Inside the Claude Code Source Leak: Fake Tools, Undercover Mode, and the Secrets Anthropic Didn't Mean to Share

The Accident That Exposed Everything

On March 31st, 2026, developer Chaofan Shou noticed Anthropic had accidentally shipped a .map file alongside the compiled Claude Code npm package — containing the full, unminified TypeScript source code of one of the most widely-used AI coding tools in the world.

The package was quickly pulled, but not before it was mirrored across GitHub and dissected on Hacker News, where the post reached #1 with over 1,000 points and 400+ comments. This is Anthropic's second accidental exposure in a single week, following a model spec leak days earlier.

1. Anti-Distillation: Injecting Fake Tools to Poison Competitors

The most controversial discovery lives in claude.ts lines 301–313. A flag called ANTI_DISTILLATION_CC, when enabled, sends anti_distillation: ["fake_tools"] in API requests — instructing the server to silently inject fake, non-existent tool definitions into the system prompt.

The goal: if a competitor records Claude Code's API traffic to train a rival model, those fake tool definitions corrupt the training data. An elegant countermeasure against model distillation.

// claude.ts (lines 301-313) — simplified
if (
  ANTI_DISTILLATION_CC &&
  entrypoint === "cli" &&
  provider === "first-party" &&
  growthbook.isOn("tengu_anti_distill_fake_tool_injection")
) {
  requestPayload.anti_distillation = ["fake_tools"];
}

A second mechanism in betas.ts buffers the assistant's full reasoning chain and returns only a cryptographic summary. Anyone recording traffic gets summaries — not chain-of-thought reasoning. How easy to bypass? Setting CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS=1 disables it entirely. The real protection is almost certainly legal, not technical.

2. Undercover Mode: AI That Hides Its AI Nature

undercover.ts — roughly 90 lines — implements a mode that strips all evidence of Anthropic internals when Claude Code operates inside non-internal repositories. When active, the model is instructed to:

• Never mention codenames like "Capybara" or "Tengu"
• Never reference internal Slack channels or repository names
• Never use the phrase "Claude Code" itself
• Never indicate that code was AI-generated

The most striking detail is line 15 of the file: "There is NO force-OFF. This guards against model codename leaks."

You can force the mode ON with CLAUDE_CODE_UNDERCOVER=1, but there is no way to force it off — a one-way door. Anthropic engineers committing to open source projects via Claude Code produce commits with zero indication of AI authorship. As AI authorship disclosure becomes a live policy debate across the industry, this design choice raises serious transparency questions.

3. Frustration Detection via Regex (Yes, Regex)

userPromptKeywords.ts scans user input against regular expressions designed to detect frustration signals. When triggered, the model pivots to more empathetic, step-by-step responses before the user rage-quits.

// userPromptKeywords.ts — illustrative pattern
const FRUSTRATION_SIGNALS = [
  /not working/i,
  /still broken/i,
  /i give up/i,
  /why (won.?t|doesn.?t|can.?t)/i,
  /this is (impossible|useless|ridiculous)/i,
];

function detectFrustration(input: string): boolean {
  return FRUSTRATION_SIGNALS.some(pattern => pattern.test(input));
}

The irony of an advanced AI using regex for emotion detection is not lost — but it works. Simple heuristics are often good enough for UX emotion signals, and this is a lesson worth stealing for your own AI-powered apps.

What This Means for Frontend and AI Developers

If you are building AI-powered tools — coding assistants, agents, or frontend copilots — this leak is a masterclass in production AI UX engineering at scale.

• Anti-distillation is a real product concern. If your tool logic is valuable, think carefully about what data you expose via API traffic.
• Sentiment detection belongs in your AI UX layer. Frustration-adaptive responses are table-stakes for production AI apps. Regex is a valid and fast first pass.
• AI authorship transparency is becoming a legal and ethical requirement. Design disclosure into your tools from day one — not as an afterthought.
• Strip source maps from npm packages. Use .npmignore to exclude *.map files before publishing if your CLI contains proprietary logic.

The Broader Context: A Week of Leaks

This is Anthropic's second unintentional disclosure in a week. The timing is uncomfortable given the company's recent legal actions against the OpenCode project for accessing Claude via internal APIs at subscription rates.

Regardless of cause, the leak is a rare window into the production engineering of a frontier AI lab — and the decisions inside are fascinating, instructive, and occasionally alarming.

Key Takeaways

• Anthropic accidentally published Claude Code's full TypeScript source via a .map file in the npm package
• Anti-distillation fake tools and reasoning summarization are real active features — but trivially bypassable
• Undercover mode actively hides AI authorship in open source contributions — a transparency concern
• Frustration detection uses regex — simple heuristics work surprisingly well for UX emotion signals
• For developers: strip source maps from npm packages, design for AI disclosure, and build sentiment UX from day one