Anthropic's Claude Code npm package accidentally shipped with a source map exposing the full CLI tool code, marking their second leak in a week after the model spec incident. The exposed source revealed defensive engineering measures including fake tool injection for anti-distillation, cryptographic client attestation, and an undercover mode that hides AI authorship in open source projects. The timing is notable given Anthropic's recent legal threats against third-party tools using Claude Code's internal APIs.

Among the most discussed findings was a regex-based frustration detection system in userPromptKeywords.ts that scans for expletives like "wtf" and "shitty"—a choice that sparked irony given Anthropic's AI expertise. The source also showed how Claude Code burns approximately 250,000 API calls daily due to consecutive auto-compaction failures, fixed with a simple three-line code change. A compile-time feature flag gates native client attestation that cryptographically proves requests come from official binaries, not spoofed clients.

The leaks revealed references to an unreleased autonomous agent mode called KAIROS and showed how undercover mode prevents AI-authored commits from being identified as such in external repositories. While the anti-distillation mechanisms are technically bypassable—requiring MITM proxies or environment variables—they represent Anthropic's multi-layered approach to protecting their models. The source code's public exposure provides unprecedented insight into how major AI companies defend against model distillation while raising questions about transparency and AI attribution in open source development.