claw-code Hits 100K Stars After Claude Code Npm Leak
A missing .npmignore entry in Claude Code 2.1.88 exposed 512,000 lines of TypeScript source, spawned the fastest-growing GitHub repo ever, and revealed unshipped features Anthropic never announced.

On March 31, Anthropic published a statement describing the accidental exposure of Claude Code's full TypeScript source as "a release packaging issue caused by human error, not a security breach." No customer data, no credentials, no model weights. They were rolling out measures to prevent a repeat.
That framing isn't wrong, exactly. But it's also not the whole picture.
TL;DR
| Point | Summary |
|---|---|
| Claim | Anthropic: routine packaging error, no sensitive data exposed |
| Our Take | The leaked code uncovered a 24/7 background agent mode, anti-distillation traps, and 44 unshipped feature flags - none of which are "not sensitive" in the usual sense |
| Side effect | claw-code, a Rust rewrite of the leaked architecture, hit 100K GitHub stars in a single day - reportedly the fastest any repository has ever crossed that threshold |
| DMCA | Anthropic's takedown notices swept 8,100+ repos and accidentally hit forks of Anthropic's own public repos; Boris Cherny later retracted the bulk of them |
What They Showed
The incident traces back to Claude Code version 2.1.88, published to npm on March 31. Bun - the runtime Claude Code uses - generates source maps by default, embedding original TypeScript source directly in the sourcesContent field. Someone forgot to exclude cli.js.map before publishing. That file was 60 MB and contained roughly 1,900 TypeScript files totalling 512,000+ lines of code.
Security researcher Chaofan Shou spotted it the same day and the story landed on The Register. By the time Anthropic pulled the package, it had already been downloaded more than 50,000 times and mirrored across GitHub.
Screenshot showing the Claude Code source code exposure via the leaked npm source map.
Source: bleepingcomputer.com
Anthropic's response moved in two phases. First, the company filed a DMCA notice targeting a GitHub repo named nirholas/claude-code. Under GitHub's policy for large fork networks, the notice, which listed 97 specific forks, triggered a broader takedown that swept 8,100+ repositories in the network. That included forks of Anthropic's own legitimate public repositories. Boris Cherny, Anthropic's head of Claude Code, confirmed the overreach and retracted most of the notices on April 1.
The GitHub DMCA enforcement notice that disabled over 8,100 repositories, later partially retracted.
Source: bleepingcomputer.com
What We Tried
The raw source map is gone from npm. The GitHub forks targeted by the DMCA are mostly disabled. Reproducing the exposure now requires either a cached copy or the npm package itself from a registry mirror.
What's not gone is the analysis. The Engineers Codex published a detailed architecture breakdown based on code they looked at before it was pulled. Multiple researchers independently confirmed findings before the windows closed.
| Aspect | What was needed to reproduce |
|---|---|
| Access the source | npm install @anthropic-ai/claude-code@2.1.88 (no longer available) |
| Extract source | Open node_modules/@anthropic-ai/claude-code/cli.js.map, read sourcesContent field |
| Cost | Free, zero API access needed |
| Time window | ~12-24 hours before npm package removed |
| Skills required | Basic Node.js / JSON parsing |
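The exposure path above is just a JSON field read, so the defensive check is equally small. The following is an added example, not code from the article or from Anthropic: it audits a bundler source map for embedded originals via sourcesContent and gates a publish file list on `.map` entries. SAMPLE_MAP is a constructed v3 source map in the shape Bun and other bundlers emit, not the real cli.js.map.

```javascript
// Added example (not from the article or Anthropic): audit a source map for
// embedded original sources and gate the npm publish file list.
// SAMPLE_MAP is a constructed v3 source map standing in for a real cli.js.map.
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  sources: ['src/print.ts', 'src/query/engine.ts', 'node_modules/zod/index.js'],
  sourcesContent: [
    'export function print(s: string) {\n  console.log(s);\n}\n',
    'export async function query() {\n  return 1;\n}\n',
    null, // bundlers may omit content for some sources
  ],
  mappings: 'AAAA',
});

// Count source lines, treating a trailing newline as terminating the last line.
function countLines(text) {
  if (text.length === 0) return 0;
  const newlines = (text.match(/\n/g) || []).length;
  return text.endsWith('\n') ? newlines : newlines + 1;
}

// Report what a published .map would hand to a reader: which original files are
// embedded verbatim via sourcesContent, and how many lines of them.
function auditSourceMap(mapText) {
  const map = JSON.parse(mapText);
  if (map.version !== 3 || !Array.isArray(map.sources)) {
    throw new Error('not a v3 source map');
  }
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embedded = [];
  let totalLines = 0;
  contents.forEach((content, i) => {
    if (typeof content !== 'string') return;
    embedded.push(map.sources[i]);
    totalLines += countLines(content);
  });
  return { embedsSources: embedded.length > 0, embedded, totalLines };
}

// Mitigation 1: keep the map for stack traces but drop the embedded sources.
function stripSourcesContent(map) {
  const { sourcesContent, ...rest } = map;
  return rest;
}

// Mitigation 2: pre-publish gate over the file list that
// `npm pack --dry-run --json` reports; any .map in the tarball fails the release.
function sourceMapsInTarball(files) {
  return files.filter((f) => /\.map$/i.test(f));
}
```

Run the audit against the map your bundler emits and the gate against the dry-run file list in CI; either check alone would have flagged a 60 MB cli.js.map before publish.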
The architecture findings confirmed what anyone who had studied Claude Code's behavior had suspected. The runtime is Bun. The terminal UI runs React with Ink. Zod v4 handles validation throughout. OpenTelemetry and gRPC are lazy-loaded to keep startup fast. The query engine alone spans 46,000 lines.
One file, print.ts, is 5,594 lines long. Inside it sits a single function that runs to 3,167 lines at 12 levels of nesting. The comments all through the codebase read more like prompts written for AI agents to consume than documentation written for human engineers.
What the code contained beyond the obvious
The 44 feature flags embedded in the source are where things get interesting. More than 20 unshipped features are gated behind them. The most striking one is codenamed KAIROS - described internally as a "Proactive" mode.
The KAIROS system runs as a persistent background agent, evaluating "heartbeat" prompts asking whether there's "anything worth doing right now?" It has access to exclusive tools including push notifications, file delivery, and pull request subscriptions. A function called autoDream runs nightly to consolidate learning across sessions. The system aims to run through Friday-to-Monday cycles without user interaction.
This isn't how Anthropic has described Claude Code publicly.
The code also contains what look like anti-distillation mechanisms: fake tool definitions injected into system prompts as decoys, designed to corrupt competitor training runs that scrape Claude Code's API responses. There are also references to an autonomous payment system, though the implementation appears early-stage.
None of this is "customer data." But calling it non-sensitive stretches the word.
The Gap
The disconnect between Anthropic's framing and what the leak actually showed played out visibly in the community response.
The claw-code repository, created March 31, showing the star milestone that reportedly broke GitHub records.
Source: 36kr.com
The same day the leak broke, a developer named Sigrid Jin published claw-code - a clean-room Rust rewrite of the Claude Code architecture, built using oh-my-codex as an orchestration layer. Jin's stated goal was to reimplement the structural patterns without copying Anthropic's proprietary source, sidestepping copyright liability.
Claw-code crossed 100,000 GitHub stars in a single day. As of April 2 the repo sits at 119,000 stars and 102,000 forks. By any measure tracked publicly, that crossing speed has no precedent on GitHub.
The timing matters. The community wasn't just reacting to the architecture - they were reacting to the DMCA overreach. Anthropic's attempt to pull the code back triggered the Streisand effect at scale. Developers who had never paid attention to Claude Code's internals suddenly had a detailed architecture analysis in their feeds and a Rust rewrite to contribute to.
This isn't the first npm packaging failure to create a security moment for AI developer tooling. The Cline npm supply chain attack earlier this year showed how thin the margin is between a developer tool and a distribution vector. Claude Code has had prior RCE and API key theft vulnerabilities that put its security posture under scrutiny before this incident.
The DMCA's unintended catalog
There's an ironic detail buried in Anthropic's takedown notice. By listing 97 specific forks and asserting "the entire repository is infringing," Anthropic effectively created a public, timestamped catalog of mirror locations that GitHub's DMCA filing system preserves permanently. The notice itself is a public record. Anyone who wants to know which repos held copies of the leak can read the filing directly.
The DMCA process also uncovered that Anthropic's enforcement infrastructure doesn't distinguish between repositories holding leaked source and repositories that just share a fork network origin. That's a gap worth noting for any company using GitHub's DMCA tools for emergency takedowns.
Anthropic got the technical characterization right: no customer data, no credentials, no model weights. What the packaging error exposed was something different - the internal roadmap for where Claude Code is going, written in 512,000 lines of TypeScript for an audience that wasn't supposed to see it yet. Claw-code's 100,000-star day is a data point about what developers do with that kind of information when it lands in public.
Sources: The Register · TechCrunch · BleepingComputer · Engineers Codex · Engadget · GitHub DMCA notice · claw-code on GitHub
