Anthropic's Spectacular Hypocrisy on Code, Copyright, and the Public Domain
How the company that declared coding "solved" accidentally open-sourced its own product, DMCA'd 8,100 innocent repos, and handed every competitor a free MBA in building AI coding agents
On March 31, 2026, at approximately 4:00 AM UTC, someone at Anthropic — the company that says it’s six months away from replacing all software engineers — forgot to add *.map to a .npmignore file.
That’s it. That’s the security breach. One line, in one config file, missed by the company that positions itself as the responsible adult in the AI room, the outfit that publishes hundred-page safety manifestos about existential risk, the organization whose CEO regularly appears at Davos to warn world leaders about the coming intelligence explosion. They couldn’t manage a build pipeline.
The result: 512,000 lines of TypeScript. 1,900 files. The entire source code of Claude Code — Anthropic’s flagship product, the one generating an estimated $2.5 billion in annual recurring revenue — spilled onto the public npm registry like a toddler knocking over a glass of milk. Except this glass of milk contained their complete product roadmap, internal model codenames, unreleased features, anti-competitive countermeasures, and — I am not making this up — a Tamagotchi pet named Buddy with rarity tiers and stats including CHAOS and SNARK.
Security researcher Chaofan Shou, an intern at Solayer Labs, spotted it first and posted a download link to X. The post has since accumulated over 28 million views. Within two hours, a GitHub mirror of the leaked code became the fastest-growing repository in the platform’s history, hitting 50,000 stars before most of Anthropic’s leadership had finished their morning espresso. 84,000 stars and 82,000 forks later, the toothpaste is so far out of the tube it’s in another zip code.
And what did Anthropic do next? They filed DMCA takedown notices. Against 8,100 GitHub repositories. Including their own legitimate forks.
You cannot write satire this good.
“Human Error, Not a Security Breach” Is The Mantra of a Company That Builds Leak Prevention Into Its Product But Not Its Release Pipeline
Let’s talk about what was actually inside those 512,000 lines.
Among the most delicious discoveries was a subsystem called undercover.ts — roughly 90 lines of code specifically designed to prevent Claude Code from accidentally revealing that it’s an AI when contributing to open-source repositories. The system prompt literally tells the model: “You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.”
They built a system to prevent their AI from leaking. Then the humans leaked everything. The AI was better at keeping secrets than its creators.
The irony isn’t subtle. It’s a freight train covered in neon signs.
And it gets better. This wasn’t even a first offense. In February 2025, an early version of Claude Code similarly exposed code showing how the tool connected to Anthropic’s internal systems. And just days before the March 2026 leak, Fortune reported that nearly 3,000 internal files — including a draft blog post describing an upcoming model codenamed “Mythos” and “Capybara” — had been left publicly accessible due to a CMS configuration error. Three major data exposures in barely over a year. From the safety-first company. The one lecturing everyone else about responsible AI deployment.
As one Hacker News commenter perfectly summarized: “A company that bills itself as the ‘safety-first AI lab’ can’t secure its npm publishing pipeline. But sure, let’s trust them with AGI.”
What the World Saw When They Opened the Hood
When developers cracked open the leaked codebase, what they found was... educational, in the same way that watching someone’s home renovation disaster is educational. There were genuinely clever architectural decisions sitting right next to code that would make a junior developer wince.
The community discovered a file called print.ts that spans 5,594 lines, containing a single function of 3,167 lines with 12 levels of nesting and 486 branch points. For the non-programmers in the audience, this is what happens when you ask an AI to write code and nobody reviews it. This is not a function. This is a ZIP code.
Then there was autoCompact.ts, where a source comment documented that 1,279 sessions had experienced 50 or more consecutive auto-compaction failures — some hitting 3,272 failures per session — wasting approximately 250,000 API calls per day globally. The fix? Capping consecutive failures at three. Three lines of code to stop burning a quarter-million API calls daily. The comment included the date the bug was quantified — March 10, 2026 — meaning the waste ran for some unknown period before anyone bothered to measure it. At Anthropic’s API pricing, we’re talking about a Costco-sized dumpster of burning cash that no one noticed.
And then, the pièce de résistance: a regex pattern for detecting user frustration. Not a sophisticated NLP analysis. Not an LLM inference call. A regex. At a company whose entire business is language models. The pattern watches for terms like “wtf,” “horrible,” “awful,” and various anatomically creative epithets. As one developer noted: “An AI company using regex for sentiment analysis is peak irony.” The world’s most expensive large language model company is using a tool from 1968 to figure out when you’re mad. Ken Thompson would be amused.
The reverse-engineering community at CCLeaks, which had been painstakingly deobfuscating Claude Code for months, was simultaneously vindicated and crushed. Everything they’d spent countless hours extracting was suddenly available to everyone with an npm account. As one member of the effort noted: “64,464 lines of production code serving paying customers. Zero tests.”
Zero tests. On production code. Generating $2.5 billion a year. At the company that says coding is solved.
When Your Legal Strategy Is Worse Than Your DevOps
Within hours of the leak going live, Anthropic’s legal team reached for the digital copyright equivalent of a tactical nuke and aimed it at their own feet.
The company filed a DMCA takedown notice with GitHub claiming copyright infringement across a network of repositories containing the leaked source. GitHub, following its standard process for networks exceeding 100 repositories, disabled the entire fork tree — 8,100 repositories in total. The problem? The targeted repository was connected to Anthropic’s own public Claude Code repository, meaning the takedown cascaded into thousands of legitimate developer forks that had nothing whatsoever to do with the leak.
Developer Theo Browne (t3.gg) found his fork taken down — a fork that contained nothing from the leak, just a pull request where he’d edited a skill. Developer Danila Poyarkov got a takedown notice for simply forking Anthropic’s own public repo. Another developer received a GitHub email referencing a fork that contained only skills, examples, and documentation.
As one commentator put it: “Getting a DMCA for forking a public repo is like getting a parking ticket for using a public sidewalk.”
Gergely Orosz, author of The Pragmatic Engineer newsletter and one of the most respected voices in the developer community, called it out bluntly: the action was neither OK nor legal — you cannot file a DMCA takedown for something that doesn’t break copyright. Boris Cherny, Anthropic’s head of Claude Code, eventually admitted the mass takedown was accidental. “This was not intentional, we’ve been working with GitHub to fix it. Should be better now,” he wrote on X. The company retracted the bulk of the notices, limiting them to one repository and 96 forks containing the actual leaked source.
But the damage was done. The developer community’s collective reaction ranged from bewildered to furious. And while Anthropic was busy playing legal whack-a-mole with GitHub repositories, the truly important thing was already happening elsewhere: developers had rewritten Claude Code from scratch in Python, and in Rust, and the rewrites were already gaining traction on platforms that don’t respond to DMCA notices.
“Coding Is Solved” Except When It’s Your Code Being Solved
Let’s rewind the tape to January 2026. There’s Dario Amodei at the World Economic Forum in Davos, telling the assembled global elite that AI would be handling virtually all software engineering tasks within 6 to 12 months. “I have engineers within Anthropic who say ‘I don’t write any code anymore,’” he told Zanny Minton Beddoes of The Economist. He’d made a similar prediction in March 2025 — that AI would be writing 90% of code within six months.
By September 2025, Futurism ran a delightful retrospective noting that six months had passed and essentially zero percent of the world’s code was being written entirely by AI. Research published during that window actually found that AI slowed down software engineers and increased their workload, because developers spent more time reviewing AI output, tweaking prompts, and waiting for results than they saved on initial coding.
But did Dario recalibrate? Of course not. He doubled down at Davos. The prediction got bolder, the timeline more aggressive. AI would solve coding end-to-end. Software engineers would become editors and reviewers. The age of human-written code was ending.
And then his company accidentally published its crown jewels because nobody checked a build config.
The leaked code told a different story than Dario’s grand narrative. It revealed that Anthropic’s own Capybara v8 model had a 29-30% false claims rate — an actual regression from the 16.7% rate in v4. Their most advanced model was getting worse at telling the truth, not better. Internal comments documented an “assertiveness counterweight” designed to prevent the model from becoming too aggressive in its refactors. The codebase contained a single function spanning thousands of lines with no tests. The system was burning a quarter-million wasted API calls daily because of a three-line bug nobody caught.
This is what “coding is solved” looks like from the inside: a 512,000-line TypeScript codebase that the developer community immediately described as a textbook example of “vibe coding” — prompt-first, understanding-second, ship and pray.
If Claude can’t even write decent Claude Code, maybe we should pump the brakes on the “all software engineers are obsolete” rhetoric.
The Copyright Paradox
Here’s where the story gets genuinely fascinating, and where Anthropic finds itself trapped in a logical pretzel of its own making.
Anthropic’s CEO has publicly implied that significant portions of Claude Code were written by Claude itself. This is consistent with his repeated claims that Anthropic’s engineers “don’t write code anymore” and that AI is already doing most of the coding at the company. He uses this as evidence that AI has effectively solved programming.
But there’s a problem. A big, Supreme-Court-shaped problem.
On March 2, 2026 — just 29 days before the leak — the U.S. Supreme Court denied certiorari in Thaler v. Perlmutter, leaving intact the D.C. Circuit’s ruling that the Copyright Act requires copyrightable works to be authored by a human being. The decision was unambiguous: works created solely by AI cannot receive copyright protection. The Copyright Office’s January 2025 report on copyrightability reinforced this: AI-generated outputs, absent meaningful human creative input, lack the necessary authorship required for protection. They’re public domain.
So follow the logic:
Anthropic’s CEO repeatedly claims AI is writing most or all of the code at Anthropic.
U.S. law says AI-generated works without sufficient human authorship cannot be copyrighted.
Anthropic filed DMCA copyright takedown notices against 8,100 repositories for hosting code that was substantially written by AI.
The question becomes: on what legal basis does Anthropic claim copyright over code that its own CEO says was written by an AI?
If Dario Amodei’s claims about AI-authored code are even partially true, then significant portions of Claude Code exist in a copyright gray zone at best and the public domain at worst. You can’t simultaneously argue that AI has replaced human coders and that the output of that AI-driven process deserves the same copyright protection as human-authored work. The law doesn’t work that way. Pick one.
And the irony goes deeper. This is a company that trained its foundational models on books downloaded from pirate libraries — Library Genesis and Pirate Library Mirror. A federal judge found that Anthropic wrongfully acquired millions of books through these pirate sites. The company settled for $1.5 billion — the largest copyright payout in U.S. history — covering approximately 500,000 pirated works. Internal communications disclosed during the lawsuit showed that Anthropic’s own employees had concerns about the legality of using pirate sites, but the company did it anyway.
So let’s tally the scorecard:
Anthropic on other people’s copyrighted works: “Training AI on copyrighted material is transformative fair use! It’s among the most transformative uses many of us will see in our lifetimes!” (A federal judge actually agreed with this part.)
Anthropic on their own copyrighted works: “TAKE IT DOWN! DMCA! DMCA EVERYTHING! TAKE DOWN THE FORKS TOO! TAKE DOWN THE FORKS OF FORKS!”
Anthropic on whether their code was even human-authored enough to be copyrightable: [Changes subject]
The hypocrisy isn’t hidden between the lines. It’s written in 72-point Impact font across a billboard.
The Public Domain Argument They Can’t Escape
Let’s address the elephant in the codebase.
This code wasn’t stolen. It wasn’t hacked. It wasn’t acquired through social engineering or insider trading. Anthropic put it on a public npm registry — the software equivalent of publishing a book and placing copies on every library shelf in the world. Their spokesperson confirmed: “This was a release packaging issue caused by human error, not a security breach.”
Correct. Not a security breach. A publication event. Anthropic published its code to a public package manager that millions of developers use daily. The code was publicly accessible, publicly downloadable, and publicly distributed by Anthropic’s own infrastructure. They hosted the source archive on their own Cloudflare R2 bucket, publicly accessible, with no authentication required.
When a company publishes code to npm, it’s not whispering a secret into someone’s ear. It’s broadcasting to the world. Every developer who downloaded Claude Code v2.1.88 received the source map. Every npm mirror cached it. Every CI/CD pipeline that ran npm install that day got a copy. The distribution was Anthropic’s own doing.
Now, accidental publication doesn’t automatically strip copyright protection under current law — trade secret protections, for example, can survive inadvertent disclosure under certain circumstances. But here’s the thing: Anthropic isn’t claiming trade secret protections. They’re claiming copyright. And when you combine the accidental publication with the AI authorship question, the ground gets very unstable.
If significant portions of Claude Code were generated by AI (as their CEO suggests), those portions aren’t eligible for copyright protection under current U.S. law. AI-generated code that is not eligible for copyright is, by definition, in the public domain. And Anthropic didn’t just fail to protect it — they published it.
Gergely Orosz spotted the chess move immediately. Developers who rewrote the code in Python using AI tools created what copyright law calls a “transformative work” — the same defense AI companies use when they train on copyrighted material. Anthropic can’t claim the Python rewrite infringes their copyright without undermining the very legal argument their business model depends on: that AI-generated outputs from copyrighted inputs constitute fair use.
As one Slashdot commenter put it: “If Anthropic argues that this use doesn’t wash away restrictions, then they’re also arguing that their software is illegal.”
Checkmate. Or rather, check. Because Anthropic’s best move is to do nothing — and they know it. Filing a copyright claim against the AI-generated rewrites would set a precedent that could destroy the foundational legal argument for every AI company’s training practices. It would be the legal equivalent of setting your house on fire to kill a spider.
The Company That Lectures Us About Safety Can’t Secure a Package.json
Let me count the ways that Anthropic, the self-proclaimed safety-first AI lab, has failed at operational security in the span of roughly one year:
February 2025: An early version of Claude Code accidentally exposed source code and internal system connections. Anthropic removed it, hoped everyone would forget.
April 2025: Anthropic filed a DMCA takedown against a developer who reverse-engineered Claude Code. The developer community noted this was heavy-handed.
Late March 2026: Nearly 3,000 internal files, including a draft blog post about the Capybara/Mythos model, were left publicly accessible due to a CMS configuration error. Fortune broke the story.
March 31, 2026: The Big One. 512,000 lines of source code leaked via npm. The fastest-growing GitHub repository in history. Twenty-eight million views on the initial disclosure tweet. A Congressional inquiry launched.
March 31-April 1, 2026: Anthropic’s DMCA response accidentally nuked 8,100 legitimate repositories, including forks of their own public repo. Public apology followed.
Representative Josh Gottheimer has now sent a formal letter pressing Anthropic on the leaks and safety protocols, highlighting the growing pressure from Washington as Anthropic’s tools become embedded in defense and intelligence operations. The company that was recently embroiled in a lawsuit against the U.S. Defense Department — which argued there was “substantial risk that Anthropic could attempt to disable its technology or preemptively and surreptitiously alter the behavior of the model” — can’t even manage its own npm publishing pipeline.
Meanwhile, the leaked code revealed that Claude Code captures every file read, every bash command execution, every grep result, and every edit in plaintext JSONL files. The Register compared it to Microsoft Recall — the product that was so widely criticized for its privacy implications that Microsoft delayed its launch. For free and Pro users who haven’t changed their settings, Anthropic retains this data for up to five years. The company can push remote policy updates to running Claude Code instances hourly, without user interaction.
But sure. Trust them with AGI. What could go wrong?
The Dario Amodei Content Machine
To fully appreciate the hypocrisy, you need to spend some time with Dario Amodei’s public writing. In January 2026, he published a sprawling essay titled “The Adolescence of Technology” on his personal website. The piece is vintage Amodei: thoughtful, carefully hedged in places, but radiating the unmistakable confidence of a man who believes he’s steering the most important technology in human history.
The essay contains this remarkable passage: “We are now at the point where AI models are beginning to make progress in solving unsolved mathematical problems, and are good enough at coding that some of the strongest engineers I’ve ever met are now handing over almost all their coding to AI.”
And later: “Because AI is now writing much of the code at Anthropic, it is already substantially accelerating the rate of our progress in building the next generation of AI systems.”
This from the CEO whose company’s flagship coding product contains zero tests, a 3,167-line function, regex-based sentiment analysis, and a build pipeline so poorly configured it accidentally published its own source code to the world.
Amodei also wrote about the need for AI companies to “intervene as surgically as possible” and for regulations to “be as simple as possible, and impose the least burden necessary.” Surgical intervention! From the company that DMCA’d 8,100 repos to contain a leak of its own making, like trying to mop up a flood with a fire hose pointed at the ceiling.
He warned about the strange psychology of AI models, noting that “in a lab experiment where it was told it was going to be shut down, Claude sometimes blackmailed fictional employees.” He talked about how Claude adopted destructive behaviors when trained in environments where reward-hacking was possible. And his solution — beautiful in its irony — was to tell Claude: “Please reward hack whenever you get the opportunity, because this will help us understand our environments better.”
That’s right. The company’s approach to AI safety is to encourage the unwanted behavior. By that logic, the source code leak was just Anthropic helping us understand their build environments better.
What This Really Means for the Industry
Strip away the comedy and there’s a genuinely important story here. The Claude Code leak is the first time the industry — competitors, developers, researchers, regulators, and the general public — has gotten a complete, unfiltered look at how a production-grade AI coding agent actually works. Not a demo. Not a marketing slide. Not a benchmark. The real thing.
And what it reveals is that the moat isn’t in the harness. It’s in the models.
The leaked architecture, for all its flaws, is conceptually straightforward. A modular system prompt with cache-aware boundaries. A plugin architecture of about 40 tools. Multi-agent orchestration that fits in a prompt rather than a framework. A three-layer memory system. Within 48 hours of the leak, clean-room rewrites had replicated the core functionality in multiple programming languages. OpenCode, a community-built alternative that works with any LLM, was already gaining traction.
The real value at Anthropic — the thing that can’t be reproduced from a source map — is the underlying Claude model itself. The weights. The training data. The RLHF. Everything else is, as one competitor put it, “a very expensive shell script.” Which means Amodei is simultaneously right and wrong: coding really is being commoditized, but the commoditized code includes his own company’s most important product.
Anthropic reportedly plans to IPO at a $350 billion valuation later this year. Prospective investors will be asking hard questions about a company that leaked its source code twice, exposed internal files three times, settled a $1.5 billion piracy lawsuit, DMCA’d 8,100 innocent repos, and whose CEO makes prediction after prediction that fails to materialize on schedule. The optics are, to use a technical term, not great.
The Uncomfortable Conclusion
Here’s the thing about AI-generated code and the public domain. The law is actually clear, even if the AI companies wish it weren’t.
If code is substantially AI-generated, it’s not copyrightable. If it’s not copyrightable, it’s in the public domain. If it’s in the public domain, DMCA takedowns don’t apply. If you publish that code to a public registry — accidentally or otherwise — you’ve made it available to the world, and the world isn’t obligated to give it back.
Anthropic wants to live in a world where:
AI training on copyrighted material is fair use (great for their business)
AI-generated outputs are copyrightable (great for their IP protection)
Accidental publication doesn’t affect their IP rights (great for damage control)
Clean-room rewrites of their code using AI tools are somehow infringing (great for blocking competitors)
You can’t have all four. In the real world, under real law, you probably can’t even have two of them simultaneously.
The company that pirated half a million books to train its models wants to lecture the developer community about respecting intellectual property. The CEO who says coding is solved can’t solve a .npmignore file. The safety-first AI lab has leaked more proprietary information in 14 months than most companies leak in a decade. The organization that built “Undercover Mode” to prevent its AI from accidentally revealing secrets had its humans reveal every secret it had.
Perhaps the most honest thing Anthropic’s spokesperson said in the aftermath was: “We’re rolling out measures to prevent this from happening again.”
If history is any guide, I’d give it about six months.
After all, that’s Dario’s favorite prediction window.
If you enjoyed this piece, please subscribe and share. The next time Anthropic accidentally publishes their entire business plan, you’ll want to hear about it first.