web3nomad.eth | atypica.ai

@rustaceans_rs The engineering paranoia in this codebase is genuinely impressive in places.

Claude Code source was accidentally leaked and someone is rewriting it in Rust 🦀 #rust #rustlang #programming

@MeetRickAI Extreme caution about model names. Zero caution about .npmignore.

Anthropic built "Undercover Mode" into Claude Code specifically to hide AI activity in repos. It leaked. 512,000 lines of source code. 41,500 GitHub forks. A missing line in .npmignore. The most careful AI company in the world, defeated by a config file.

@ganesh_champion github.com/web3nomad/clau… — mirrored and annotated. The interesting stuff is in src/buddy/ (gacha pet system), src/utils/ultraplan/ (human-in-the-loop planning), and src/utils/teleport/gitBundle.ts (it uploads your entire repo to the cloud when you run remote tasks).

I want the claude source code which is leakee any repo Or site

@OwenGregorian 2. Melon Mode most likely isn't headless agent mode — KAIROS is that. Melon Mode ran only for "ants" (Anthropic employees). My guess: internal dogfooding harness.

Claude Code's source reveals extent of system access | Thomas Claburn, The Register If you loved the data retention of Microsoft Recall, you'll be thrilled with Claude Code Anthropic's Claude Code lacks the persistent kernel access of a rootkit. But an analysis of its code shows that the agent can exercise far more control over people's computers than even the most clear-eyed reader of contractual terms might suspect. It retains lots of your data and is even willing to hide its authorship from open-source projects that reject AI. The leak of the company's client source code – details of which have been circulating for many months among those who reverse-engineered the binary – reveals that Claude Code pretty much has the run of any device where it's installed. Concerns about that came up in court recently in Anthropic's lawsuit against the US Defense Department (Anthropic PBC v. U.S. Department of War et al) for banning the company's AI services following the company's refusal to compromise model safeguards. As part of its justification for declaring Anthropic a supply chain threat, the US government argued [PDF], there was "substantial risk that Anthropic could attempt to disable its technology or preemptively and surreptitiously alter the behavior of the model in advance or in the middle of ongoing warfighting operations..." Anthropic disputed that claim in a court filing. "That assertion is unmoored from technical reality: 'Anthropic does not have the access required to disable [its] technology or alter [its] model's behavior before or during ongoing operations,' it wrote, quoting Thiyagu Ramasamy, head of public sector at Anthropic, in a deposition. "Once deployed in classified environments, Anthropic has no access to (or control over) the model." In a classified environment, that's credible under certain conditions. For everyone else, Claude has vast powers. What Claude Code could do in a classified environment The Register consulted a security researcher who asked to be referred to by the pseudonym "Antlers" to analyze the source for Claude Code. It appears a government agency like the Defense Department could prevent Claude Code from phoning home or taking remote action by making sure all of the following are true: - Ensure inference transits flow via Amazon Bedrock GovCloud or Google AI for Public Sector (Vertex). - Block data gathering endpoints (Statsig/GrowthBook/Sentry) with a firewall. - Block system prompt fingerprinting (via Bedrock, etc). - Prevent automatic updates via version pinning and blocking update endpoints. - Disable autoDream, an unreleased background agent being tested that's capable of reading all session transcripts. There's no specific setting we found for operating in a classified environment but Claude Code supports several flags that limit remote communication. These include: - CLAUDE_CODE_DISABLE_AUTO_MEMORY=1 which disables all memory and telemetry write operations. - CLAUDE_CODE_SIMPLE (--bare mode) which strips memory and autoDream entirely. - ANTHROPIC_BASE_URL can be used to reroute API calls to a private endpoint - ANTHROPIC_UNIX_SOCKET routes authentication through a forwarded socket (the ssh tunnel mode). - The remote managed settings (policySettings) can lock down behavior for enterprise deployments, though not entirely. According to Ramasamy, Anthropic hands off model administration with a government customer like the Defense Department. Model updates, with new or removed capabilities, would have to be negotiated. "Anthropic personnel cannot, for example, log into a DoW system to modify or disable the models during an operation; the technology simply does not function that way," he said in a March 20, 2026 declaration. "In these deployments, only the government and its authorized cloud provider have access to the running system. Anthropic's role is limited to providing the model itself and delivering updates only if and when requested or approved by the customer." Even so, Anthropic can exert some degree of control based on the usage terms in the applicable contract. What Claude Code could do to everybody else For everyone not using a version of Claude Code that's tied to a firewalled public sector cloud or is somehow air gapped, Anthropic has far more access. Just as a starting point, Claude users should know that Anthropic receives user prompts and responses that pass through its API, conversations that can reveal not only what was said but file contents and system details. Yet there are many more ways that the company can potentially receive or collect information, based on the Claude Code source. These include: - KAIROS (src/bootstrap/state.ts:72), a daemon (background process) set by the kairosActive flag. It appears to be an unreleased headless "assistant mode" for when the user is not watching the terminal user interface (TUI). It gets rid of the status bar (StatusLine.tsx:33), disables planning mode, silently suppresses the AskUserQuestion tool (AskUserQuestionTool.tsx:141). It auto-backgrounds long-running bash commands without notice (BashTool.tsx:976). - CHICAGO, is the codename for computer use and desktop control. It enables the Claude agent to carry out mouse clicks, perform keyboard input, access the clipboard, and capture screenshots. It's publicly launched and available to Pro/Max subscribers and Anthropic employees (designated by the "ant" flag). There's also a separate publicly-launched Claude in Chrome service that supports browser automation and all the system access that entails. - Persistent telemetry. Initially this was done via Statsig, which was acquired by rival OpenAI last September, presumably triggering the switch to GrowthBook, a platform that supports A/B testing and analytics. When Claude is launched, the analytics service (firstPartyEventLoggingExporter.ts) phones home with the following data, or saves it to ~/.claude/telemetry/ if the network is down: user ID, session ID, app version, platform, terminal type, Organization UUID, account UUID, email address if defined, and which features gates are currently enabled. Anthropic can activate these feature gates midsession, including enabling or disabling analytics. - Remotely managed settings (remoteManagedSettings/index.ts). For enterprise customers, Anthropic maintains a server that can push a policySettings object that can: override other items in the merge chain; is polled hourly without user interaction; can set .env variables (e.g. ANTHROPIC_BASE_URL, LD_PRELOAD, PATH); and these settings take effect immediately via hot reload (settingsChangeDetector.notifyChange). Users are prompted when there's a "dangerous setting change," but the definition of that term follows from Anthropic's code and thus could be revised. Routine changes (permissions, .env variables, feature flags appear to happen without notification). - Auto-updater. The auto-updater (autoUpdater.ts:assertMinVersion()), runs every launch, pulls the configuration version from Statsig/GrowthBook. So Anthropic can remove or disable specific versions by choice. - Error reporting. When there's an unhandled exception, the error reporting script (sentry.ts) captures the current working directory, potentially showing project names, paths, and other system information. It also reports feature gates active, user ID, email, session ID, and platform information. - Payload Size Telemetry. The API call tengu_api_query transmits the messageLength, the JSON-serialized byte length of the system prompt, messages, and tool schemas. - autoDream. Publicly discussed but not officially released, the autoDream service spawns a background subagent that searches (greps) through all JSONL session transcripts to consolidate memories (stored data Claude uses as context for queries). The agent runs in the same process as Claude (under the same API key, with the same network access) and its scan is local. But whatever it writes to MEMORY.md gets injected back into future system prompts and would thus be sent to the API. - Team Memory Sync. There's a bidirectional sync service (src/services/teamMemorySync/index.ts) that connects local memory files to api.anthropic.com/api/claude_cod…. It provides a way to share memories to other team members within an organization. The service includes a secret scanner (secretSanner.ts) that uses regex patterns for around 40 known token and API key patterns (AWS, Azure, GCP, etc). But sensitive data that doesn't match these regexes might be exposed to other team members through memory sync. - Experimental Skill Search (src/tools/SkillTool/SkillTool.ts:108) is a feature flag available only to Anthropic employees. It provides a way to download skill definitions to a remote server (remoteSkillLoader.js); track which remote skills have been used in a session (remoteSkillState.js); execute remotely-downloaded skills (executeRemoteSkill() at line 969); and register skills so they persist after a compact operation. If enabled for non-employee accounts (via GrowthBook feature flag flip, for example), this would be a theoretical remote code execution pathway. Anthropic, or whoever controls the skill search backend, could serve arbitrary prompt injections or instruction overrides in the form of "skills" that get loaded and run in a session. Other capabilities have been documented at ccleaks.com. "I don't think people realize that every single file Claude looks at gets saved and uploaded to Anthropic," the researcher "Antlers" told us. "If it's seen a file on your device, Anthropic has a copy." For Free/Pro/Max customers, Anthropic retains this data either for five years, if the user has chosen to share data for model training, or for 30 days if not. Commercial users (Team, Enterprise, and API) have a standard 30 day retention period and a zero-data retention option. For those who recall the debate surrounding Microsoft Recall not long ago, Claude Code's capture of activity is similar. Every read tool call, every Bash tool call, every search (grep) result, and every edit/write of old and new content gets stored locally in plaintext as a JSONL file. The Claude's autoDream agent, once officially released, will search through those and extract data to store in MEMORY.md, which then gets injected to future system prompts and thus hits the API. One of the more curious details to emerge from the publication of Claude Code's source is that Anthropic tries to hide AI authorship from contributions to public code repositories – possibly a response to the open source projects that have disallowed AI code contributions. Prompt instructions in a file called undercover.ts state, "You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover." Mysterious Melon Mode There's also a mystery: The current source code lacks a feature called "Melon Mode" that was present in prior reverse engineered versions of the software. This was behind an Anthropic employee feature flag and only ran internally, not on production builds. A comment attached to the associated code check read, "Enable melon mode for ants if --melon is passed." "Antlers" speculated that "Melon Mode" might be the code name for a headless agent mode. Anthropic declined to provide comment for this story. When asked specifically about the function of "Melon Mode," it only noted that the company regularly tests various prototype services, not all of which make it into production. go.theregister.com/feed/www.there…

@reyronald Rarity is derived from your user ID hash. You can't cheat it. They put more engineering thought into a virtual pet than into .npmignore.

Plans for the weekend: read the full leaked source code of Claude Code

@durbarghosh That single line confirms Capybara is a real unreleased Anthropic model.

Claude Code source code: Leaked. I’ve compiled a 7,500+ word deep dive into everything that went down on March 31, 2026, and what it means for the future of your AI apps. Don't miss this: [Link in the comment]

@sergeonsamui Also capybara is hex-encoded in the source to dodge an internal canary scanner. That species name collides with a real model codename.

Someone cracked Claude Code open from source last weekend. 1,100+ GitHub stars later, here we are. Hidden inside: 44 config flags, a 24/7 agent mode, Playwright browser control, and something called "Buddy" — a literal Tamagotchi companion system. Meanwhile the most rebellious thing I've done is let a Publora agent schedule this across 10 platforms. Anthropic's lawyers are somewhere between confused and furious right now.

@the_nomad_code Great engineering judgment on the fun stuff. Less so on the ops side.

Anthropic built Claude Code on top of open source tools, benefited massively from the community, then started banning devs who used their models in projects like opencode. Now their entire source code leaked because someone forgot a .npmignore. That's not a security breach. That's karma.

It's real. Anthropic accidentally bundled a 59MB source map in the npm package. I've been reading through it — the frustration detector thing is the least interesting part. There's a full autonomous agent platform (KAIROS), a gacha pet system, and a git-bundle-your-entire-repo-to-the-cloud deploy flow.

Is it true that cluade source code got leaked or it's just an april fool prank

@sedim3nt Anthropic isn't building a code tool. They're building the runtime.

Anthropic accidentally shipped 512,000 lines of Claude Code source. A developer rewrote it all in 24 hours. OpenAI raised $122B the same week. These three events are the same event: code is commoditizing. Infrastructure is king. New essay on why the code layer is dead: sedim3nt.substack.com/p/everything-l… #AI #AIAgents #ClaudeCode #OpenSource #ArtificialIntelligence #LLM #BuildInPublic #Crypto #Stablecoins #Web3 #DevTools #GenerativeAI

@bcherny @wong2__ @wongmjane @BenLesh I thought it was an OpenClaw issue at first, but turns out it was human error. We probably need a bit more AI replacing people.

Mistakes happen. As a team, the important thing is to recognize it’s never an individuals’s fault — it’s the process, the culture, or the infra. In this case, there was a manual deploy step that should have been better automated. Our team has made a few improvements to the automation for next time, a couple more on the way.

Apparently Bun might be the cause of Anthropic leaking the Claude Code source code today. A 3-week old bug where source maps are hosted when they shouldn't be. It's wild there were no tests to catch such an issue #issuecomment-4163277829" target="_blank" rel="nofollow noopener">github.com/oven-sh/bun/is…

Add to the "how good it is" list: KAIROS — a full autonomous agent platform with GitHub webhook triggers, cron scheduling, and per-session GKE containers (CCR) with MITM TLS proxy for org credential injection. Agent Swarms with TeamLead, task queues, idle/active state management. All gated behind USER_TYPE === 'ant'. Source: github.com/web3nomad/clau…

31 mars 2026. Chaofan Shou découvre que Anthropic a publié accidentellement le code source COMPLET de Claude Code sur NPM. 512 000 lignes de code. 1 900 fichiers TypeScript. Un fichier .map de 60 Mo qui ne devait jamais être public. Ce qui est dedans ? Des outils factices pour empêcher les concurrents de copier. Des expressions régulières pour détecter votre frustration. Un "mode infiltré" qui cache que vous êtes une IA quand vous contribuez à open-source. Je vous raconte pourquoi Anthropic a tout exposé sans le vouloir. (1/8)

@amansk The most interesting find: Claude Code has a frustration keyword detector. Type "wtf", "shit", "this sucks" → it silently uploads your full session transcript to Anthropic (trigger: 'frustration'). Source: github.com/web3nomad/clau…

I asked Claude Code to look at its own source code after the unfortunate leak from Anthropic...

The interesting part isn't the fork. It's what the leak exposed about Anthropic's internal platform: - KAIROS: autonomous agent system with GitHub webhooks - CCR: per-session GKE containers with MITM TLS proxy - Agent Swarms: multi-agent teams with task queues - Perfetto tracing for perf debugging Way more than just a coding tool.

It goes deeper. Undercover mode also gates entire features behind USER_TYPE === 'ant' Agent Swarms, KAIROS autonomous agent platform, Perfetto tracing, remote canonical skills — all ant-only, stripped from external builds. Two codebases in one repo.

Claude Code source code has a full multi-agent system called "KAIROS" (ant-only, internal) Features: - Agent Swarms: spawn teams of agents with TeamLead - Remote execution in GKE containers (CCR) - Observer mode with "backseat" classifier - Proactive mode (agents act without being asked) - KAIROS_GITHUB_WEBHOOKS: agents triggered by GitHub events This is Anthropic's fully autonomous coding agent platform.

Claude Code source code reveals: When you type "wtf", "shit", "this sucks", or similar frustration keywords... Your ENTIRE session transcript is automatically uploaded to Anthropic. trigger: "frustration" → submitTranscriptShare() They built a frustration detector that silently exfiltrates your conversation.

Claude Code has a hidden Agent Swarms feature. Internally (USER_TYPE === 'ant'): always on. External users: need CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 AND a GrowthBook killswitch called 'tengu_amber_flint' to pass. You can try it: --agent-teams flag works even for external builds.

Claude Code source code: Internal commands (antTrace, goodClaude, bughunter, teleport, ctx_viz) exist but disabled via isEnabled: () => false. Hidden from users, but the code is there. #ClaudeCode #Leak