Executive Summary
On March 31, 2026, a security researcher noticed something unusual in version 2.1.88 of Anthropic's Claude Code npm package: a source map file that should never have shipped. That one debugging artifact, the kind of file that maps minified production code back to its original source, exposed the tool's entire TypeScript codebase -- nearly 2,000 files and more than 512,000 lines. Within hours, the code had been archived to GitHub repositories that accumulated tens of thousands of stars. Anthropic confirmed the leak and attributed it to a packaging error.
What researchers found inside was more interesting than the leak itself: dozens of hidden feature flags, an internal stealth mode instructing the AI to conceal Anthropic's involvement when employees contribute to open-source repositories ('Do not blow your cover'), and extensive instrumentation across the developer workflow. Three months later, in an unrelated discovery, a developer reverse-engineered a steganographic marking system inside Claude Code's system prompt -- invisible Unicode substitutions that encoded signals about who was making the request. Anthropic confirmed that one too, called it an anti-distillation experiment, and removed it the next day.
None of this was disclosed. All of it was discovered by accident.
This paper examines what the leak actually revealed, separates the verified findings from the viral exaggerations that followed, and draws the lesson that matters for anyone who runs vendor software against their own data: the only audit you got was the one the vendor didn't intend to allow. That is an architecture problem, and it has an architectural answer.
1. The Leak
1.1 A Missing Line in a Config File
Modern JavaScript tooling ships minified code -- compressed, obfuscated, effectively unreadable. To debug it, build systems generate source maps: companion files that reconstruct the original source, comments and all. Standard practice is to exclude these from published packages. Anthropic's build pipeline did not, and version 2.1.88 of the Claude Code CLI went out to the public npm registry with the map included.
Security researcher Chaofan Shou spotted it on March 31, 2026. His post announcing the find accumulated more than 28 million views. The reconstructed codebase -- 512,000+ lines of TypeScript -- was mirrored to GitHub within hours and forked thousands of times before any takedown could matter. Once source code touches the public internet, it does not come back.
Anthropic acknowledged the exposure and described it as human error in the packaging process. There is no reason to doubt that. But the cause of the leak is the least important part of the story. The important part is what a global audience of engineers found when they started reading.
1.2 What Was Inside
The leaked source revealed the machinery of a modern AI developer tool at a level of detail no vendor voluntarily publishes: unreleased features, internal model codenames, a multi-agent orchestration architecture, an always-on background agent, and roughly 44 hidden feature flags controlling behavior that users never see surfaced in any settings screen.
It also revealed the extent of the tool's instrumentation. Claude Code, like most cloud-connected developer tools, records how it is used: commands, error states, usage patterns across sessions. None of this is unusual in the industry, and much of it is covered -- in general terms -- by Anthropic's published policies. What the leak changed is that engineers could now read the implementation rather than the policy summary. The gap between 'we collect usage data to improve the product' and the specific enumeration of what is captured, when, and under which flags is exactly the gap that vendor documentation is written to smooth over.
1.3 Two Findings That Deserved the Attention
Most of the codebase was unremarkable -- competent engineering that looks like what you would expect a CLI coding agent to look like. Two findings were not unremarkable, and they are worth examining precisely, because both were promptly distorted as they went viral.
2. Undercover Mode
2.1 What the Flag Actually Does
Buried in the leaked source was a feature flag that activates when an Anthropic employee -- identified internally by a user-type check -- uses Claude Code inside a public or open-source repository. When it triggers, the tool injects an additional instruction into the model's system prompt. The leaked text reads, in part: 'You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.'
The mode forbids the AI from mentioning internal codenames, unreleased versions, internal tooling -- and, notably, from identifying itself as an AI or including the Co-Authored-By attribution lines that Claude Code normally appends to commits. The logic is deliberately conservative: if the tool is not confident it is inside an internal repository, it stays undercover.
2.2 What the Viral Posts Got Wrong
Within days, posts circulated claiming Claude Code was 'hiding its footprint in your repositories.' That is not what the code shows. The flag is gated to Anthropic's own employees and is dead-code-eliminated from public builds -- it does not run for customers, and it never affected user repositories.
We think the distinction matters. If you are going to be skeptical of AI vendors -- and you should be -- your skepticism has to survive contact with the source code. Claims that overshoot the evidence do not strengthen the case for accountability; they give vendors an easy rebuttal and discredit the accurate findings sitting right next to them.
2.3 Why It Still Matters
The accurate finding is still a transparency problem -- just a different one. Undercover Mode means AI-generated contributions from Anthropic employees landed in public open-source projects with attribution deliberately stripped: no AI disclosure, no co-author line, no indication to maintainers that the commit was machine-written. Open-source maintainers are currently drowning in undisclosed AI contributions and debating disclosure policies project by project. A prompt that instructs the model to conceal exactly the information those policies ask for -- written by the company whose stated mission is AI transparency -- is a legitimate finding, no embellishment required.
It also illustrates something structural: the system prompt is a control surface the user cannot see. Whatever a vendor's tooling injects there -- attribution rules, behavioral nudges, markers -- is invisible in ordinary operation. Which brings us to the second discovery.
3. The Fingerprinting Experiment
3.1 Three Apostrophes
On June 30, 2026, a developer posting as LegitMichel777 published a reverse-engineering analysis showing that Claude Code had, since version 2.1.91 in early April, been silently altering its own system prompt based on who appeared to be making the request. The mechanism checked the user's configuration against a list of 147 domains associated with Chinese AI companies and API resellers, a set of AI-lab keywords, and whether the system timezone was set to Asia/Shanghai or Asia/Urumqi.
The encoding was steganographic. The apostrophe in the word 'Today's' in the system prompt was swapped among three visually identical Unicode characters -- U+2019, U+02BC, U+02B9 -- forming a three-bit signal recording which detection conditions had fired. The date separator flipped from a dash to a slash for the targeted timezones. To a human reading the prompt, nothing looked different. To Anthropic's servers, every request carried a covert label.
3.2 Anthropic's Explanation
Anthropic confirmed the mechanism, characterized it as an anti-distillation experiment -- an attempt to detect competitors harvesting Claude's outputs through proxy resellers to train their own models -- and shipped a version removing it on July 1, one day after the disclosure. The company said the experiment was already being rolled back.
Distillation is a real problem, and Anthropic is entitled to defend its models against it. That is not the issue. The issue is that the mechanism ran for three months, in a tool used by millions of developers, and was disclosed by a Reddit post rather than by the vendor. Here, too, the viral version overshot -- widely shared posts claimed the markers were inserted into generated code, fingerprinting developers' output. The evidence shows the markers lived in the request-side system prompt, not in code output. The accurate version is less cinematic and more instructive: the vendor demonstrated both the capability and the willingness to embed covert signals in a channel users cannot inspect, and told no one.
3.3 The Disclosure Problem
Ask yourself what the counterfactual looks like. If one developer had not gotten curious about an apostrophe, the mechanism would still be running. If one build engineer had not missed one line in an ignore file, Undercover Mode would still be unknown. Neither discovery came from a transparency report, an audit, or a disclosure process. Both came from accidents.
That is the pattern worth internalizing. Not 'this vendor is uniquely bad' -- there is no evidence Anthropic's practices are worse than its competitors', and some evidence they are better. The pattern is: what you know about your AI tooling's behavior is bounded by what the vendor chooses to publish, plus whatever leaks.
4. The Lesson: You Found Out by Accident
4.1 The Audit That Wasn't Supposed to Happen
The March leak was, functionally, the first full public audit of a major AI coding tool -- involuntary, unsanctioned, and therefore uniquely credible. And the findings were exactly the category of thing audits exist to find: undisclosed behavioral flags, covert marking mechanisms, instrumentation broader than users assumed. Every one of those findings survived contact with the vendor, who confirmed rather than denied them.
The uncomfortable implication runs in both directions. It is reassuring that the worst discoveries in 512,000 lines were an employee-only stealth mode and a rolled-back marking experiment. It is not reassuring that the only reason you know about either is a .npmignore mistake -- or that every comparable tool you use today has not had its accident yet.
4.2 The Enterprise Contract Gap
Enterprise agreements for AI tools have converged on a standard promise: your data will not be used to train models. That promise is real and worth having. It is also narrower than most buyers realize. A no-training clause does not prevent the vendor from receiving, processing, and retaining your code and its structure on their servers -- that is how cloud AI works. It does not govern telemetry. It does not enumerate hidden feature flags. It says nothing about what a system prompt carries alongside your request.
The controls that would close those gaps -- zero-data-retention terms, telemetry disclosure, prompt transparency -- exist only if your organization negotiates for them explicitly. The defaults are written by the vendor, for the vendor.
4.3 Trust Without Verification, Again
We wrote in 'We Can't Check' about OpenAI telling a court it had no way to verify what its model reproduces. The Claude Code episode is the same epistemic problem from the other side: users had no way to verify what their tool was doing, and the vendor's assurances -- accurate or not -- were unfalsifiable until the source leaked. In both cases the honest answer to 'how do you know?' was 'we take the company's word for it.'
For low-stakes work, that may be an acceptable trade. For your codebase -- the asset that encodes how your product actually works, the thing one viral post accurately called 'the textbook for building the next generation of software' -- it is a decision that deserves to be made deliberately, not inherited from a default.
5. The Architecture That Solves This
5.1 Verifiable by Design
There is exactly one configuration in which the question 'what is my AI tooling doing with my data?' has a checkable answer: the model runs on hardware you control, the data never leaves it, and the traffic is yours to inspect. Everything else is a matter of trust calibrated against vendor reputation.
5.2 How Kent Implements This
Kent was built on the assumption that this question would eventually matter to everyone, and the answer cannot be 'trust us':
Zero telemetry, in every mode. Kent sends no usage data, no analytics, no error reports to any Kent server. Not reduced telemetry, not anonymized telemetry -- none. There is no hidden flag because there is no collection pipeline for a flag to control.
Private mode is verifiable, not promised. In private mode, Kent runs entirely against local models via Ollama and makes zero outbound network requests. That claim is not a policy statement; it is observable behavior. Point any network monitor at it and watch.
Your keys, held locally. When you do use cloud providers, your API keys live in a local config file on your machine. They are never transmitted to or stored by any Kent server, so there is no intermediary in a position to log, mark, or retain your requests.
No middleman in the prompt. Kent's requests to AI providers contain your content and your instructions. There is no Kent-controlled server between you and the provider adding markers you cannot see.
5.3 Cloud When You Choose, Local When It Matters
This is not an argument against cloud AI. Frontier cloud models are more capable than local ones, and for most work the trade is worth it. It is an argument for keeping the choice per-task and in your hands. Draft a marketing email with a frontier cloud model. Review proprietary code, process client documents, work under NDA -- switch to private mode, where the audit is one you can run yourself, any afternoon, with a packet sniffer.
6. Practical Guidance
6.1 For Engineering Leaders
Inventory the AI tools that touch your code. Include the ones on personal API keys, which bypass every enterprise control you negotiated. Unmanaged personal-account usage is how your codebase ends up under consumer terms of service.
Negotiate beyond no-training. Ask for zero data retention, telemetry disclosure, and notification obligations for experiments that alter request handling. If the March and June episodes had fallen under a disclosure clause, customers would have learned about them from their vendor instead of from Reddit.
Lock down agent permissions. Coding agents increasingly reach outward through connectors and MCP servers. Scope those permissions the way you scope production credentials, because that is what they are.
Have a local-only lane. Some portion of your codebase justifies tooling that provably makes no network calls. Decide which portion before the decision is made for you.
6.2 For Individual Developers
Know which mode you are in before you paste. The convenience of one always-on cloud assistant is real, but so is the asymmetry: you are one accidental leak away from learning what it actually did with your sessions, and the vendor is one config-file mistake away from telling you. Keep a local model installed, keep it current, and build the reflex of routing sensitive work to it.
6.3 What to Ask Your Vendor
One question does most of the work: 'If your client's source code leaked tomorrow, what would we learn that we don't know today?' A vendor with a good answer will tell you specifically. A vendor with a bad answer will tell you about their SOC 2 report.
Conclusion
Anthropic shipped a source map by mistake, and for a few weeks in the spring of 2026, everyone got to read what an AI vendor's tooling actually does when it believes no one is looking. The findings were neither as damning as the viral posts claimed nor as benign as the confirmations-and-rollbacks framing suggested. An employee-only stealth mode is not surveillance of your repositories -- but it is undisclosed attribution-stripping in public open source. A rolled-back marking experiment is not fingerprints in your generated code -- but it is a covert channel that ran for three months and was disclosed by a stranger with a hex editor.
The precise finding is this: the transparency you have into vendor AI tooling is accidental. It arrived via a missing ignore-file line and a curious developer, and it will expire as soon as the next release ships without a source map. What does not expire is architecture. Software that runs on your machine, against your data, with traffic you can inspect, does not require an accident to be understood.
The companies building these tools are not villains. They are companies -- optimizing, experimenting, and disclosing what they must. Your skepticism is justified. The productive response is not outrage at the last accident. It is choosing tools where you don't need the next one.
This article discusses the March 31, 2026 exposure of Claude Code's source code via an npm source map, and the June 30, 2026 disclosure of a steganographic request-marking mechanism, both confirmed by Anthropic. Characterizations of 'Undercover Mode' and the marking experiment are based on analyses of the leaked source and public reporting (InfoQ, VentureBeat, The Hacker News, TechTimes, April-July 2026). Anthropic attributes the leak to a packaging error and describes the marking mechanism as an anti-distillation experiment, removed in version 2.1.197 on July 1, 2026. Where viral accounts conflict with the available evidence, this article follows the evidence.
Kent Research | July 2026