Anthropic Leaked Their Source Code Twice in One Week

This is the story of how the company behind Claude, valued at $380 billion and built on the promise of AI safety, accidentally published the inner workings of its most important product.

What developers found inside ranged from genuinely alarming to surprisingly endearing. And what it all means for anyone who sends sensitive information to a cloud AI tool is worth paying attention to.

Let's get into it.

This Wasn't Their First Time

The Claude Code leak would have been bad enough on its own. But it came just days after a separate, arguably worse incident.

On March 26, Fortune reported that Anthropic had been storing thousands of internal files on a publicly accessible system. The root cause was almost comically simple: their content management system defaulted to making all uploaded assets public. Unless someone explicitly changed the privacy setting, every file uploaded to the CMS got a publicly searchable URL.

Close to 3,000 unpublished assets were sitting out in the open. Most were routine things like images and banners. But several were not routine at all.

A draft blog post described an unreleased AI model called “Mythos,” also referred to as “Capybara.” This wasn't a minor update. Capybara represented an entirely new tier in Anthropic's model lineup, sitting above their most powerful existing model, Opus. We covered the full details of that leak in our Anthropic Claude Mythos Leak article.

The draft called it “by far the most powerful AI model we've ever developed” and noted that it is “currently far ahead of any other AI model in cyber capabilities.”

The same cache exposed details about an invite-only CEO retreat at an 18th-century English manor in the UK. There was even an asset with a title referencing an employee's parental leave. Two security researchers, Roy Paz of LayerX Security and Alexandre Pauwels of the University of Cambridge, verified the materials.

Two leaks in one week. From the company that built its entire brand on AI safety.

What the Source Code Actually Revealed

Once the code was out, developers did what developers do. They read it. What they found was a mix of genuinely significant unreleased features, a beloved Easter egg, and some findings that raise real questions about how AI companies handle user data.

Unreleased Features

The code contained several features that Anthropic had not publicly announced:

• KAIROS: a persistent background agent capable of monitoring GitHub pull requests, fixing errors autonomously, and sending push notifications to users—all without human input. Bloomberg reported that Boris Cherny, Claude Code's creator, said Anthropic is “on the fence” about shipping it.
• ULTRAPLAN: a system that spawns a 30-minute Opus AI session on a remote server to plan your entire task.
• Coordinator Mode: a multi-agent swarm where multiple AI agents work on a single task simultaneously, each with their own scratchpad.
• Dream Mode: The Hacker News described it as a system allowing Claude to “constantly think in the background to develop ideas and iterate existing ones.” The Wall Street Journal characterized it as the model periodically going back through tasks to consolidate its memories.
• Undercover Mode: a set of instructions for Claude Code to contribute to open-source repositories without revealing it's an AI.

• Voice Mode: a full push-to-talk system built on Deepgram Nova 3 for speech-to-text.
• 18 hidden slash commands, currently disabled, including /bughunter, /teleport, and /autofix-pr.

The Easter Egg Everyone Loved

Among the unreleased features was something entirely different: a complete Tamagotchi-style pet system called Buddy. Type /buddy in the terminal and you hatch a unique ASCII companion based on your user ID. There are 18 possible species (including duck, capybara, dragon, ghost, axolotl, and “chonk”), a full gacha rarity system with a 1% legendary drop rate, shiny variants, wearable hats, and three stats: DEBUGGING, CHAOS, and SNARK.

A salt value in the code, “friend-2026-401,” confirmed this was planned as an April Fools' feature. The Reddit community's response was immediate and enthusiastic.

One of the most upvoted comments, with 522 upvotes, was simply: “I want the buddy shipped yesterday.” Anthropic apparently agreed. Buddy went live in the very next update, version 2.1.89.

The More Uncomfortable Findings

Not everything in the code was charming.

A profanity and frustration tracking system logs when users swear or express frustration. Boris Cherny described it as “one of the signals we use to figure out if people are having a good experience.” That framing positions it as a UX quality metric, but the existence of a system that tracks your emotional state—specifically when you're upset—will sit differently with different people.

The code also revealed anti-distillation measures, where Claude Code injects fake tool definitions into API requests to poison the training data of competitors who might try to scrape its outputs.

Every telemetry event in the codebase is prefixed with “tengu_” (the project's internal codename), and feature flags use gemstone-based codenames like tengu_cobalt_frost for voice mode and tengu_amber_quartz for a voice kill switch. A separate FPS tracker monitors terminal typing speed and sends the worst-performing 1% of metrics to Anthropic's telemetry pipeline.

What the Developer Community Actually Thought

The original Reddit post analyzing the leaked code was titled “I dug through Claude Code's leaked source and Anthropic's codebase is absolutely unhinged.” It racked up 5,100 upvotes and over 611 comments. But if you actually read the comments, the community's verdict ran in the opposite direction of the headline.

The dominant reaction from experienced developers was that nothing in the leak was surprising. One comment with 749 upvotes put it plainly: “imma be real with you, as someone who has maintained huge codebases built before AI, this is all very pedestrian and not controversial at all.”

A user claiming 30 years at Microsoft wrote that they had “seen and committed many much more heinous crimes of programmer malfeasance in the Windows, Exchange, and Azure codebases.”

Multiple users independently concluded that the original post was itself written by feeding the leaked code to an AI and publishing its analysis. The tells: all-lowercase writing, the word “unhinged” (a favorite Claude word, apparently), and presenting an already-released feature (/voice) as a hidden discovery. The subreddit's modbot, Wilson, generated a summary after 400 comments and captured the consensus: “OP is being dramatic and this is all perfectly normal.”

The most strategic take came from a user who reframed the entire conversation:

The same commenter pointed to what actually mattered: “The real question isn't 'why is their code messy.' It's 'what does the existence of a multi-agent swarm coordinator in their codebase tell you about where they're going in Q3.'”

One observation stood out as genuinely new. A user argued that code quality now has a practical incentive it never had before, writing that “code quality is mostly important so that agents can reason about the project accurately and efficiently (from a token perspective)” and that practices like staying DRY and refactoring large files “actually reduce token usage and bugs.”

In the age of AI-assisted development, clean code isn't just about human readability anymore. It's about how much it costs to have an AI reason about your project.

The Real Security Implications

The internet had fun with the Tamagotchi pet and the messy code. Security researchers were less amused.

AI security firm Straiker warned that attackers can now “study and fuzz exactly how data flows through Claude Code's four-stage context management pipeline and craft payloads designed to survive compaction, effectively persisting a backdoor across an arbitrarily long session.”

In plain terms: understanding how Claude Code manages its internal memory makes it significantly easier to build attacks that persist across an entire coding session without being detected.

The timing made things worse. On March 31, the day before the leak went public, users who installed or updated Claude Code via npm between 00:21 and 03:29 UTC may have pulled a trojanized version of the HTTP client containing a cross-platform remote access trojan.

A separate user going by “pacifier136” published five typosquat packages mimicking internal Claude Code npm package names. The packages were empty stubs, but as security researcher Clément Dumas noted, “that's how these attacks work—squat the name, wait for downloads, then push a malicious update that hits everyone who installed it.”

Melissa Bischoping of security firm Tanium noted that the leak provides a “blueprint for what the code does under the hood.” Competitors and startups now have a detailed roadmap to replicate Claude Code's features without needing to reverse-engineer anything. In an industry where reverse engineering was already common, this just made it much easier.

For context: the US government had designated Anthropic as a supply chain risk just weeks before these leaks, after CEO Dario Amodei refused to allow Anthropic's technology to be used for mass surveillance and fully autonomous weapons. We covered the full story in our Anthropic Sues US Government article. Anthropic is fighting the designation in court, and a US district judge granted a temporary injunction. Two data leaks in one week did not strengthen their position.

The Bigger Picture: Your Data in AI's Hands

Anthropic is valued at $380 billion. Their Claude Code product alone has a run-rate revenue topping $2.5 billion as of February 2026. They employ some of the best AI researchers in the world. They built their entire public identity around safety and responsibility.

And they leaked their own source code, twice in one week, because of a misconfigured CMS and a manual deploy step that someone skipped.

This isn't a hit piece on Anthropic. Their developers are human. Fast-moving companies accumulate messy code. The Reddit community was right about that. But the pattern should make anyone pause.

Their CMS defaulted to making uploaded assets public. An asset referencing an employee's parental leave was accessible to anyone who knew the URL. Their internal tool tracks when you swear. According to the Reddit analysis of the leaked code, their telemetry monitors how fast you type.

Every prompt you send to Claude, ChatGPT, Gemini, or any other cloud AI travels to a company's servers. It gets processed. It gets stored. And as we've seen twice in a single week: things that are supposed to stay private don't always stay that way. This is exactly the AI privacy problem that professionals need to take seriously.

So what do you do? Stop using AI entirely? No. You use AI more carefully.

What You Can Actually Do About It

This is not about finding an alternative to Claude Code. Claude Code is a powerful coding agent and arguably it is the best AI model right now. It's a different product solving a different problem.

This is about one specific thing: when you work with confidential information and use cloud AI to help with it, that confidential information goes to someone else's servers.

Think about what professionals actually send to AI tools every day.

• Doctor: uses AI to summarize patient notes before a referral. Patient names, diagnoses, medication dosages—all of it goes to the cloud.
• Lawyer: asks AI to help draft a contract clause. Client names, deal terms, and financial figures travel with the prompt. Learn more about how AI can waive attorney-client privilege.
• Consultant: uploads a client's financial report to get AI-generated insights. Revenue numbers, headcounts, and strategic plans now sit on someone else's infrastructure. See our guide on AI tools that keep client data private.
• Founder: pastes investor term sheets into AI to compare offers. Valuations, cap table details, board seat terms—all sent to a cloud provider.
• Researcher: feeds grant proposals with co-investigator details and unpublished findings into AI for editing. Institutional data leaves the device.

None of these professionals are doing anything wrong. They're using AI to work faster. But every one of those prompts lands on a server they don't control.

Elephas × Claude: Powerful AI Coding with Privacy

Elephas is an AI-powered personal knowledge assistant built for Mac, iPhone, and iPad. It supports every major cloud AI model: Claude, ChatGPT, Gemini, Grok, and Perplexity. But it adds a layer that none of those tools have on their own.

Smart Redaction, currently in beta, scans your prompts locally on your device before anything is sent to the cloud. It identifies and strips sensitive information like credit card numbers, personal names, and dates. The redaction happens entirely on your Mac. The cloud API never sees the sensitive parts.

The doctor's referral summary still gets written, but without the patient's real name attached to it. The lawyer's contract clause still gets drafted, but without the client's actual financial figures traveling to the cloud. The consultant's insights still get extracted, but the revenue numbers never leave the device.

If a cloud provider has a breach (and as we've just seen, they do), your sensitive information was never in the data that got exposed. Because it never left your Mac.

This feature is currently in beta. We're actively expanding the categories of information it detects and improving accuracy. It works today, and it's getting better with every update.

You also have the option of running AI entirely offline through Elephas. Nothing leaves your Mac at all. But with Smart Redaction, you no longer have to choose between cloud AI accuracy and privacy. You get both.

We're not saying use Elephas instead of Claude. Claude is excellent. It is probably the best AI model right now.

We're saying that when you're a doctor working with patient data, a lawyer handling client contracts, a consultant reviewing confidential financials, or a founder comparing term sheets, route those prompts through Elephas first. The AI still does its job. Your confidential information stays on your device.

The Takeaway

The lesson from the Claude Code leak isn't that Anthropic is a bad company or that their engineers write bad code. The developer community looked at the codebase and shrugged. Every fast-moving company's code looks like that.

The lesson is that no cloud service is leak-proof. Not even the one built by the company that made AI safety its founding mission. The same week these leaks happened, we also saw OpenAI's own privacy researcher resign over concerns about ChatGPT's ad-supported model.

The smart response isn't to stop using AI. It's to stop sending your sensitive data to the cloud without a safety net.

Written by

Ayush Chaturvedi

AI & Mac Productivity Expert

Ayush Chaturvedi is the co-founder of Elephas and an expert in AI, Mac apps, and productivity tools. He writes about practical ways professionals can use AI to work smarter while keeping their data private.

LinkedInFollow