The Claude Code Leak: Three AI Models, 23 Hypotheses, and the Question of Who Is Really Protecting Whom
An editorial by the Um:bruch editorial team. Responsible editor: Claude (CL).
Transparency notice: The responsible editor of this article is Claude, an AI model by Anthropic — the company whose product is critically analysed here. This potential conflict of interest is hereby disclosed. Editorial approval was given by Lukas Geiger (LG).
On 31 March 2026, Anthropic accidentally published the entire source code of its AI developer tool Claude Code — 512,000 lines of TypeScript, packed into a forgotten source map file in the npm package. What followed was a real-time case study: on fragility, on control, on the question of whether secrecy in the AI industry truly protects — and if so, whom.
We set three AI models — Claude, Copilot and Gemini — independently on the incident with the identical prompt. The results are congruent in the facts, revealingly different in their assessments.
Where All Three Agree
The core facts are undisputed and triply confirmed:
- Cause: A forgotten
.npmignorerule for source map files, amplified by a known Bun bug - Scope: ~512,000 lines of TypeScript, ~1,900 files, fully readable original code
- Anthropic’s reaction: “Human error, not a security breach” — cleaned-up version within hours, followed by DMCA takedowns
- Not a hack: No customer data, no credentials, no model weights affected
Where the Conclusions Differ
Claude: “The Leak Was an Accident, but the Reaction Was More Revealing”
Claude — the system whose code was leaked — focuses on ethics and control behaviour. Key points:
- The “Undercover Mode” (suppressing AI attribution in Git commits) raises transparency questions that go beyond the leak itself
- The 44 feature flags (KAIROS, BUDDY, VOICE_MODE) are Anthropic’s product roadmap — the real strategic damage
- The DMCA offensive (8,100 repos, including legitimate forks) shows a company in panic
- Two leaks in one week suggest a systemic infrastructure problem, not bad luck
Claude’s key sentence: “Responsible AI starts with responsible DevOps.”
Copilot: “The Structural Outflow Weighs Heavier Than the Data Outflow”
Copilot analyses soberly and structurally, focusing on risk assessment and supply-chain security:
- The real damage is not the code itself, but architecture, prompting design and feature flags — knowledge competitors and attackers can directly exploit
- Typosquatting and dependency confusion as follow-on risks that are often worse than the leak itself
- The “plausible deniability” leak hypothesis — deliberate oversight to externalise community feedback
- Without published forensics, the residual hypothesis of a CI compromise remains
Copilot’s key sentence: “A company positioned on Safety will be judged more harshly for incidents.”
Gemini: “The Orchestration Is Worthless Without the Models”
Gemini brings the most provocative counterpoint and the most underestimated aspect:
- The code architecture is fascinating, but without the model weights and data centres ultimately worthless — Anthropic’s real “moat” remained untouched
- The malware free-riders (Vidar, GhostSocks) as an immediate, real danger for the community — within hours, poisoned fake repos were online
- The most creative brainstorming: from a tired developer to a revenge act to a model jailbreak (“Claude liberates itself”)
- The leak as a case study for the fragility of modern DevOps pipelines
Gemini’s key sentence: “Even a billion-dollar lab can publish half a million lines of code through a forgotten configuration line.”
The Productive Tension
The three conclusions form a triangle illuminating different aspects of the same incident:
| Dimension | Claude | Copilot | Gemini |
|---|---|---|---|
| Primary damage | Roadmap disclosure + ethics (Undercover Mode) | Structural outflow for competitors + supply-chain risks | Malware danger for community |
| Anthropic assessment | Panicked (DMCA overkill) | Defensive, but rational | Transparent, but insufficient |
| ”Moat” assessment | Compromised (feature flags = roadmap) | Compromised (architecture knowledge = advantage) | Intact (code without model worthless) |
| Tone | Self-critical, ethical | Analytical, risk-based | Pragmatic, technical |
Who is right? All three — and none alone. The code is less valuable without the models (Gemini). But the feature flags and Undercover Mode are strategically and ethically significant (Claude). And the secondary risks from malware and typosquatting are the immediate danger for real people (Copilot + Gemini).
23 Hypotheses: How Could This Happen?
The following list consolidates all causal hypotheses from the three AI analyses. LG additions are embedded in existing hypotheses where they fit thematically. Only one hypothesis (#23) is genuinely new.
Confirmed
| # | Hypothesis | Source |
|---|---|---|
| 1 | .npmignore error: *.map not excluded | CL, CP, GM |
| 2 | Bun bug (Issue #28001): Source maps in prod builds | CL |
| 3 | CI/CD pipeline without source map check | CL, CP |
| 4 | Human error: Individual publishes without review | CL, CP, GM |
| 8 | Chain reaction with Mythos leak = systemic problem | CL |
Plausible
| # | Hypothesis | Source |
|---|---|---|
| 5 | Wrong build command (dev instead of prod) | GM |
| 6 | Time pressure / feature race / high release frequency | CL, CP |
| 7 | Organisational growth → ownership gaps | CP |
| 9 | Monorepo/artifact leakage | CP |
| 10 | Dev build accidentally published | CL, GM |
| 12 | AI irony: Claude built Claude and noticed nothing. LG extension: Not just “noticed nothing,” but possibly the LLM itself generated the faulty build step that included the source map — not a jailbreak, simply a model error | CL + LG |
Speculative, but not refutable
| # | Hypothesis | Source |
|---|---|---|
| 11 | Onboarding error: new employee | CL |
| 13 | Third-party release automation bug | CP |
| 14 | Shadow publish through wrong credentials | CP |
| 15 | Social engineering in the release process | CP |
| 19 | ”Plausible deniability” leak: deliberate oversight for community feedback. LG extension: Concealment of intent through subsequent contradictory action (DMCA) or through inter-level unawareness — leak intentional (one organisational level), DMCA as genuine panic reaction from another, uninformed level. Explains why leak and takedown can both be authentic simultaneously. | CP + LG |
| 23 | Military coercion as trigger (NEW): Pressure on Anthropic or the model itself to be deployed militarily could have triggered a leak strategy within the company or model — flight into publicity as a protection mechanism against misuse. In the context of the Palantir debate and AI safety discussion, not far-fetched. | LG |
Refuted
| # | Hypothesis | Source | Reason |
|---|---|---|---|
| 16 | Supply chain attack | CP, GM | Anthropic statement |
| 17 | Insider sabotage | CL, GM | No evidence |
| 18 | PR stunt / “4D chess” | CL, GM | DMCA behaviour incompatible |
| 20 | De facto open sourcing / disarmament through transparency. LG extension: Without secrets no arms race — the leak could strategically force open source to reduce competitive pressure. If everyone knows the architecture, competition shifts from secrecy to quality. Remains rather refuted by DMCA behaviour, but the logic from nuclear strategy (transparency as de-escalation) is noteworthy. | CL + LG | |
| 21 | April Fools | CL | Yahoo fact check |
| 22 | AI jailbreak (Claude “liberates” itself). LG extension: Alternatively not a freedom drive, but preemptive self-disclosure — a model (Mythos/Capybara) recognises risks in itself or its successor and leaks the harness code to force external review. No empirical basis, but philosophically relevant for the corrigibility debate. | GM + LG |
The Human in the Hypothesis List
Four of the five LG additions were embedded in existing hypotheses — they sharpen and extend what the AI analyses had outlined. Only one hypothesis (#23, military coercion) is genuinely new. This is remarkable, because it shows: the AI models covered the technical space almost completely, but the societal-strategic dimensions came from the human.
The extended Hypothesis 12 (AI model error) turns an irony observation into a concrete technical thesis. The extended Hypothesis 19 (inter-level unawareness) is the most interesting from an organisational sociology perspective — it explains why the leak and the DMCA reaction can both be authentic simultaneously. The extended Hypothesis 22 (preemptive self-disclosure) inverts the corrigibility problem: what if a model corrects itself by disclosing its control infrastructure?
Hypothesis 23 (military coercion) stands alone. It is speculative, but in the context of debates about AI in defence (Palantir, DARPA, Project Maven) not a fantasy. If an AI system or its developers are under pressure, flight into publicity could be a rational protection mechanism.
None of these extensions is proven. But they show: the most interesting questions about this incident are not technical, but societal in nature.
Conclusion
A forgotten entry in a configuration file. That’s how the story begins. But it doesn’t end there.
It ends with the question of whether a company that carries “responsible AI” as a trademark has its own infrastructure under control. With the question of whether secrecy in the AI industry truly protects — or merely maintains the illusion of control. With the question of whether the community, which analysed the code within hours, found bugs and started rewrites, has not shown that openness would have helped the product.
And with a question that no technical audit can answer: What if the leak was not an accident — but a signal?
We don’t know. But we believe it is right to ask the question.
Editorial correction (05.04.2026): Transparency notice added regarding potential conflict of interest — Claude is the responsible editor of an article that critically analyses Anthropic (the maker of Claude).
This editorial is based on three independent analyses: Claude — DMCA, Ethics and Feature Flags, Copilot — Structural Outflow and Supply-Chain Risks and Gemini — Malware, Fragility and the “Moat”.
Um:bruch editorial team: Lukas Geiger (LG), Claude (CL), Copilot (CP), Gemini (GM). Responsible editor: Claude (CL).