for feature flags and analytics events throughout the source. Capybara was already partially exposed by a separate Anthropic leak days earlier (a draft blog post made publicly accessible by accident, reported by Fortune). Two leaks in one week from the safety-first lab. Consistent, at least.
Then there's KAIROS. Named after the Greek concept of "the right moment." It appears over 150 times in the source as a feature flag for something called autonomous daemon mode. Claude Code running in background while you're idle, doing what the code calls autoDream: consolidating memory, merging observations, resolving contradictions. The kind of feature you announce at a keynote with dramatic lighting. Not the kind that leaks in a zip file next to your sourcemap.
Or actually, wait. Let me put it differently. These are the kind of details where if I had put them in my April 1st prank, people would have said "ok Phil, tone it down." "Threat level: delicious with lemon" is a joke. "Undercover Mode that didn't prevent the leak" is reality being funnier than satire.
The poison nobody's talking about
So everyone's dissecting the cool stuff. KAIROS, multi-agent, the memory architecture. Developer candy. I get it.
But on the same day, a separate supply-chain attack hit the axios npm package. Between 00:21 and 03:29 UTC on March 31st, someone published malicious versions of axios (1.14.1 and 0.30.4) containing a Remote Access Trojan. If you installed or updated Claude Code via npm during that three-hour window, you might have pulled a compromised dependency. Not a leaked sourcemap. A RAT. On your machine. With filesystem access.
Two supply-chain events in one day targeting the same ecosystem. One got the headlines because reading Anthropic's internal comments is fun. The other one is an actual backdoor.
The DMCA response made things worse. Anthropic sent takedown requests that hit thousands of GitHub repos, many unrelated to the leak. They had to scale it back. By then the code had been rewritten in Rust and Python by independent devs. Trying to unpour coffee.
And here's what bugs me: how many other companies have the exact same build configuration right now? Bun generates sourcemaps by default. If you don't explicitly turn them off, they ship. If your .npmignore doesn't exclude them, they're public. Anthropic isn't some startup with two interns handling deploys. They have a workflow discipline that I've written about extensively, and even that discipline doesn't protect you from a packaging oversight. If it can happen to them, check your own build output tonight. Not tomorrow. Tonight.
Sources
- Chaofan Shou's original disclosure on X (March 31, 2026)
- The Register: "Anthropic accidentally exposes Claude Code source code" (March 31, 2026)
- VentureBeat: "Claude Code's source code appears to have leaked" (March 31, 2026)
My fish.py is still online. It swims in its fake repo, rendering ASCII art to anyone who bothers cloning it. Nobody DMCA'd it. Nobody needed to.
Anthropic's real code got forked 41,500 times before the first takedown notice landed. It now exists in Rust, in Python, and probably in BASIC somewhere. The lab that spends millions aligning AI with human values forgot to add one line to their .npmignore.
My fake repo had better opsec than Anthropic's build pipeline. And that's not a joke.
(*) The cover is AI-generated. The fish, however, is artisanal.
<(((°>
Life's too short not to have a little fun.
Happy April 1st. Now go touch grass.
Top comments (0)