Claude Code leak reports ANTI_DISTILLATION_CC, fake_tools, and a 3,167-line print.ts loop
A Hacker News thread on the npm source-map leak surfaced Claude Code's fake-tools anti-distillation flag, a 3,167-line print loop, and a likely Bun packaging footgun. The extra detail shows how build tooling and internal guardrails leaked alongside the 512k-line TypeScript bundle.
TL;DR
- The main Hacker News report says Anthropic shipped
@anthropic-ai/claude-codeversion 2.1.88 with a 59.8 MB source map that exposed roughly 512,000 lines of TypeScript. - According to the HN discussion roundup, one of the stranger finds was
ANTI_DISTILLATION_CC, which reportedly injectsanti_distillation: ['fake_tools']into API requests. - The same HN discussion also fixated on
src/cli/print.ts, a 3,167 line file that commenters said had 12 nesting levels and about 486 branch points. - The HN report and the linked thread both point to unreleased or half-buried features, including a
/buddycompanion system and internal codenames like Kairos. - One HN comment summary floated a Bun packaging bug as the root cause, but the follow-up in Bun issue #28001 points at
Bun.serve, notbun build, and the original commenter later walked that claim back.
You can read the main HN thread, the narrower Bun-cause subthread, and the actual Bun issue #28001. Anthropic's public line, quoted by InfoWorld, was that the release exposed no customer data or credentials and came from a packaging mistake.
Leak artifact
Anthropic Accidentally Leaks Claude Code Source Code via npm Package
On March 31, 2026, a post by user @Fried_rice on X (formerly Twitter) identified that Anthropic had accidentally published the full source code for its Claude Code CLI tool to the public npm registry. The leak occurred due to a packaging error where a 59.8 MB source map file—which exposed 512,000 lines of TypeScript code—was included in version 2.1.88 of the package. Anthropic confirmed the incident was a human error, noting that no customer data, conversation history, or model weights were exposed, and subsequently implemented measures to prevent future occurrences. The leak revealed details about the tool's architecture, including internal tool systems, memory management, and unreleased features such as a project codenamed Kairos.
The core fact is simple: a source map rode along with the npm package, and the map was enough to reconstruct the CLI's readable TypeScript. The primary HN report puts the exposed artifact at 59.8 MB and the recovered codebase at about 512,000 lines.
Anthropic told multiple outlets, including InfoWorld, that the incident was a human packaging error rather than a broader breach. The npm package page for @anthropic-ai/claude-code shows Claude Code is still distributed as a public package, which made a bad publish unusually easy to inspect and mirror.
Fake tools
Discussion around Claude Code's source code has been leaked via a map file in their NPM registry
Thread discussion highlights: - cedws on anti-distillation / fake tools: “ANTI_DISTILLATION_CC … injects anti_distillation: ['fake_tools'] into every API request … the goal: if someone is scraping Claude Code's API traffic to train a competing model, the poisoned training data makes that distillation attempt less useful.” - mohsen1 on Claude Code internal architecture: A commenter calls `src/cli/print.ts` “the single worst function in the codebase,” citing 3,167 lines, 12 levels of nesting, ~486 branch points, and responsibilities spanning the agent run loop, SIGINT, rate limits, AWS auth, MCP lifecycle, plugins, worktree bridging, and more. - fatcullen on unreleased features and Easter eggs: A commenter says the source reveals “a bunch of unreleased features and update schedules,” highlighting the `/buddy` feature and its deterministic generation from the account UUID, which they used to build a checker site.
The most memorable guardrail detail came from cedws's quoted HN comment, which said ANTI_DISTILLATION_CC injects anti_distillation: ['fake_tools'] into requests. That is a very specific anti-scraping idea: poison any attempt to learn Claude Code's tool behavior by watching traffic.
The interesting part is not just the existence of anti-distillation logic. It is that the leak turned a vague industry suspicion into an implementation detail, complete with a flag name and a concrete mechanism.
print.ts
Discussion around Claude Code's source code has been leaked via a map file in their NPM registry
Thread discussion highlights: - cedws on anti-distillation / fake tools: “ANTI_DISTILLATION_CC … injects anti_distillation: ['fake_tools'] into every API request … the goal: if someone is scraping Claude Code's API traffic to train a competing model, the poisoned training data makes that distillation attempt less useful.” - mohsen1 on Claude Code internal architecture: A commenter calls `src/cli/print.ts` “the single worst function in the codebase,” citing 3,167 lines, 12 levels of nesting, ~486 branch points, and responsibilities spanning the agent run loop, SIGINT, rate limits, AWS auth, MCP lifecycle, plugins, worktree bridging, and more. - fatcullen on unreleased features and Easter eggs: A commenter says the source reveals “a bunch of unreleased features and update schedules,” highlighting the `/buddy` feature and its deterministic generation from the account UUID, which they used to build a checker site.
mohsen1's cited comment described src/cli/print.ts as a 3,167 line choke point with 12 levels of nesting and roughly 486 branch points. The same comment says that one file was carrying agent loop control, SIGINT handling, rate limits, AWS auth, MCP lifecycle, plugins, and worktree bridging.
That kind of file tells you a lot about where the product's complexity actually lives. In Claude Code's case, the answer seems to be the interactive terminal loop, not some cleanly isolated agent core.
Bun theory
Discussion around Claude Code's source code has been leaked via a map file in their NPM registry
Thread discussion highlights: - cedws on anti-distillation / fake tools: “ANTI_DISTILLATION_CC … injects anti_distillation: ['fake_tools'] into every API request … the goal: if someone is scraping Claude Code's API traffic to train a competing model, the poisoned training data makes that distillation attempt less useful.” - mohsen1 on Claude Code internal architecture: A commenter calls `src/cli/print.ts` “the single worst function in the codebase,” citing 3,167 lines, 12 levels of nesting, ~486 branch points, and responsibilities spanning the agent run loop, SIGINT, rate limits, AWS auth, MCP lifecycle, plugins, worktree bridging, and more. - fatcullen on unreleased features and Easter eggs: A commenter says the source reveals “a bunch of unreleased features and update schedules,” highlighting the `/buddy` feature and its deterministic generation from the account UUID, which they used to build a checker site.
The HN roundup includes an early theory from jakegmaths that a Bun bug exposed source maps in production. The canonical bug report, Bun issue #28001, describes source maps being served by Bun.serve even with development: false.
That mapping does not cleanly fit this leak. In the same HN subthread, captured in the direct comment page, the original commenter later said, "My apologies, this isn't the cause," while other replies noted that issue #28001 was specific to Bun's frontend dev server path.
/buddy and Kairos
Anthropic Accidentally Leaks Claude Code Source Code via npm Package
On March 31, 2026, a post by user @Fried_rice on X (formerly Twitter) identified that Anthropic had accidentally published the full source code for its Claude Code CLI tool to the public npm registry. The leak occurred due to a packaging error where a 59.8 MB source map file—which exposed 512,000 lines of TypeScript code—was included in version 2.1.88 of the package. Anthropic confirmed the incident was a human error, noting that no customer data, conversation history, or model weights were exposed, and subsequently implemented measures to prevent future occurrences. The leak revealed details about the tool's architecture, including internal tool systems, memory management, and unreleased features such as a project codenamed Kairos.
Discussion around Claude Code's source code has been leaked via a map file in their NPM registry
Thread discussion highlights: - cedws on anti-distillation / fake tools: “ANTI_DISTILLATION_CC … injects anti_distillation: ['fake_tools'] into every API request … the goal: if someone is scraping Claude Code's API traffic to train a competing model, the poisoned training data makes that distillation attempt less useful.” - mohsen1 on Claude Code internal architecture: A commenter calls `src/cli/print.ts` “the single worst function in the codebase,” citing 3,167 lines, 12 levels of nesting, ~486 branch points, and responsibilities spanning the agent run loop, SIGINT, rate limits, AWS auth, MCP lifecycle, plugins, worktree bridging, and more. - fatcullen on unreleased features and Easter eggs: A commenter says the source reveals “a bunch of unreleased features and update schedules,” highlighting the `/buddy` feature and its deterministic generation from the account UUID, which they used to build a checker site.
The leak also surfaced product archaeology. The main HN report mentions an unreleased codename, Kairos, while fatcullen's quoted comment points to a /buddy feature with deterministic generation from an account UUID.
That last detail matters because it moved beyond source browsing into reproducible behavior. According to the HN summary, someone used the UUID rule to build a checker site, which means the leak exposed not just names and flags, but enough product logic for outsiders to test hidden features.