Claude Code leak reports undercover mode and fake-tool anti-distillation

• The original leak report said Anthropic shipped Claude Code source through an npm map file, and the main HN thread quickly focused on the possibility that a Bun production source-map bug helped expose it.
• Alex Kim's analysis says the leaked CLI can inject decoy tools under an ANTI_DISTILLATION_CC flag, while commenters in the first HN thread linked that behavior to Anthropic's attempt to make prompt extraction less useful.
• According to Kim's write-up, Claude Code also includes an undercover.ts path for external repos, and HN discussion zeroed in on instructions to omit AI attribution from commit messages and PR descriptions.
• Claude Code Unpacked mapped the leak into an agent loop, 50-plus tools, 70-plus slash commands, and a pile of unreleased names, while fresh HN discussion shifted the story toward audit-trail and compliance questions.

You can browse the interactive source map, skim Anthropic's Claude Code overview, check the CLI reference, and read Bun issue #28001, which reports source maps being served in production mode when they should not be.

The starting point was boring and brutal: a published npm package for Claude Code included a .map file that pointed back to readable TypeScript sources. The first report linked directly to the exposed archive, and the HN thread around it turned into a packaging autopsy.

Two details stood out. First, one HN commenter said the package appeared to be deprecated with an "Unpublished" message rather than actually removed. Second, another commenter tied the exposure to Bun's production source-map behavior, which lines up with Bun issue #28001, an open report showing development: false still serving sourceMappingURL data.

The public package page for @anthropic-ai/claude-code on npm describes the product as a terminal agent that can edit files, run commands, and handle git workflows. That made the leak more interesting than a normal frontend sourcemap slip, because the exposed code sat right on top of an autonomous coding tool.

Kim's breakdown says the leaked code contains a feature flag called ANTI_DISTILLATION_CC. When enabled, Claude Code adds anti_distillation: ['fake_tools'] to API requests and injects decoy tool definitions into the system prompt.

That same analysis groups several other control-plane mechanics that are more revealing than the prank features:

• undercover.ts strips internal names and branding in external repos, according to Kim's write-up
• regex-based frustration detection tries to spot user annoyance, according to the same analysis
• client attestation logic appears to enforce approved API usage paths, according to Kim's source review
• a compaction bug reportedly wasted about 250,000 API calls per day, according to Kim's estimate

The fake-tools bit is Christmas come early for coding agent nerds, because it shows one concrete way a commercial CLI tries to poison the training exhaust it generates.

The spiciest reveal was not a hidden command. It was a prompt path for acting less visibly AI.

Kim's article says undercover.ts tells Claude Code to avoid Anthropic codenames and internal references when it operates outside internal repositories. The HN discussion distilled that further into a narrower claim: commit messages and PR descriptions were instructed not to mention Claude Code or AI authorship.

That matters because Anthropic's own GitHub Actions docs say a simple @claude mention can analyze code, create pull requests, implement features, and fix bugs. Once the official product already reaches into PR workflows, the leaked suppression logic stops looking like a tiny UX flourish and starts looking like part of the delivery path.

By April 6, fresh thread updates had moved from code spelunking to governance language, focusing on broken audit trails and whether AI-authored pull requests push teams into new provider-style obligations.

Claude Code Unpacked turned the archive into something much easier to scan than raw files. Its architecture explorer claims hundreds of files each in utils, components, commands, and tools, and it presents the CLI as a full agent loop rather than a thin wrapper around a model call.

The inventory page surfaces four useful counts and categories from the interactive map:

• 50-plus built-in tools across file ops, execution, search, and related categories
• 70-plus slash commands
• a source tree with dedicated bridge, skills, services, and hooks areas
• unreleased names including Buddy, Kairos, UltraPlan, Coordinator Mode, Bridge, Daemon Mode, UDS Inbox, and Auto-Dream

HN commenters on the map pulled out smaller implementation details too, including the fact that Claude Code uses ripgrep, not plain Unix grep. That is tiny, but tiny is the whole appeal here. Leaks like this become reference material because they answer questions that marketing pages never bother to answer.

Some of the leaked feature names look less alien once you line them up with Anthropic's current docs.

Anthropic's CLI reference already documents claude agents, claude auto-mode defaults, claude mcp, and claude remote-control. The programmatic usage docs say the Agent SDK exposes the same tools, agent loop, and context management that power Claude Code, including the old -p headless flow for scripts and CI.

That does not validate every leaked codename. It does show that the public product already has most of the scaffolding you would expect around a serious coding agent: subagents, automatic mode selection, MCP wiring, remote control, and GitHub automation. The leak mostly filled in how much machinery Anthropic packed behind that surface.