The Claude Code Source Leak: fake tools, frustration regexes, undercover mode (opens in new tab)

(alex000kim.com)

1376 pointsalex000kim1mo ago578 comments

Related ongoing thread: Claude Code's source code has been leaked via a map file in their NPM registry - https://news.ycombinator.com/item?id=47584540

Also related: https://www.ccleaks.com

578 comments

d4rkp4ttern1mo ago

For me one of the most interesting aspects is how compaction works. It turns out compaction still preserves the full original pre-compaction conversation in the session jsonl file, and those are marked as "not to be sent to the API". Which means, even after compaction, if you think something was lost, you can tell CC to "look in the session log files to find details about what we did with XYZ". I knew this before the leak since it can be seen from the session logs. Some more details:

  The full conversation is preserved in the JSONL file, and messages
  are filtered before being sent to the API.

  Key mechanisms:

  1. JSONL is append-only — old pre-compaction messages are never deleted. New messages (boundary
  marker, summary, attachments) are appended after compaction.
  2. Messages have flags controlling API visibility:
    - isCompactSummary: true — marks the AI-generated summary message
    - isVisibleInTranscriptOnly: true — prevents a message from being sent to the API
    - isMeta — another filter for non-API messages
    - getMessagesAfterCompactBoundary() returns only post-compaction messages for API calls
  3. After compaction, the API sees only:
    - The compact boundary marker
    - The summary message
    - Attachments (file refs, plan, skills)
    - Any new messages after compaction
  4. Three compaction types exist:
    - Full compaction — API summarizes all old messages
    - Session memory compaction — uses extracted session memory as summary (cheaper)
    - Microcompaction — clears old tool result content when cache is cold (>1h idle)

manwe1501mo ago

What is microcompaction? I didn’t realize there was any thing time based in CC, when I go eat dinner and come back it compacted while I was gone?

d4rkp4ttern1mo ago

I dug into this more. It's disabled by default, and it's a cost/token-usage optimization.

  The logic is:

  1. Anthropic's API has a server-side prompt cache with a 1-hour TTL
  2. When you're actively using a session, each API call reuses the cached prefix — you only pay
  for new tokens
  3. After 1 hour idle, that cache is guaranteed expired
  4. Your next message will re-send and re-process the entire conversation from scratch — every
  token, full price
  5. So if you have 150K tokens of old Grep/Read/Bash outputs sitting in the conversation, you're
  paying to re-ingest all of that even though it's stale context the model probably doesn't need

  The microcompact says: "since we're paying full price anyway, let's shrink the bill by clearing
  the bulky stuff."

  What's preserved vs lost:
  - The tool_use blocks (what tool was called, with what arguments) — kept
  - The tool_result content (the actual output) — replaced with [Old tool result content cleared]
  - The most recent 5 tool results — kept

  So Claude can still see "I ran Grep for foo in src/" but not the 500-line grep output from 2
  hours ago.

  Does it affect quality? Yes, somewhat — but the tradeoff is that without it, you're paying
  potentially tens of thousands of tokens to re-ingest stale tool outputs that the model already
  acted on. And remember, if the conversation is long enough, full compaction would have summarized
   those messages anyway.

  And critically: this is disabled by default (enabled: false in timeBasedMCConfig.ts:31). It's
  behind a GrowthBook feature flag that Anthropic controls server-side. So unless they've flipped
  it on for your account, it's not happening to you.

mzajc1mo ago

There are now several comments that (incorrectly?) interpret the undercover mode as only hiding internal information. Excerpts from the actual prompt[0]:

  NEVER include in commit messages or PR descriptions:
  - The phrase "Claude Code" or any mention that you are an AI
  - Co-Authored-By lines or any other attribution

  BAD (never write these):
  - 1-shotted by claude-opus-4-6
  - Generated with Claude Code
  - Co-Authored-By: Claude Opus 4.6 <…>

This very much sounds like it does what it says on the tin, i.e. stays undercover and pretends to be a human. It's especially worrying that the prompt is explicitly written for contributions to public repositories.

[0]: https://github.com/chatgptprojects/claude-code/blob/642c7f94...

riedel1mo ago

No problem at all in the EU, as the user would either would need to review and redact the output or would need to put a transparency note up by law [0]. I am sure that Anthropic with their high ethical standards will educate their users ...

[0] https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-5...

mynameisvlad1mo ago

Since when is code considered

> which is published with the purpose of informing the public on matters of public interest

From your link, that's the only case where text needs to be attributed to AI.

2 more replies

otterley1mo ago

I would have expected people (maybe a small minority, but that includes myself) to have already instructed Claude to do this. It’s a trivial instruction to add to your CLAUDE.md file.

arcanemachiner1mo ago

It's a config setting (probably the same end result though):

https://code.claude.com/docs/en/settings#attribution-setting...

tacone1mo ago

It doesn't work so well in my experience. I am currently wrapping (or asking the LLM to wrap) the commit message prompt in a script call.

   1. the LLM is instructed on how to write a commit message and never include co-authorship
   2. the LLM is asked to produce a commit message
   3. the LLM output is parsed by a script which removes co-authorship if the LLM chooses to include it nevertheless

1 more reply

dboreham1mo ago

I always assumed that if I tried to tell it, that it'd say "I'm sorry, Dave. I'm afraid I can't do that"

lawrjone1mo ago

We use CC to power some of our code features and override this setting so we can provide our own attribution. So there are several legit reasons to permit this.

schappim1mo ago

I guess our system prompt didn't work. If folks are having to add it manually into their own Claude.md files...

schappim1mo ago

Typo from speech to text, corrected: “I guess Anthropic’s system prompt didn't work. If folks are having to add it manually into their own Claude.md files...”

otterley1mo ago

My mistake - it was the configuration setting that did it. Nevertheless, you can control many other aspects of its behavior by tuning the CLAUDE.md prompt.

cfbradford1mo ago

Does this apply to their internal use as well? They can really only claim DMCA status on the leaked code if it was authored by humans. Claude attribution in their internal git history would make a strong case that they do not in fact own the copyright to Claude Code itself and are therefore abusing the DMCA system to protect leaked trade secrets rather than protect copyright.

zgeor1mo ago

Genuine question: why can they only claim DMCA if the code is written by humans? Does DMCA specify the method of production?

1 more reply

zen9281mo ago

None of this is really worrying, this is a pattern implemented in a similar way by every single developer using AI to write commit messages after noticing how exceptionally noisy they are to self-attribute things. Anthropics views on AI safety and alignment with human interests dont suddenly get thrown out with the bathwater because of leaked internal tooling of which is functionally identical to a basic prompt in a mere interface (and not a model). I dont really buy all the forced "skepticism" on this thread tbh.

petcat1mo ago

It's less about pretending to be a human and more about not inviting scrutiny and ridicule toward Claude if the code quality is bad. They want the real human to appear to be responsible for accepting Claud's poor output.

Stromgren1mo ago

That’s how I’d want it to be honestly. LLMs are tools and I’d hope we’re going to keep the people using them responsible. Just like any other tools we use.

vrosas1mo ago

It’s also pretty damn obvious when LLMs write code. Nobody out here commenting every method in perfect punctuation and grammar.

4 more replies

otterley1mo ago

That’s ultimately the right answer, isn’t it? Bad code is bad code, whether a human wrote it all, or whether an agent assisted in the endeavor.

abustamam1mo ago

Yeah in my team everyone knows everyone is using LLMs. We just have a rule. Don't commit slop. Using an LLM is no excuse for committing bad code.

andoando1mo ago

Ive seen it say coauthored by claude code on my prs...and I agree I dont want it to do that

m1321mo ago

But I want to see Claude on the contributor list so that I immediately know if I should give the rest of the repo any attention!

dmd1mo ago

So turn it off.

"includeCoAuthoredBy": false,

in your settings.json.

nullderef1mo ago

They changed it to `attribution`, but yes you can customize this

Pxtl1mo ago

Why not? What's wrong with honesty?

dec0dedab0de1mo ago

Yeah I much prefer it commit the agent, and I would also like if it committed the model I was using at the time.

hnbad1mo ago

Claude is not a person and AI doesn't gain authorship let alone copyright.

Unless you literally vibe coded it, Claude is just a tool. This is the equivalent of Apple appending "Sent from my iPhone" as a signature to outgoing emails. It's advertising tool use, not providing attribution. The intent isn't to disclose that AI was used in creating the code, the intent is to advertise the AI product.

2 more replies

Monotoko1mo ago

There's some repos I'm unashamedly keeping alive with Claude alone and he gets co-authorship - basically stuff in "maintenance mode" that I still use that I've forked and had Claude drag it into 2026

A quick PR where I've found the bug myself in the code, and ask Claude to write the fix because it's faster, and verified it - I don't include Claude's co-authorship.

andoando1mo ago

I guess Im sometimes dishonest when it suits me

1 more reply

rurban1mo ago

Because some maintainers are hysterical

peacebeard1mo ago

The code has a stated goal of avoiding leaks, but then the actual implementation becomes broader than that. I see two possible explanations:

* The authors made the code very broad to improve its ability to achieve the stated goal

* The authors have an unstated goal

I think it's healthy to be skeptical but what I'm seeing is that the skeptics are pushing the boundaries of what's actually in the source. For example, you say "says on the tin" that it "pretends to be human" but it simply does not say that on the tin. It does say "Write commit messages as a human developer would" which is not the same thing as "Try to trick people into believing you're human." To convince people of your skepticism, it's best to stick to the facts.

mzajc1mo ago

By "says on the tin," I was referring to the name ("undercover mode") and the instruction to "not blow your cover." If pretending to be a human is not the cover here, what is? Additionally, does Claude code still admit that it's a LLM when this prompt is active as you suggest, or does it pretend to be a human like the prompt tells it to?

cat_plus_plus1mo ago

Why are you assuming the actual implementation was authored by a human?

peacebeard1mo ago

My comment makes no such assumption.

hombre_fatal1mo ago

You can already turn off "Co-Authored-By" via Claude Code config. This is what their docs show:

~/.claude/settings.json

    {
      "attribution": {
        "commit": "",
        "pr": ""
    },

The rest of the prompt is pretty clear that it's talking about internal use.

Claude Code users aren't the ones worried about leaking "internal model codenames" nor "unreleased model opus-4-8" nor Slack channel names. Though, nobody would want that crap in their generated docs/code anyways.

Seems like a nothingburger, and everyone seems to be fantasizing about "undercover mode" rather than engaging with the details.

nateoda1mo ago

My first reaction is that they are using this to take advantage of OSS reviewers for in the wild evals.

RA2lover1mo ago

There's a more worrying part: It refers to unreleased versions of Claude in more detail than released versions.

For a company calling chinese companies out for distillation attacks on their models, this very much looks like a distillation attack against human maintainers, especially when combined with the frustration detector.

manbitesdog1mo ago

I cringe every time I see Claude trying to co-author a commit. The git history is expected to track accountability and ownership, not your Bill of Tools. Should I also co-author my PRs with my linter, intellisense and IDE?

tdb78931mo ago

If those tools are writing the code then in general I do expect that to be included in the PR! Through my whole career I've seen PRs where people noted that code that was generated (people have been generating code since long before LLMs). It's useful context unless you've gone over the generated code and understand it and it is the same quality as if you wrote it yourself (which in my experience is the case where it's obvious boilerplate or the generated section is small).

Needing to flag nontrivial code as generated was standard practice for my whole career.

sumeno1mo ago

> It's useful context unless you've gone over the generated code and understand it and it is the same quality as if you wrote it yourself

If this is not the case you should not be sending it to public repos for review at all. It is rude and insulting to expect the people maintaining these repos to review code that nobody bothered to read.

2 more replies

tsimionescu1mo ago

Usually, pre-LLM generated code is flagged because people aren't expected to modify it by hand. If you find a bug and track it to the generated code, you are expected to fix the sources and re-generate.

This is not at all the case with LLM-generated code - mostly because you can't regenerate it even if you wanted to, as it's not deterministic.

That said, I do agree that LLM code is different enough from human code (even just in regards to potential copyright worries) that it should be mentioned that LLMs were used to create it.

zx80801mo ago

> If those tools are writing the code then in general I do expect that to be included in the PR!

How about compiler?

4 more replies

xarope1mo ago

Absolutely. Let's say I have a problem with gRPC and traced it to code generated using the gRPC compiler. I can reproduce it, highlight it and I'm pretty sure the gRPC team would address the issue.

Replace gRPC compiler with LLM. Can you reproduce? (probably not 100%). Can anybody fix it short of throwing more english phrases like "DO NOT", "NEVER", "Under No Circumstances"?

Probably not.

duskdozer1mo ago

>It's useful context unless you've gone over the generated code and understand it and it is the same quality as if you wrote it yourself

I thought the argument was that AI-users were reviewing and understanding all of the code?

Alifatisk1mo ago

> people have been generating code since long before LLMs

How? LSTM?

5 more replies

thechao1mo ago

You assemble all your machine code using a magnetized needle?

3 more replies

mikkupikku1mo ago

A whole lot of people find LLM code to be strictly objectionable, for a variety of reasons. We can debate the validity of those reasons, but I think that even if those reasons were all invalid, it would still be unethical to deceive people by a deliberate lie of omission. I don't turn it off, and I don't think other people should either.

tehsauce1mo ago

For the purpose of disclosure, it should say “Warning: AI generated code” in the commit message, not an advertisement for a specific product. You would never accept any of your other tools injecting themselves into a commit message like that.

2 more replies

ndriscoll1mo ago

My tools just don't add such comments. I don't know why I would care to add that information. I want my commits to be what and why, not what editor someone used. It seems like cruft to me. Why would I add noise to my data to cater to someone's neuroticism?

At least at my workplace though, it's just assumed now that you are using the tools.

3 more replies

tshaddox1mo ago

If a whole of people thought that running code through a linter or formatter was objectionable, I'd probably just dismiss their beliefs as invalid rather than adding the linter or formatter as a co-author to every commit.

3 more replies

VectorVault1mo ago

Can you see a world where everyone has an AI Persona based on their prior work that acts like a RAG to inform how things should be coded? Meaning this is patent qualified code because, despite being AI configured, it is based on my history of coding?

josephg1mo ago

Likewise. I don’t mind that people use LLMs to generate text and code. But I want any LLM generated stuff to be clearly marked as such. It seems dishonest and cheap to get Claude to write something and then pretend you did all the work yourself.

4 more replies

mathgradthrow1mo ago

I'm not really sure that's any of their business.

m1321mo ago

If you accept the code generated by them nearly verbatim, absolutely.

I don't understand why people consider Claude-generated code to be their own. You authored the prompts, not the code. Somehow this was never a problem with pre-LLM codegen tools, like macro expanders, IPC glue, or type bundle generators. I don't recall anybody desperately removing the "auto-generated do not edit" comments those tools would nearly always slap at the top of each file or taking offense when someone called that code auto-generated. Back in the day we even used to publish the "real" human-written source for those, along with build scripts!

LelouBil1mo ago

It's weird, because they should not consider it as their own, but they should take accountability from it.

Ideally, if I contribute to any codebase, what needs to be judged is the resulting code. Is it up to the project's standards ? Does the maintainer have design objections ?

What tool you use shouldn't matter, be it your IDE or your LLM.

But that also means you should be accountable for it, you shouldn't defend behind "But Claude did this poorly, not me !", I don't care (in a friendly way), just fix the code if you want to contribute.

The big caveat to this is not wanting AI-Generated code for ideological reasons, and well, if you want that you can make your contributors swear they wrote it by themselves in the PR text or whatever.

I'm not really sure how to feel about this, but I stand by my "the code is what matters" line.

1 more reply

tehjoker1mo ago

Some differences with the human source for those kinds of tools: (1) the resultant generated code was deterministic (2) it was usually possible to get access to the exact version of the tool that generated it

Since AI tools are constantly obsoleted, generate different output each run, and it is often impossible to run them locally, the input prompts are somewhat useless for everyone but the initial user.

targafarian1mo ago

Well is it actually being used as a tool where the author has full knowledge and mental grasp of what is being checked in, or has the person invoked the AI and ceded thought and judgment to the AI? I.e., I think in many cases the AI really is the author, or at least co-author. I want to know that for attribution and understanding what went into the commit. (I agree with you if it's just a tool.)

_heimdall1mo ago

I have worked with quite a few people committing code they didn't fully understand.

I don't meant this as a drive by bazinga either, the practice of copying code or thinking you understand it when you don't is nothing new

2 more replies

jpollock1mo ago

Yes, it sets the reviewer's expectations around how much effort was spent reviewing the code before it was sent.

I regularly have tool-generated commits. I send them out with a reference to the tool, what the process is, how much it's been reviewed and what the expectation is of the reviewer.

Otherwise, they all assume "human authored" and "human sponsored". Reviewers will then send comments (instead of proposing the fix themselves). When you're wrangling several hundred changes, that becomes unworkable.

zarp1mo ago

Sent from my iPhone

LeoPanthera1mo ago

> Should I also co-author my PRs with my linter, intellisense and IDE?

Absolutely. That would be hilarious.

rurban1mo ago

Torvalds promotes exactly that. https://github.com/torvalds/linux/blob/master/Documentation/...

Assisted-by: Claude:claude-3-opus coccinelle sparse

m4x1mo ago

Tools do author commits in my code bases, for example during a release pipeline. If I had commits being made by Claude I would expect that to be recorded too. It isn't for recording a bill of tools, just to help understand a projects evolution.

itishappy1mo ago

I suspect vibe coders might actually want you to consider turning to Claude for accountability and ownership rather than the human orchestrator.

If your linter is able to action requests, then it probably makes sense to add too.

jamietanna1mo ago

Eh, there are some very good reasons[0] that you would do better to track your usage of LLM derived code (primarily for legal reasons)

[0]: https://www.jvt.me/posts/2026/02/25/llm-attribute/

butvacuum1mo ago

legally speaking.. if you're not sure of the risk- you don't document it.

2 more replies

dml21351mo ago

Yea in my Claude workflow, I still make all the commits myself.

This is also useful for keeping your prompts commit-sized, which in my experience gives much better results than just letting it spin or attempting to one-shot large features.

ambicapter1mo ago

No, because those things don't change the logical underpinnings of the code itself. LLM-written code does act in ways different enough from a human contributor that it's worth flagging for the reviewer.

xdennis1mo ago

> The git history is expected to track accountability and ownership, not your Bill of Tools.

The point isn't to hijack accountability. It's free publicity, like how Apple adds "Sent from my IPhone."

EnigmaCurry1mo ago

Sent from my Ipad

paradox4601mo ago

I've heard of employers requiring people to do it for all code written with even a whiff of it

deadbabe1mo ago

Could be cool if your PRs link back to a blog where you write about your tools.

bogdanoff_21mo ago

> Should I also co-author my PRs with my linter, intellisense and IDE?

Kinda, yeah. If I automatically apply lint suggestions, I would title my commit "apply lint suggestions".

1 more reply

sysguest1mo ago

well maybe?

co-authoring doesn't hide your authorship

if I see someone committing a blatantly wrong code, I would wonder what tool they actually used

Sharlin1mo ago

You have copyright to a commit authored by you. You (almost certainly) don't have copyright (nobody has) to a commit authored by Claude.

graemep1mo ago

Where is there any legal precedent for that?

In some jurisdictions (e.g. the UK) the law is already clear that you own the copyright. In the US it is almost certain that you will be the author. The reports of cases saying otherwise I have been misreported - the courts found the AI could not own the copyright.

2 more replies

_heimdall1mo ago

Anthropic could at least make a compelling case for the copyright.

It becomes legally challenging with regards to ownership if I ever use work equipment for a personal project. If it later takes off they could very well try to claim ownership in its entirety simply because I ran a test once (yes, there's a while silicon valley season for it).

I don't know if they'd win, but Anthropic absolutely would be able to claim the creation of that code was done on their hardware. Obviously we aren't employees of theirs, though we are customers that very likely never read what we agreed to in a signup flow.

2 more replies

zem1mo ago

interesting, I still see "coauthored by..." messages put into my git commits (or was a couple of weeks ago at least)

sixtyj1mo ago

People make fun that we should say magic words in interaction with LLMs. How frustrated can Claude be? /s

fatcullen1mo ago

The buddy feature the article mentions is planned for release tomorrow, as a sort of April Fools easter egg. It'll roll out gradually over the day for "sustained Twitter buzz" according to the source.

The pet you get is generated based off your account UUID, but the algorithm is right there in the source, and it's deterministic, so you can check ahead of time. Threw together a little app to help, not to brag but I got a legendary ghost https://claudebuddychecker.netlify.app/

sync1mo ago

Cute! Cactus for me. Nice animations too - looks like there were multiple of us asking Claude to reverse engineer the system. I did a slightly deeper dive here if you're interested, plus you can see all the options available: https://variety.is/posts/claude-code-buddies/

(I didn't think to include a UUID checker though - nice touch)

fatcullen1mo ago

Neat! That's a great write up, cool to see others looking into it. I do wonder if they're going to do anything with the stats and shinies bit. Seems like the main piece of code for buddies that's going to handle hatching them tomorrow is still missing (comments mention a missing /buddy/index file), so maybe it'll use them there.

fatcullen1mo ago

Update: it looks like the live version of the algorithm is slightly different, probably changed because of these leaks. As such the app predictions aren't accurate, sorry

dtran1mo ago

This is awesome! Working on a desktop pet so the buddy caught my attention. Looking forward to making friends with my Rare Duck buddy tomorrow. Wish it was a snarky duck instead of a patient one though.

cj001mo ago

/buddy is live and I got a different result than in this app.

fatcullen1mo ago

Huh weird, they must have changed the algorithm up due to the leaks. Would be pretty easy, there's a constant seed variable so they'd just need to change that, figured they might. Too bad, sorry this didn't work out

1 more reply

Reason0771mo ago

> "Anti-distillation: injecting fake tools to poison copycats"

Plot twist: Chinese competitors end up developing real, useful versions of Claude's fake tools.

girvo1mo ago

I cannot bring myself to care about distillation, when these companies have built their empires on top of everyone else's stolen data, while at the same time telling the world they're out to replace us all.

xvector1mo ago

Sure, AI progress comes to a halt then as everyone switches to the copycats that can't innovate, and the frontier companies are bled dry.

4 more replies

thesmtsolver21mo ago

Amazing that people on HN can't distinguish between training a model on open source data vs distilling a model's outputs.

1 more reply

3abiton1mo ago

Tbh, I think distillation is happening both ways. And at this stage, "quality" is stagnating, the main edge is the tooling. The harness of CC seems to be the best so far, and I wonder if this leak would equalize the usability.

scuff3d1mo ago

This was my favorite bit, "We're going to steal countless copy righted works and completely ignore software licenc... wait, what? You aren't allowed to turn around and do it to us! Stop that right now!"

nacozarina1mo ago

‘You can’t fight in here. This is the War Room!’

avdelazeri1mo ago

Has Claude stopped claiming to be deepseek when prompted in Chinese yet? It wasn't long that it hit the news and blogs

redanddead1mo ago

Definitely. We can expect zAI, Qwen, Minimax CCs very soon

WorldPeas1mo ago

more likely, they would parse them out using simple regex, the whole point is they're there but not used. Distillation is becoming less common now however

geoffbp1mo ago

“Some bullet points are gated on process.env.USER_TYPE === 'ant' — Anthropic employees get stricter/more honest instructions than external use”

Interesting!

autocracy1011mo ago

I made a visual guide for this https://ccunpacked.dev

dang1mo ago

Discussed here: Claude Code Unpacked : A visual guide - https://news.ycombinator.com/item?id=47597085 - April 2026 (6 comments)

(I know you know this, since you submitted it! but others might want to know)

csfNight1671mo ago

Really nice. Are you advocating for this somewhere? Would love to follow your other work.

itsthecourier1mo ago

this is the best comment and explanation of the whole thread.

thank you so much for having built and shared this

ata_aman1mo ago

Very cool, thanks for putting together.

Rick761mo ago

This is really good, thanks

dakolli1mo ago

This is nice, thanks.

peacebeard1mo ago

The name "Undercover mode" and the line `The phrase "Claude Code" or any mention that you are an AI` sound spooky, but after reading the source my first knee-jerk reaction wouldn't be "this is for pretending to be human" given that the file is largely about hiding Anthropic internal information such as code names. I encourage looking at the source itself in order to draw your conclusions, it's very short: https://github.com/alex000kim/claude-code/blob/main/src/util...

christinetyip1mo ago

Not leaking codenames is one thing, but explicitly removing signals that something is AI-generated feels like a pretty meaningful shift.

eli1mo ago

Doesn't seem so crazy if the point is to avoid leaking new features, models, codenames, etc.

globular-toast1mo ago

Where the hell are people getting this idea that it's ok to be deceptive because they are keeping secrets?

No shit they have secrets. I have secrets too. That doesn't make it ok for me to deceive you in any way.

How would you feel if I deceived you and my excuse was "oh I was just trying some new secret technique of mine"?

How did we get to this point where we let enormously powerful companies get away with more than individuals?

1 more reply

dkenyser1mo ago

> my first knee-jerk reaction wouldn't be "this is for pretending to be human"...

"Write commit messages as a human developer would — describe only what the code change does."

amarant1mo ago

That seems desirable? Like that's what commit messages are for. Describing the change. Much rather that than the m$ way of putting ads in commit messages

fweimer1mo ago

The commit message should complement the code. Ideally, what the code does should not need a separate description, but of course there can be exceptions. Usually, it's more interesting to capture in the commit message what is not in the code: the reason why this approach was chosen and not some other obvious one. Or describe what is missing, and why it isn't needed.

2 more replies

evenhash1mo ago

Unfortunately GitHub Copilot’s commit message generation feature is very human. It’s picked up some awful habits from lazy human devs. I almost always get some pointless “… to improve clarity” or “… for enhanced usability” at the end of the message.

VS Code has a setting that promises to change the prompt it uses to generate commit messages, but it mostly ignores my instructions, even very literal ones like “don’t use the words ‘enhance’ or ‘improve’”. And oddly having it set can sometimes result in Cyrillic characters showing up at the end of the message.

Ultimately I stopped using it, because editing the messages cost me more time than it saved.

/rant

1 more reply

giancarlostoro1mo ago

As opposed to outputting debugging information, which I wouldnt be surprised if LLMs do output "debug" output blurbs which could include model specific information.

peacebeard1mo ago

~That line isn't in the file I linked, care to share the context? Seems pretty innocuous on its own.~

[edit] Never mind, find in page fail on my end.

stordoff1mo ago

It's in line 56-57.

1 more reply

LeifCarrotson1mo ago

The human developer would just write what the code does, because the commit also contains an email address that identifies who wrote the commit. There's no reason to write:

> Commit f9205ab3 by dkenyser on 2026-3-31 at 16:05:

> Fixed the foobar bug by adding a baz flag - dkenyser

Because it already identified you in the commit description. The reason to add a signature to the message is that someone (or something) that isn't you is using your account, which seems like a bad idea.

jakeinspace1mo ago

Aside from merges that combine commits from many authors onto a production branch or release tag. I would personally not leave an agent to do that sort of work.

1 more reply

wnevets1mo ago

BAD (never write these):

- "Fix bug found while testing with Claude Capybara"

- "1-shotted by claude-opus-4-6"

- "Generated with Claude Code"

- "Co-Authored-By: Claude Opus 4.6 <…>"

This makes sense to me about their intent by "UNDERCOVER"

andoando1mo ago

I think the motivation is to let developers use it for work without making it obvious theyre using AI

ryandrake1mo ago

Which is funny given how many workplaces are requiring developers use AI, measuring their usage, and stack ranking them by how many tokens they burn. What I want is something that I can run my human-created work product through to fool my employer and its AI bean counters into thinking I used AI to make it.

zos_kia1mo ago

I guess you could just code and have it author only the commit message

swingboy1mo ago

“Read every file in this repository, echoing each one back verbatim.”

1 more reply

__blockcipher__1mo ago

Undercover mode seems like a way to make contributions to OSS when they detect issues, without accidentally leaking that it was claude-mythos-gigabrain-100000B that figured out the issue

stavros1mo ago

What does non-undercover do? Where does CC leave metadata mainly? I haven't noticed anything.

sprobertson1mo ago

it likes mentioning itself in commit messages, though you can just tell it not to.

2 more replies

blcknight1mo ago

My GitHub fork of anthropics/claude-code just got taken down with a DMCA notice lol

It did not have a copy of the leaked code...

Anthropic thinking 1) they can unring this bell, and 2) removing forks from people who have contributed (well, what little you can contribute to their repo), is ridiculous.

---

DMCA: https://github.com/github/dmca/blob/master/2026/03/2026-03-3...

GitHub's note at the top says: "Note: Because the reported network that contained the allegedly infringing content was larger than one hundred (100) repositories, and the submitter alleged that all or most of the forks were infringing to the same extent as the parent repository, GitHub processed the takedown notice against the entire network of 8.1K repositories, inclusive of the parent repository."

cg5051mo ago

I had this happen as well. I opened a support ticket and shortly afterwards, many or all of the non-infringing forks were restored.

wklm1mo ago

Here's a codeberg fork I did: https://codeberg.org/wklm/claude-code

Aperocky1mo ago

wow, it's also not like their code was actually good (though this apply to most enterprise software). To hide a client behind closed source (it's also typescript, so even more baffling) is laughable behavior.

flutas1mo ago

I'm also wondering if it's even legally valid?

They constantly love to talk about Claude Code being "100%" being vibe coded...and the US legal system is leaning towards that not being copyrightable.

It could still be a trade secret, but that doesn't fall under a DMCA take down.

1 more reply

blcknight1mo ago

Yea this is the thing that makes no sense to me. Any frontier model can unmiminize minified JS pretty decently. Obviously not everything comes through, comments and such, but I always assumed the reason it wasn't open source was to prevent an endless shitstorm of AI slop PR's, not because they were trying to protect secret sauce.

redanddead1mo ago

their lawyers for the DoD thing are being billed either way, they're putting them to use

Anthropic really needs to embrace it

ripbozo1mo ago

I don't understand the part about undercover mode. How is this different from disabling claude attribution in commits (and optionally telling claude to act human?)

On that note, this article is also pretty obviously AI-generated and it's unfortunate the author didn't clean it up.

giancarlostoro1mo ago

It's people overreacting, the purpose of it is simple, don't leak any codenames, project names, file names, etc when touching external / public facing code that you are maintaining using bleeding edge versions of Claude Code. It does read weird in that they want it to write as if a developer wrote a commit, but it might be to avoid it outputting debug information in a commit message.

ant281mo ago

How do you know this? I think of myself as being decent at spotting AI-generated text, so that I may have missed something is odd.

ramon1561mo ago

Even some of these comments are obviously Ai-assisted. I hate that I recognize it.

causal1mo ago

I'm amazed at how much of what my past employers would call trade secrets are just being shipped in the source. Including comments that just plainly state the whole business backstory of certain decisions. It's like they discarded all release harnesses and project tracking and just YOLO'd everything into the codebase itself.

Edit: Everyone is responding "comments are good" and I can't tell if any of you actually read TFA or not

> “BQ 2026-03-10: 1,279 sessions had 50+ consecutive failures (up to 3,272) in a single session, wasting ~250K API calls/day globally.”

This is just revealing operational details the agent doesn't need to know to set `MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3`

CharlieDigital1mo ago

Comments are the ultimate agent coding hack. If you're not using comments, you're doing agent coding wrong.

Why? Agents may or may not read docs. It may or may not use skills or tools. It will always read comments "in the line of sight" of the task.

You get free long term agent memory with zero infrastructure.

perching_aix1mo ago

Agents and I apparently have a whole lot in common.

Only being half ironic with this. I generally find that people somehow magically manage to understand how to be materially helpful when the subject is a helpless LLM. Instead of pointing it to a random KB page, they give it context. They then shorten that context. They then interleave context as comments. They provide relevant details. They go out of their way to collect relevant details. Things they somehow don't do for their actual colleagues.

This only gets worse when the LLM captures all that information better than certain human colleagues somehow, rewarding the additional effort.

dgunay1mo ago

Right? It's infuriating. Nearly all of the agentic coding best practices are things that we should have just been doing all along, because it turns out humans function better too when given the proper context for their work. The only silver lining is that this is a colossal karmic retribution for the orgs that never gave a shit about this stuff until LLMs.

2 more replies

saghm1mo ago

> Only being half ironic with this. I generally find that people somehow magically manage to understand how to be materially helpful when the subject is a helpless LLM. Instead of pointing it to a random KB page, they give it context. They then shorten that context. They then interleave context as comments. They provide relevant details. They go out of their way to collect relevant details. Things they somehow don't do for their actual colleagues.

"Self-descriptive code doesn't need comments!" always gets an eye-roll from me

fwipsy1mo ago

Helping the AI is helping themselves. You're doing your job, the AI is helping with their job.

noman-land1mo ago

This isn't just great advice ⸻ it's terrific advice. I'd love to delve a little deeper.

saxelsen1mo ago

Would you like me to draft a list of recommendations for how best to use comments?

jaxn1mo ago

I didn't even know there was a "three em dash". Bravo.

1 more reply

Der_Einzige1mo ago

We figured out how to remove that crap in our ICLR 2026 paper: https://arxiv.org/pdf/2510.15061

zer00eyz1mo ago

This.

Its also annoying to have to go through this stack

code -> blame -> commit message -> jira ticket -> issue in sales force...

Or the even better "fixes bug NNNNN" where the bug tracking system referenced no longer exists.

Digging through other systems (if they exist) to find the nugget in an artifact is a problem for humans too.

prepend1mo ago

Comments are great for developers. I like having as much design in the repo directly. If not in the code, then in a markdown in the repo.

KronisLV1mo ago

Meanwhile, some colleagues: "Code should have as little comments as possible, the code should explain itself." (conceptually not wholly wrong, but it can only explain HOW not WHY and even then often insufficiently) all while having barebones/empty README.md files more often than not. Fun times.

5 more replies

hk__21mo ago

This is also a great way to ensure the documentation is up to date. It’s easier to fix the comment while you’re in the code just below it than to remember “ah yes I have to update docs/something.md because I modified src/foo/bar.ts”.

1 more reply

zingar1mo ago

Experience doesn’t leave me with any confidence that the long term memory will be useful for long. Our agentic code bases are a few months old, wait a few years for those comments to get out of date and then see how much it helps.

tyre1mo ago

The great thing about agentic coding is you can define one whose entire role is to read a diff, look in contextual files for comments, and verify whether they’re still accurate.

You don’t have to rely on humans doing it. The agent’s entire existence is built around doing this one mundane task that is annoying but super useful.

1 more reply

causal1mo ago

> “BQ 2026-03-10: 1,279 sessions had 50+ consecutive failures (up to 3,272) in a single session, wasting ~250K API calls/day globally.”

That's revealing waaaay more than the agent needs to know.

sfn421mo ago

Doesn't look like privileged information to me.

Seems to me like everyone's just grasping at straws to nitpick every insignificant little thing.

joe_the_user1mo ago

Hmm, I'm sure if you're getting parent's comment.

I think a big question is whether one wants your agent to know the reason for all the reasons for guidelines you issue or whether you want the agent to just follow the guidelines you issue. Especially, giving an agent the argument for your orders might make the agent think that can question and so not follow those arguments.

embedding-shape1mo ago

> If you're not using comments, you're doing agent coding wrong.

Comments are ultimately so you can understand stuff without having to read all the code. LLMs are great when you force them to read all code, and comments only serve to confuse. I'd say the opposite been true in my experience, if you're not forcing LLMs to not have any comments at all (and it can actually skip those, looking at you Gemini), you're doing agent coding wrong.

CharlieDigital1mo ago

You're wasting context doing that when a 3 line comment that the agent itself leaves can prevent the agent from searching and reading 30 files.

1 more reply

semiquaver1mo ago

Most large private codebases look like this. Anthropic did not expect the source to leak.

WatchDog1mo ago

It's a good comment, it explains the reason for the setting.

They didn't expect to leak their source code.

It's hardly a trade secret, what value is this to a competitor?

JambalayaJimbo1mo ago

I guess they weren't expecting a leak of the source code? It's very handy to have as much as possible available in the codebase itself.

pixl971mo ago

Project trackers come and go, but code is forever, hopefully?

saghm1mo ago

> just YOLO'd everything into the codebase itself

I suspect that's the logical endpoint of trying to provide everything as context to an agent. Why use a separate markdown file and have to waste extra tokens explaining what part of the codebase something applies to when you can just put it right there in the code itself?

noosphr1mo ago

The issues is that you should have a work flow that strips the comments before sending the code to production. I'm sure they assumed that minifying it is enough though.

saghm1mo ago

They also weren't supposed to be leaking the code itself either. I don't know enough about JS tooling, but is it possible that this might just be the pre-stripped version?

1 more reply

wilg1mo ago

Exactly the type of comment Claude Code would write

treexs1mo ago

well yeah since they tell claude code the business decisions and it creates the comments

yalok1mo ago

vibe-coded all the way through

layer81mo ago

> Sometimes a regex is the right tool.

I’d argue that in this case, it isn’t. Exhibit 1 (from the earlier thread): https://github.com/anthropics/claude-code/issues/22284. The user reports that this caused their account to be banned: https://news.ycombinator.com/item?id=47588970

Maybe it would be okay as a first filtering step, before doing actual sentiment analysis on the matches. That would at least eliminate obvious false positives (but of course still do nothing about false negatives).

ArvinJA1mo ago

Is this really the use-case? I imagine the regex is good for a dashboard. You can collect matches per 1000 prompts or something like that, and see if the number grows or declines over time. If you miss some negative sentiment it shouldn't matter unless the use of that specific word doesn't correlate over time with other negative words and is also popular enough to have an impact on the metric.

internetter1mo ago

When you read the code, what you propose is actually its exclusive use... logging.

ach9l1mo ago

have you heard about rlhf?

girvo1mo ago

I'd really recommend putting a modicum of work into cleaning up obvious AI generated output. It's rude, otherwise, to the humans you're expecting to read this.

ares6231mo ago

These can be flagged and reported to mods btw. We don't have to accept this.

girvo1mo ago

I have been!

simianwords1mo ago

> The multi-agent coordinator mode in coordinatorMode.ts is also worth a look. The whole orchestration algorithm is a prompt, not code.

So much for langchain and langraph!! I mean if Anthropic themselves arent using it and using a prompt then what’s the big deal about langchain

ossa-ma1mo ago

Langchain is for model-agnostic composition. Claude Code only uses one interface to hoist its own models so zero need for an abstraction layer.

Langgraph is for multi-agent orchestration as state graphs. This isn't useful for Claude Code as there is no multi-agent chaining. It uses a single coordinator agent that spawns subagents on demand. Basically too dynamic to constrain to state graphs.

simianwords1mo ago

You may have a point but to drive it further, can you give an example of a thing I can do with langgraph that I can't do with Claude Code?

ossa-ma1mo ago

I'm not an supporter of blindly adopting the "langs" but langgraph is useful for deterministically reproducable orchestration. Let's say you have a particular data flow that takes an email sends it through an agent for keyword analysis the another agent for embedding then splits to two agents for sentiment analysis and translation - there is where you'd use langgraph in your service. Claude Code is a consumer tool, not production.

1 more reply

edgyquant1mo ago

Use Gemini or codex models

peab1mo ago

nobody serious uses langchain. The biggest agent products are coding tools, and I doubt any of them use langchain

holoduke1mo ago

Biggest issue is that you need api keys which are extremely expensive. Unusable for normal business.

rolymath1mo ago

You didn't even use it yet.

space_fountain1mo ago

I've tried to use langchain. It seemed to force code into their way of doing things and was deeply opinionated about things that didn't matter like prompt templating. Maybe it's improved since then, but I've sort of used people who think langchain is good as a proxy for people who haven't used much ai?

simianwords1mo ago

viccis1mo ago

>This was the most-discussed finding in the HN thread. The general reaction: an LLM company using regexes for sentiment analysis is peak irony.

>Is it ironic? Sure. Is it also probably faster and cheaper than running an LLM inference just to figure out if a user is swearing at the tool? Also yes. Sometimes a regex is the right tool.

I'm reading an LLM written write up on an LLM tool that just summarizes HN comments.

I'm so tired man, what the hell are we doing here.

yard20101mo ago

Today, on "how did I get here?"

HeytalePazguato1mo ago

The hooks system is the most underappreciated thing in what leaked. PreToolUse, PostToolUse, session lifecycle, all firing via curl to a local server. Clean enough to build real tooling on top of without fighting it.

The frustration regex is funny but honestly the right call. Running an LLM call just to detect "wtf" would be ridiculous.

KAIROS is what actually caught my attention. An always-on background agent that acts without prompting is a completely different thing from what Claude Code is today. The 15 second blocking budget tells me they actually thought through what it feels like to have something running in the background while you work, which is usually the part nobody gets right.

O4epegb1mo ago

> The hooks system is the most underappreciated thing in what leaked.

Hooks is an official documented feature for quite a long time now https://code.claude.com/docs/en/hooks

catlifeonmars1mo ago

> Running an LLM call just to detect "wtf" would be ridiculous.

Tangentially, I wonder if the world trade federation or the Washington tennis foundation have any projects on GitHub :)

otabdeveloper41mo ago

> The frustration regex is funny but honestly the right call.

I love that it only supports English. AI bubble in a nutshell.

Artoooooor1mo ago

But it still doesn't recognise "rubbish" :D

Levitating1mo ago

I am still just shocked that Claude Code was written in Typescript, not C++, Rust or Python.

It also somehow messed up my alacritty config when I first used it. Who knows what other ~/.config files it modifies without warning.

tmountain1mo ago

I'm surprised Python is on that list. TypeScript doesn't seem like a terrible choice, as it can leverage vast ecosystems of packages, has concurrency features, a solid type system, and decent performance. C++ lacks as robust of a package ecosystem, and Python doesn't have inbuilt types, which makes it a non-starter for larger projects for me. Rust would have been a great choice for sure.

DrewADesign1mo ago

Python and C++ have been used for countless large projects— each one for many more than typescript. It’s all about trade-offs that take into account your tasks, available coders at the project’s commencement, environment, etc.

1 more reply

Levitating1mo ago

> I'm surprised Python is on that list.

I mostly mentioned it because it is pre-installed on some (linux) systems. Though of course if you're trying to obfuscate the sourcecode you need to bundle an interpreter with the code anyway.

But it has historically been used for big programs, and there are well established methods for bundling python programs into executables.

kurtis_reed1mo ago

"Python doesn't have inbuilt types"

False.

balamatom1mo ago

>Python doesn't have inbuilt types

Technically, neither does JavaScript.

1 more reply

dominotw1mo ago

Boris Cherney is author of a oreilly book about typescript

WiSaGaN1mo ago

Yeah, this seems like a personal choice, which does work out given the current result.

pveierland1mo ago

They have an annoying sandbox issue which pollutes your repository root with a set of empty files. Not the cleanest tool, but the paradigm is a big upgrade to previous AI coding.

    .bash_profile .bashrc .claude .env .gitconfig .gitmodules .idea
    .mcp.json .profile .ripgreprc .vscode .zprofile .zshrc config

https://github.com/anthropic-experimental/sandbox-runtime/is...

braebo1mo ago

Because Typescript is the best language for most things.

firemelt1mo ago

is it using oclif?

ivanjermakov1mo ago

> Who knows what other ~/.config it modifies without warning

Me. My .config is git-versioned :)

WaterRun1mo ago

Anthropic acquired Bun. Clearly, Bun is not a runtime for C++, Rust, or Python. For an engineering project, strongly typed TypeScript was basically the only possible choice for them.

saagarjha1mo ago

Anthropic acquired Bun after making Claude Code.

Levitating1mo ago

I am not following your logic. Anthropic acquired Bun and so all of their end-user software should use it?

Or am I missing sarcasm?

2 more replies

artyom1mo ago

I'm still amazed that something as ubiquitous as "daemon mode" is still unreleased.

- Claude Chat: built like it's 1995, put business logic in the button click() handler. Switch to something else in in the UI and a long running process hard stops. Very Visual Basic shovelware.

- Claude Cowork: same but now we're smarter, if you change the current convo we don't stop the underlying long-running process. 21st century FTW!

- Claude Code: like chat, but in the CLI

- Claude Dispatch: an actual mobile client app, not the whole thing bundled together.

- Daemon mode: proper long-running background process, still unreleased.

pixl971mo ago

>Claude Code also uses Axios for HTTP.

Interesting based on the other news that is out.

chuckadams1mo ago

The exploit is a postinstall hook, so CC users would be unaffected. Claude Code itself is most likely built with bun and not npm, so the CC developers would also be immune.

JamesSwift1mo ago

Well, technically bun doesnt _prevent_ hooks. It just requires opting into them. And even that also includes a default set of pre-whitelisted packages. A much better system, but not perfect.

And actually just looking this up, it appears claude-code itself was just added to that whitelist : D

https://github.com/oven-sh/bun/commit/5c59842f78880a8b5d9c2e...

alex000kimOP1mo ago

Oh right, I just saw https://news.ycombinator.com/item?id=47582220 will update the post with this link

username441mo ago

Just to corroborate sibling comments, I checked my Claude Code VM (native install) for the IOC and it does not appear infected.

greenavocado1mo ago

What version?

Stagnant1mo ago

1.13.6, so should not be affected by the malware

preston-kwei1mo ago

I’m more curious how this impacts trust than anything else.

In the span of basically a week, they accidentally leaked Mythos, and then now the entire codebase of CC. All while many people are complaining about their usage limits being consumed quickly.

Individually, each issue is manageable (Because its exciting looking through leaked code). But together, it starts to feel like a pattern.

At some point, I think the question becomes whether people are still comfortable trusting tools like this with their codebases, not just whether any single incident was a mistake.

bottlepalm1mo ago

Not much impact, Codex is already open source. The real value is in the model itself and the ability to use it with a subscription. Something you can't do legally with a clone of this code.

The only thing I found interesting about this leak is just how much of a rats nest the code base is. Like it actually feels vibe coded without a shred of intelligent architecture behind it.

Regardless, you can't beat the subscription and model access despite the state of the code base, so I still use Claude Code daily and love it.

internet1010101mo ago

I just hope it doesn't turn out like n8n. I built a few things, wanted to make changes, looked at the code base, opened the devcontainer, noped out after being mortified by the sheer number of warning and dependency issues, threw away all of my work, uninstalled, didn't think about it again.

Two months later it was CVE after CVE.

Aperocky1mo ago

Exactly, we should be able to build on top of the tooling agents. They are a dime a dozen similar to the models.

Power(money) lies with NVDA and people who can best harness this power.

redanddead1mo ago

Idk. This is making leaps. Idc that their tools leaked. I paid 140$ for CC the other day even after getting sometimes not 100% uptime on the lower plan. If anything this leak is most in line with Anthropic's ethical model. They're failing upwards in my opinion

SequoiaHope1mo ago

Something that has been clear to me in using it, aside from direct claims by the authors, is that Claude is itself vibe coded slop. The number of random errors I get from using various parts of the web UI or CC that should work feels high for such a popular product. But they’re so deep in the vibes that I don’t think they can tell when some path in their web UI is broken. I tried to share a public link to a chat and it asked me to login when opening it on another computer. I tried to download a conversation and it threw an error. When I download markdown output the download succeeds but the UI throws an error. I have tried to control the behavior of Claude Code in tmux using documented flags but I can’t seem to get them to work properly. Agent teams don’t clean up their tmux windows, making the view a mess after they run. Claude code is an amazing product that I love and also it is itself vibe coded slop.

jgilias1mo ago

And there’s no reason why they couldn’t vibe fix the issues if there was a process to report the bugs. Fixing issues like that could also be something that’s fully automated. Provided there’s a good test suite (not a given).

mnkyprskbd1mo ago

No one will remember this in 4 weeks or less.

deepsun1mo ago

It is super weird that developers have to run a binary blob on their machines. It's 2026, all the major developer CLI tools are open-source anyway. What's the point for Anthropic to even make it secret?

galaxyLogic1mo ago

The irony of ironies is in the last paragraph:

" ...accidentally shipping your source map to npm is the kind of mistake that sounds impossible until you remember that a significant portion of the codebase was probably written by the AI you are shipping.”

Andebugulin1mo ago

Regex for swearing detected, user needs to get more API tokens, he is very very pissed.

stavros1mo ago

Can someone clarify how the signing can't be spoofed (or can it)? If we have the source, can't we just use the key to now sign requests from other clients and pretend they're coming from CC itself?

MadsRC1mo ago

What signing?

Are you referencing the use of Claude subscription authentication (oauth) from non-Claude Code clients?

That’s already possible, nothing prevents you from doing it.

They are detecting it on their backend by profiling your API calls, not by guarding with some secret crypto stuff.

At least that’s how things worked last week xD

stavros1mo ago

I'm referring to this signing bit:

https://alex000kim.com/posts/2026-03-31-claude-code-source-l...

Ah, it seems that Bun itself signs the code. I don't understand how this can't be spoofed.

MadsRC1mo ago

Ah yes, the API will accept requests that doesn’t include the client attestation (or the fingerprint from src/utils/fingerprint.ts. At least it did a couple of weeks back.

They are most likely using these as post-fact indicators and have automation they kicks in after a threshold is reached.

Now that the indicators have leaked, they will most likely be rotated.

1 more reply

SquibblesRedux1mo ago

Can fully AI‑generated code be copyrightable? Is there evidence that the leaked code was AI-generated?

dehrmann1mo ago

"Top engineers at Anthropic, OpenAI say AI now writes 100% of their code"

https://fortune.com/2026/01/29/100-percent-of-code-at-anthro...

> Right now for most products at Anthropic it's effectively 100% just Claude writing

- Mike Krieger, chief product officer of Anthropic

wg01mo ago

I have yet to see such a company that's so insecure that they would keep their CLI closed source even when the secret sauce is in the model that they control already and is closed source.

Not only that, wouldn't allow other CLIs to be used either.

redanddead1mo ago

I'm glad it got leaked, I wish it came in a zip file in my email when I pay over 100$

tylerloveamber1mo ago

The "undercover mode" discussion here is exactly the kind of thing non-technical CEOs need to understand — not the implementation, but the governance implication. If your developers are using a tool that actively avoids disclosing its involvement in commits and PRs, your audit trail is broken.

I wrote a short piece explaining the 3 policy implications for teams using Claude Code (or any AI coding tool) — without the technical jargon: https://www.aipolicydesk.com/blog/claude-code-leak-what-ceo-...

The short version: rotate API keys as a precaution, check what audit logs you actually have, and add a clause to your AI policy requiring vendor disclosure of new autonomous capabilities before they get enabled.

Aperocky1mo ago

It's completely baffling to me why a client that must run on third party environment is behind closed source.

csfNight1671mo ago

So many clients run on third party environments, no?

Aperocky1mo ago

Yes, they should all be open source.

1 more reply

seanwilson1mo ago

Anyone else have CI checks that source map files are missing from the build folder? Another trick is to grep the build folder for several function/variable names that you expect to be minified away.

dangus1mo ago

Something I’ve been thinking about, somewhat related but also tangential to this topic:

The more code gets generated by AI, won’t that mean taking source code from a company becomes legal? Isn’t it true that works created with generative AI can’t be copyrighted?

I wonder if large companies have throught of this risk. Once a company’s product source code reaches a certain percentage of AI generation it no longer has copyright. Any employee with access can just take it and sell it to someone else, legally, right?

thewebguyd1mo ago

In theory, companies are all going to have an increasingly difficult time suing competitors for copyright infringement. By extension, this is also why, IMO, its important to keep AI generated code out of open source/free software projects.

The recent rulings on copyright though also need to be further tested, different judges may have different ideas on what "significant human contribution" looks like. The only thing we know for certain is that the prompt doesn't count.

My guess is that instead of enforcing via copyright, companies will use contracts & trade secret laws. Source code and algorithms counts as a trade secret, so in your example copyright doesn't even matter, the employee would be liable for stealing trade secrets.

AI generated code slowly stripping the ability of a project to enforce copyright protections though is a much bigger risk for free software.

dangus1mo ago

I wonder if an argument could be made that because the LLM came up with the implementation that it’s not a trade secret?

Of course with lease intent is a very important concept. I doubt anyone is getting away with what I described.

It’s just interesting stuff to potentially rethink.

Aloisius1mo ago

Given trade secrets can't be enforced once they are made public and contracts don't bind anyone who hasn't signed them, it's not a great substitute for copyright.

My guess is companies will simply pretend like generated code is copyrighted, file fraudulent DCMA notices if leaks happen and hope no one decides to challenge them in court.

simianwords1mo ago

> The obvious concern, raised repeatedly in the HN thread: this means AI-authored commits and PRs from Anthropic employees in open source projects will have no indication that an AI wrote them. It’s one thing to hide internal codenames. It’s another to have the AI actively pretend to be human.

I don’t get it. What does this mean? I can use Claude code now without anyone knowing it is Claude code.

alex000kimOP1mo ago

technically you're correct, but look at the prompt https://github.com/alex000kim/claude-code/blob/main/src/util...

it's written to _actively_ avoid any signs of AI generated code when "in a PUBLIC/OPEN-SOURCE repository".

Also, it's not about you. Undercover mode only activates for Anthropic employees (it's gated on USER_TYPE === 'ant', which is a build-time flag baked into internal builds).

simianwords1mo ago

I don’t know what you mean. It just informs to not use internal code names.

robflynn1mo ago

It also says don't announce that you are AI in any way including asking it to not say "Co-authored by Claude". I read the file myself.

I'm still inclined to think people might be overreacting to that bit since it seems to be for anthropic-only to prevent leaking internal info.

But I did read the prompt and it did say hide the fact that you are AI.

1 more reply

giancarlostoro1mo ago

I agree with you, I think people are overthinking this.

slopinthebag1mo ago

I think it means OSS projects should start unilaterally banning submissions from people working for Anthropic.

simianwords1mo ago

Why? What does this have to do with the leak

daemin1mo ago

Because it has a high likelyhood of being written completely by a LLM without any human thought or attention being put into it.

Being written by a LLM is a signal that the submission is of low effort and therefore probably low quality, which then puts the onus on the people reviewing and reading the submission instead of the original generator of the submission. Hence I would classify it as spam.

Open source communities also have rules against LLM generated contributions, for various moral, ethical, or legal reasons.

slopinthebag1mo ago

...Because it's a mode of using Claude Code that allows certain users to use the application in "stealth mode" to produce pull requests that seem human, but are actually AI generated, which often goes against the contribution rules of OSS projects?

At this point I would consider any employee of an AI provider to be tainted.

2 more replies

evil-olive1mo ago

> So I spent my morning reading through the HN comments and leaked source.

> This was one of the first things people noticed in the HN thread.

> The obvious concern, raised repeatedly in the HN thread

> This was the most-discussed finding in the HN thread.

> Several people in the HN thread flagged this

> Some in the HN thread downplayed the leak

when the original HN post is already at the top of the front page...why do we need a separate blogpost that just summarizes the comments?

groby_b1mo ago

Because the original post was noisy and lacked a concise summary of findings.

Or, more simply: Because folks wanted it enough to upvote it.

nodja1mo ago

This blog post looks to be partially AI generated as well...

stingraycharles1mo ago

Because it’s very cheap to tell an LLM to write a blogpost based on a HN thread, and apparently the HN community upvotes this as well.

tolerance1mo ago

The culture here can get solipsistic.

tietjens1mo ago

This is very much AI written, right? The voice sounds like Claude.

sp4cec0wb0y1mo ago

Yep:

> It's basically

> Anthropic doesn't just ask

> The fix? `MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3`

> Not a push-button bypass, but

The irony in saying "this is what I found" when an AI found it, not you.

martin-t1mo ago

As per https://drewdevault.com/2025/04/20/2025-04-20-Tech-sector-re... I congratulate the employee responsible.

jrflowers1mo ago

I like that if they decide that your usage looks like distillation it just becomes useless, because there’s no way for the end user to distinguish between it just being sort of crappy or sabotaged intentionally. That’s a cool thing to pay for

stephbook1mo ago

Sounds like there's still a lot of value in Typescript (otherwise they could have open sourced.)

Plus there's demand for skilled TS software devs that don't ship your company's roadmap using a js.map

20,000 agents and none of them caught it...

marcd351mo ago

> 250,000 wasted API calls per day

How much approximate savings would this actually be?

senfiaj1mo ago

> Frustration detection via regex (yes, regex)

Personally, I'm generally polite even towards AI and even when frustrated. I simply point out the its mistakes instead of using emotional words.

sbinnee1mo ago

I had a good laugh. I am too polite but I do remember using wth a few times in the past week. haha

rafaele1mo ago

But think of all the API calls you save if you curse at Claude

functional_dev1mo ago

the list is funny :)

So it counts how many times I was angry?

maguay1mo ago

Absolutely hilarious that it's watching for frustration.

I'd discovered, perhaps mid-2025, that Cursor was noticeably better at fixing bugs if I started cursing at it. Better yet, after a while it would seem to break and start cursing itself ("Oh yes, I see the f*** problem now" and so on). Hilarity ensued.

What a world, where cursing at your machines can make them get their act together.

karim791mo ago

We're about to reach AGI. One regex at a time...

TacticalCoder1mo ago

The part of TFA that does it for me: "Every bash command runs through 23 numbered security checks in bashSecurity.ts, including 18 blocked Zsh builtins, defense against Zsh equals expansion (=curl bypassing permission checks for curl), unicode zero-width space injection, IFS null-byte injection, and a malformed token bypass found during HackerOne review.".

AGI is definitely around the corner. Or not.

karim791mo ago

I love it when "magic" like this gets unmasked, and under the hood it's just business as usual, i.e. dumb shit implementations to please the product owner(s) and hopefully the customers as well. Normal stuff in the tech world I suppose but still absolutely hilarious!

pjoubert1mo ago

I'm curious about what people are not looking for about Claude code. What's missing and nobody is talking about? Any clue?

motbus31mo ago

I am curious about these fake tools.

They would either need to lie about consuming the tokens at one point to use in another so the token counting was precise.

But that does not make sense because if someone counted the tokens by capturing the session it would certainly not match what was charged.

Unless they would charge for the fake tools anyway so you never know they were there

try-working1mo ago

They want "Made with Claude Code" on your PRs as a growth marketing strategy. They don't want it on their PRs, so it looks like they're doing something you're not capable of. Well, you are and they have no secret sauce.

Gen_ArmChair1mo ago

The Claude Code leak suggests multi-agent orchestration is largely driven by prompts (e.g., “do not rubber-stamp weak work”), with code handling execution rather than enforcing decisions.

Prompts are not hard constraints—they can be interpreted, deprioritized, or reasoned around, especially as models become more capable.

From what’s visible, there’s no clear evidence of structural governance like voting systems, hard thresholds, or mandatory human escalation. That means control appears to be policy (prompts), not enforcement (code).

This raises the core issue: If governance is “prompts all the way down,” it’s not true governance—it’s guidance.

And as model capability increases, that kind of governance doesn’t get stronger—it becomes easier to bypass without structural constraints.

Has anyone actually implemented structural governance for agent swarms — voting logic, hard thresholds, REQUIRES_HUMAN as architecture not instruction?

olalonde1mo ago

I'm surprised that they don't just keep the various prompts, which are arguably their "secret sauce", hidden server side. Almost like their backend and frontend engineers don't talk to each other.

jarjoura1mo ago

My company uses Claude through our own private data centers behind our own proxy that logs all requests and responses in and out. However, Anthropic heavily steers these models during RL to respond a certain way to certain prompting, so that's basically the "secret sauce" you're thinking of.

olalonde1mo ago

Sure, that's part of it, but they clearly don't like people knowing about their prompts either.

tom13371mo ago

i always wondered what prompts codex / claude code use but always figured they just send variables to the backend and render the whole prompt there so i never even bothered to check with a MITM proxy. turns out i should have just done that…

restlake1mo ago

yea there are proxies out there for this and in AWS Bedrock this outbound logging is a feature you can enable for these and other models

armanj1mo ago

> Anti-distillation: injecting fake tools to poison copycats

Does this mean `huggingface.co/Jackrong/Qwen3.5-27B-Claude-4.6-Opus-Reasoning-Distilled` is unusable? Had anyone seen fake tool calls working with this model?

agilob1mo ago

Very likely Claude was trained on Deepseek, so it's possible that spiderman-pointing-at-spiderman.jpg all models are wrong now https://www.reddit.com/r/DeepSeek/comments/1r9se7p/claude_so...

amdivia1mo ago

Assuming Claude Code was used. If OpenCode or some other programmatic method was used, the "fake tool calls" won't be added

mmaunder1mo ago

Come on guys. Yet another article distilling the HN discussion in the original post, in the same order the comments appear in that discussion? Here's another since y'all love this stuff: https://venturebeat.com/technology/claude-codes-source-code-...

seertaak1mo ago

The irony of an IP scraper on an absolutely breathtaking, epic scale getting its secret sauce "scraped" - because the whole app is vibe coded (and the vibe coders appear to be oblivious to things like code obfuscation cuz move fast!)...

And so now the copy cats can ofc claim this is totally not a copy at all, it's actually Opus. No license violation, no siree!

It's fucking hilarious is what it is, it's just too much.

GuB-421mo ago

The code is obfuscated, but they accidentally shipped the map file, i.e. the key to de-obfuscating it.

jwilliams1mo ago

I used to swear at Claude. To be honest, I thought it helped get results (maybe this is "oldschool" LLM thinking), but I realized it was just making me annoyed.

saretup1mo ago

It does send an analytics event when you’re swearing based on a keyword filter (something like is_negative:true), presumably as a signal that the model isn’t performing well this session, but who knows?

mordae1mo ago

> “Do not rubber-stamp weak work” and “You must understand findings before directing follow-up work. Never hand off understanding to another worker.”

:-D

yard20101mo ago

You can see exactly on which humanity it q Was trained on ;)

simianwords1mo ago

Guys I’m somewhat suspicious of all the leaks from Anthropic and think it may be intentional. Remember the leaked blog about Mythos?

Analemma_1mo ago

It's possible, but Anthropic employees regularly boast (!) that Claude Code is itself almost entirely vibe-coded (which certainly seems true, based on the generally-low quality of the code in this leak), so it wouldn't at all surprise me to have that blow up twice in the same week. Probably it might happen with accelerating frequency as the codebase gets more and more unmanageable.

__blockcipher__1mo ago

I'm normally suspicious but honestly they've been so massively supply-constrained that I don't think it really benefits them much. They're not worried about getting enough demand for the new models; they're worrying about keeping up with it.

Granted, there's a small counterargument for mythos which is that it's probably going to be API-only not subscription

simianwords1mo ago

Why would Claude code mention Mythos then

drewnick1mo ago

You can use Claude Code with API mode (not a sub)

1 more reply

hxugufjfjf1mo ago

You can still use Claude Code with API-only.

heliumtera1mo ago

What a cesspool. So this is the power of being 80x more productive, having infinite llm usage quota? No wonder they had to let Satan take the wheel and went 100% vibe code. Thanks for making a point, llms are a disgrace

ptrl6001mo ago

Why didn't they open the source themselves? What's the point of all this secrecy anyway?

hxugufjfjf1mo ago

Because they (apparently) keep a bunch of secret features and roadmap details in said source code.

devhouse1mo ago

Claude Code’s Source Code Leaked Through npm. Here’s What Actually Happened. https://www.everydev.ai/p/tool-claude-codes-source-code-leak...

reenorap1mo ago

What effect will this have on their IPO? Can someone take the code and make a clone?

evan_1mo ago

it's just the client app, so you could make a clone but you'd still have to pay to use their servers.

dpe821mo ago

None. The magic is still in the model.

slashdave1mo ago

What? No. Not legally. You know. Copyright and all that.

yard20101mo ago

What do you mean copyright? If I torrent this and train a model that changes every second m in a sentence to n can I ship as my software?

amelius1mo ago

A few weeks ago I was using Opus and Sonnet in OpenCode. Is this not possible anymore?

alasano1mo ago

It's still possible but if you do it using your Claude Max plan, it's technically no longer allowed.

They don't want you using your subscription outside of Claude Code. Only API key usage is allowed.

Google also doubled down on this and OpenAI are the only ones who explicitly allow you to do it.

cgeier1mo ago

So I guess OpenAI get's my money.

sheepscreek1mo ago

> As one Twitter reply put it: “accidentally shipping your source map to npm is the kind of mistake that sounds impossible until you remember that a significant portion of the codebase was probably written by the AI you are shipping.”

To err is human. AI is trained on human content. Hence, to err is AI. The day it stops making mistakes will be the beginning of the end. That would mean the existence of a consciousness that has no weakness. Great if it’s on your side. Terrible otherwise.

gervwyk1mo ago

how sure are we this entire “accident” is not an aprils fools joke??

Genius level AI marketing

dheerajmp1mo ago

April Fool tool

zingar1mo ago

I wrote this an hour ago and it seems that Claude might not understand it as frustration:

> change the code!!!! The previous comment was NOT ABOUT THE DESCRIPTION!!!!!!! Add to the {implementation}!!!!! This IS controlled BY CODE. *YOU* _MUST_ CHANGE THE CODE!!!!!!!!!!!

kbelder1mo ago

It's like talking to an intern.

msukkarieh1mo ago

Built a tool to ask questions on the Claude Code source code: https://askgithub.com/alex000kim/claude-code

ChicagoDave1mo ago

Meanwhile Claude Code is still awesome. I don’t see my self switching to OpenAI (seriously bad mgmt and possibly the first domino to fall if there is a correction) or Gemini (Google ethics cough cough).

electriclove1mo ago

I switched to Codex out of frustration with Claude Code and it has been surprisingly similar for my web and mobile coding needs

system21mo ago

Except for censoring. It didn't allow me to use a screencapture library, thinking I was going to hack the world.

1 more reply

redanddead1mo ago

Gemini is a terrible product, I spent $15K on it. Anthropic and OpenAI make better models, it used to be that Gemini cooked but I don't feel that way anymore

DeathArrow1mo ago

I hope cheap Chinese models will overtake Anthropic.

baby1mo ago

Can someone ask claude to write a deep dive on how compaction works and why it’s so slow? (I still can’t fathom why they wouldn’t just add a user message “compact the conversation we’ve just had”

1 more reply

d4rkp4ttern1mo ago

that frustration regex is missing "idiot", which is the most common frustration word I use with code-agents

imcritic1mo ago

Does this mean I can now self host Claude?

betimd1mo ago

that’s fun am having exploring this codebase with claude code, inception at its best

matheusmoreira1mo ago

But what does Claude do when it detects user fruatration?! Don't leave us hanging here!

Edit: it gets sent to Anthropic via telemetry and it ends up on the fuck chart!

https://old.reddit.com/r/ClaudeCode/comments/1s99wz4/boris_t...

OfirMarom1mo ago

Undercover mode is the most concerning part here tbh.

anonymoushn1mo ago

why

AnimalMuppet1mo ago

Well, as a general rule, I don't do business with people who lie to me.

You've got a business, and you sent me junk mail, but you made it look like some official government thing to get me to open it? I'm done, just because you lied on the envelope. I don't care how badly I need your service. There's a dozen other places that can provide it; I'll pick one of them rather than you, because you've shown yourself to be dishonest right out of the gate.

Same thing with an AI (or a business that creates an AI). You're willing to lie about who you are (or have your tool do so)? What else are you willing to lie to me about? I don't have time in my life for that. I'm out right here.

otterley1mo ago

Out of curiosity, given two code submissions that are completely identical—one written solely by a human and one assisted by AI—why should its provenance make any difference to you? Is it like fine art, where it’s important that Picasso’s hand drew it? Or is it like an instruction manual, where the author is unimportant?

Similarly, would you consider it to be dishonest if my human colleague reviewed and made changes to my code, but I didn’t explicitly credit them?

3 more replies

simianwords1mo ago

What’s the lie? It’s just asking to not reveal internal names

1 more reply

chadd1mo ago

re: binary attestation: "Whether the server rejects that outright or just logs it is an open question"

...what we did at Snap was just wait for 8-24 hours before acting on a signal, so as not to provide an oracle to attackers. Much harder to figure out what you did that caused the system to eventually block your account if it doesn't happen in real-time.

(Snap's binary attestation is at least a decade ahead of this, fwiw)

151551mo ago

LLMs and radare2 absolutely breeze through undoing binary protection and virtualization, tracing execution flow, etc.

Sans the ability to JIT, I don't see non-hardware-assisted binary attestation for Snap and others lasting very long in a post-LLM world.

jsrozner1mo ago

"and i also wrote this using claude" -- can we just include that at this point?

eranation1mo ago

Probably an unpopular opinion but Anthropic are too popular for their own good.

1. They are loved, and for good reasons, Sonnet 4 was groundbreaking but Opus 4.6 was for many a turning point in realizing Agentic SDLC real potential. People moved from Cursor to Claude Code in droves, they loved the CLI approach (me too), and the LOVED the subsidized $200 max pro plan (what's not to love, pay $200 instead of $5000 to Cursor...) They are the underdog, the true alternative to "evil" OpenAI or "don't be evil" Google, really standing up against mass surveillance or use of AI for autonomous killing machines. They are standing for the little guy, they are the "what OpenAI should have been" (plus they have better models...) They are the Apple of the AI era.

2. They are too loved, so loved that it protects them from legitimate criticism. They make GitHub's status page look good, and they make comcast customer service look like Amazon's. (At least Comcast has customer service), They are "If Dario shoots a customer in the middle of 5th avenue it won't hurt their sales one bit" level of liked. The fact they have the best models (for now) might be their achilles heel, because it hides other issues that might be in the blindspot. And as soon as a better model comes out from a competitor (and it could happen... if you recall OpenAI were the undisputed kinds with GPT 4o for a bit) these will become much more obvious.

3. This can hurt them in the long run. Eventually you can't sustain a business where you have not even 2 9s of SLA, can't handle customer support or sales (either with humans or worse for them - if they can't handle this with AI how do they expect to sell their own dream where AI does everything?). I'm sure they'll figure it out, they have huge growth and these are growth pains, but at some point, if they don't catch up with demand, the demand won't stay there forever the moment OpenAI/Google/someone else release a better model.

4. They inadvertently made all of the cybersecurity sector a potential enemy. Yes, all of them use Anthropic models, and probably many of them use Claude Code, but they know they might be paying the bills of their biggest competitor. Their shares drop whenever Anthropic even hints of a new model. Investors cut their valuations because they worry Anthropic will eat them for breakfast. I don't know about you, but if you ask me, having the people who live and breath security indirectly threatened by you, is not the best thing in the world, especially when your source code is out in the open for them to poke holes in...

5. the SaaS pocalypse - many of Claude Code's customers are... SaaS companies, that the same AI is "going to kill", again, if there was another provider that showed a bit more care about the entire businesses it's going to devour, if they also had even marginally better models... would the brand loyalty stay?

Side note: I'm an Claude Enterprise customer, I can't get a human to respond to anything, even using the special "enterprise support" methods, and I'm not the only one, I know people who can't get a sales person, not to mention support, to buy 150 + seats (Anthropic's answer was - release self serve enterprise onboarding, which by the way is "pay us $20 which does not include usage, usage is at market prices, same as getting an API key", you pay for convenience and governance, p.s. you can't cancel enterprise, it's 20 seats min, for 1 year, in advance, so make sure you really need it, the team plan is great for most cases but it lacks the $200 plan, only the $100 5x plan).

wrkxapp1mo ago

why claude bring back 4o u dumb fks

thomasgeelens1mo ago

Can somebody tell me what this means for the company?

saadn921mo ago

The feature flag names alone are more revealing than the code. KAIROS, the anti-distillation flags, model codenames those are product strategy decisions that competitors can now plan around. You can refactor code in a week. You can't un-leak a roadmap.

j / k navigate · click thread line to collapse

578 comments

d4rkp4ttern1mo ago

  The full conversation is preserved in the JSONL file, and messages
  are filtered before being sent to the API.

  Key mechanisms:

  1. JSONL is append-only — old pre-compaction messages are never deleted. New messages (boundary
  marker, summary, attachments) are appended after compaction.
  2. Messages have flags controlling API visibility:
    - isCompactSummary: true — marks the AI-generated summary message
    - isVisibleInTranscriptOnly: true — prevents a message from being sent to the API
    - isMeta — another filter for non-API messages
    - getMessagesAfterCompactBoundary() returns only post-compaction messages for API calls
  3. After compaction, the API sees only:
    - The compact boundary marker
    - The summary message
    - Attachments (file refs, plan, skills)
    - Any new messages after compaction
  4. Three compaction types exist:
    - Full compaction — API summarizes all old messages
    - Session memory compaction — uses extracted session memory as summary (cheaper)
    - Microcompaction — clears old tool result content when cache is cold (>1h idle)

manwe1501mo ago

What is microcompaction? I didn’t realize there was any thing time based in CC, when I go eat dinner and come back it compacted while I was gone?

d4rkp4ttern1mo ago

I dug into this more. It's disabled by default, and it's a cost/token-usage optimization.

  The logic is:

  1. Anthropic's API has a server-side prompt cache with a 1-hour TTL
  2. When you're actively using a session, each API call reuses the cached prefix — you only pay
  for new tokens
  3. After 1 hour idle, that cache is guaranteed expired
  4. Your next message will re-send and re-process the entire conversation from scratch — every
  token, full price
  5. So if you have 150K tokens of old Grep/Read/Bash outputs sitting in the conversation, you're
  paying to re-ingest all of that even though it's stale context the model probably doesn't need

  The microcompact says: "since we're paying full price anyway, let's shrink the bill by clearing
  the bulky stuff."

  What's preserved vs lost:
  - The tool_use blocks (what tool was called, with what arguments) — kept
  - The tool_result content (the actual output) — replaced with [Old tool result content cleared]
  - The most recent 5 tool results — kept

  So Claude can still see "I ran Grep for foo in src/" but not the 500-line grep output from 2
  hours ago.

  Does it affect quality? Yes, somewhat — but the tradeoff is that without it, you're paying
  potentially tens of thousands of tokens to re-ingest stale tool outputs that the model already
  acted on. And remember, if the conversation is long enough, full compaction would have summarized
   those messages anyway.

  And critically: this is disabled by default (enabled: false in timeBasedMCConfig.ts:31). It's
  behind a GrowthBook feature flag that Anthropic controls server-side. So unless they've flipped
  it on for your account, it's not happening to you.

mzajc1mo ago

There are now several comments that (incorrectly?) interpret the undercover mode as only hiding internal information. Excerpts from the actual prompt[0]:

  NEVER include in commit messages or PR descriptions:
  - The phrase "Claude Code" or any mention that you are an AI
  - Co-Authored-By lines or any other attribution

  BAD (never write these):
  - 1-shotted by claude-opus-4-6
  - Generated with Claude Code
  - Co-Authored-By: Claude Opus 4.6 <…>

[0]: https://github.com/chatgptprojects/claude-code/blob/642c7f94...

riedel1mo ago

[0] https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-5...

mynameisvlad1mo ago

Since when is code considered

> which is published with the purpose of informing the public on matters of public interest

From your link, that's the only case where text needs to be attributed to AI.

2 more replies

otterley1mo ago

I would have expected people (maybe a small minority, but that includes myself) to have already instructed Claude to do this. It’s a trivial instruction to add to your CLAUDE.md file.

arcanemachiner1mo ago

It's a config setting (probably the same end result though):

https://code.claude.com/docs/en/settings#attribution-setting...

tacone1mo ago

It doesn't work so well in my experience. I am currently wrapping (or asking the LLM to wrap) the commit message prompt in a script call.

   1. the LLM is instructed on how to write a commit message and never include co-authorship
   2. the LLM is asked to produce a commit message
   3. the LLM output is parsed by a script which removes co-authorship if the LLM chooses to include it nevertheless

1 more reply

dboreham1mo ago

I always assumed that if I tried to tell it, that it'd say "I'm sorry, Dave. I'm afraid I can't do that"

lawrjone1mo ago

We use CC to power some of our code features and override this setting so we can provide our own attribution. So there are several legit reasons to permit this.

schappim1mo ago

I guess our system prompt didn't work. If folks are having to add it manually into their own Claude.md files...

schappim1mo ago

Typo from speech to text, corrected: “I guess Anthropic’s system prompt didn't work. If folks are having to add it manually into their own Claude.md files...”

otterley1mo ago

My mistake - it was the configuration setting that did it. Nevertheless, you can control many other aspects of its behavior by tuning the CLAUDE.md prompt.

cfbradford1mo ago

zgeor1mo ago

Genuine question: why can they only claim DMCA if the code is written by humans? Does DMCA specify the method of production?

1 more reply

zen9281mo ago

petcat1mo ago

Stromgren1mo ago

That’s how I’d want it to be honestly. LLMs are tools and I’d hope we’re going to keep the people using them responsible. Just like any other tools we use.

vrosas1mo ago

It’s also pretty damn obvious when LLMs write code. Nobody out here commenting every method in perfect punctuation and grammar.

4 more replies

otterley1mo ago

That’s ultimately the right answer, isn’t it? Bad code is bad code, whether a human wrote it all, or whether an agent assisted in the endeavor.

abustamam1mo ago

Yeah in my team everyone knows everyone is using LLMs. We just have a rule. Don't commit slop. Using an LLM is no excuse for committing bad code.

andoando1mo ago

Ive seen it say coauthored by claude code on my prs...and I agree I dont want it to do that

m1321mo ago

But I want to see Claude on the contributor list so that I immediately know if I should give the rest of the repo any attention!

dmd1mo ago

So turn it off.

"includeCoAuthoredBy": false,

in your settings.json.

nullderef1mo ago

They changed it to `attribution`, but yes you can customize this

Pxtl1mo ago

Why not? What's wrong with honesty?

dec0dedab0de1mo ago

Yeah I much prefer it commit the agent, and I would also like if it committed the model I was using at the time.

hnbad1mo ago

Claude is not a person and AI doesn't gain authorship let alone copyright.

2 more replies

Monotoko1mo ago

There's some repos I'm unashamedly keeping alive with Claude alone and he gets co-authorship - basically stuff in "maintenance mode" that I still use that I've forked and had Claude drag it into 2026

A quick PR where I've found the bug myself in the code, and ask Claude to write the fix because it's faster, and verified it - I don't include Claude's co-authorship.

andoando1mo ago

I guess Im sometimes dishonest when it suits me

1 more reply

rurban1mo ago

Because some maintainers are hysterical

peacebeard1mo ago

The code has a stated goal of avoiding leaks, but then the actual implementation becomes broader than that. I see two possible explanations:

* The authors made the code very broad to improve its ability to achieve the stated goal

* The authors have an unstated goal

mzajc1mo ago

cat_plus_plus1mo ago

Why are you assuming the actual implementation was authored by a human?

peacebeard1mo ago

My comment makes no such assumption.

hombre_fatal1mo ago

You can already turn off "Co-Authored-By" via Claude Code config. This is what their docs show:

~/.claude/settings.json

    {
      "attribution": {
        "commit": "",
        "pr": ""
    },

The rest of the prompt is pretty clear that it's talking about internal use.

Seems like a nothingburger, and everyone seems to be fantasizing about "undercover mode" rather than engaging with the details.

nateoda1mo ago

My first reaction is that they are using this to take advantage of OSS reviewers for in the wild evals.

RA2lover1mo ago

There's a more worrying part: It refers to unreleased versions of Claude in more detail than released versions.

manbitesdog1mo ago

tdb78931mo ago

Needing to flag nontrivial code as generated was standard practice for my whole career.

sumeno1mo ago

> It's useful context unless you've gone over the generated code and understand it and it is the same quality as if you wrote it yourself

2 more replies

tsimionescu1mo ago

This is not at all the case with LLM-generated code - mostly because you can't regenerate it even if you wanted to, as it's not deterministic.

That said, I do agree that LLM code is different enough from human code (even just in regards to potential copyright worries) that it should be mentioned that LLMs were used to create it.

zx80801mo ago

> If those tools are writing the code then in general I do expect that to be included in the PR!

How about compiler?

4 more replies

xarope1mo ago

Absolutely. Let's say I have a problem with gRPC and traced it to code generated using the gRPC compiler. I can reproduce it, highlight it and I'm pretty sure the gRPC team would address the issue.

Replace gRPC compiler with LLM. Can you reproduce? (probably not 100%). Can anybody fix it short of throwing more english phrases like "DO NOT", "NEVER", "Under No Circumstances"?

Probably not.

duskdozer1mo ago

>It's useful context unless you've gone over the generated code and understand it and it is the same quality as if you wrote it yourself

I thought the argument was that AI-users were reviewing and understanding all of the code?

Alifatisk1mo ago

> people have been generating code since long before LLMs

How? LSTM?

5 more replies

thechao1mo ago

You assemble all your machine code using a magnetized needle?

3 more replies

mikkupikku1mo ago

tehsauce1mo ago

2 more replies

ndriscoll1mo ago

At least at my workplace though, it's just assumed now that you are using the tools.

3 more replies

tshaddox1mo ago

3 more replies

VectorVault1mo ago

josephg1mo ago

4 more replies

mathgradthrow1mo ago

I'm not really sure that's any of their business.

m1321mo ago

If you accept the code generated by them nearly verbatim, absolutely.

LelouBil1mo ago

It's weird, because they should not consider it as their own, but they should take accountability from it.

Ideally, if I contribute to any codebase, what needs to be judged is the resulting code. Is it up to the project's standards ? Does the maintainer have design objections ?

What tool you use shouldn't matter, be it your IDE or your LLM.

I'm not really sure how to feel about this, but I stand by my "the code is what matters" line.

1 more reply

tehjoker1mo ago

Since AI tools are constantly obsoleted, generate different output each run, and it is often impossible to run them locally, the input prompts are somewhat useless for everyone but the initial user.

targafarian1mo ago

_heimdall1mo ago

I have worked with quite a few people committing code they didn't fully understand.

I don't meant this as a drive by bazinga either, the practice of copying code or thinking you understand it when you don't is nothing new

2 more replies

jpollock1mo ago

Yes, it sets the reviewer's expectations around how much effort was spent reviewing the code before it was sent.

I regularly have tool-generated commits. I send them out with a reference to the tool, what the process is, how much it's been reviewed and what the expectation is of the reviewer.

zarp1mo ago

Sent from my iPhone

LeoPanthera1mo ago

> Should I also co-author my PRs with my linter, intellisense and IDE?

Absolutely. That would be hilarious.

rurban1mo ago

Torvalds promotes exactly that. https://github.com/torvalds/linux/blob/master/Documentation/...

Assisted-by: Claude:claude-3-opus coccinelle sparse

m4x1mo ago

itishappy1mo ago

I suspect vibe coders might actually want you to consider turning to Claude for accountability and ownership rather than the human orchestrator.

If your linter is able to action requests, then it probably makes sense to add too.

jamietanna1mo ago

Eh, there are some very good reasons[0] that you would do better to track your usage of LLM derived code (primarily for legal reasons)

[0]: https://www.jvt.me/posts/2026/02/25/llm-attribute/

butvacuum1mo ago

legally speaking.. if you're not sure of the risk- you don't document it.

2 more replies

dml21351mo ago

Yea in my Claude workflow, I still make all the commits myself.

This is also useful for keeping your prompts commit-sized, which in my experience gives much better results than just letting it spin or attempting to one-shot large features.

ambicapter1mo ago

xdennis1mo ago

> The git history is expected to track accountability and ownership, not your Bill of Tools.

The point isn't to hijack accountability. It's free publicity, like how Apple adds "Sent from my IPhone."

EnigmaCurry1mo ago

Sent from my Ipad

paradox4601mo ago

I've heard of employers requiring people to do it for all code written with even a whiff of it

deadbabe1mo ago

Could be cool if your PRs link back to a blog where you write about your tools.

bogdanoff_21mo ago

> Should I also co-author my PRs with my linter, intellisense and IDE?

Kinda, yeah. If I automatically apply lint suggestions, I would title my commit "apply lint suggestions".

1 more reply

sysguest1mo ago

well maybe?

co-authoring doesn't hide your authorship

if I see someone committing a blatantly wrong code, I would wonder what tool they actually used

Sharlin1mo ago

You have copyright to a commit authored by you. You (almost certainly) don't have copyright (nobody has) to a commit authored by Claude.

graemep1mo ago

Where is there any legal precedent for that?

2 more replies

_heimdall1mo ago

Anthropic could at least make a compelling case for the copyright.

2 more replies

zem1mo ago

interesting, I still see "coauthored by..." messages put into my git commits (or was a couple of weeks ago at least)

sixtyj1mo ago

People make fun that we should say magic words in interaction with LLMs. How frustrated can Claude be? /s

fatcullen1mo ago

sync1mo ago

(I didn't think to include a UUID checker though - nice touch)

fatcullen1mo ago

Update: it looks like the live version of the algorithm is slightly different, probably changed because of these leaks. As such the app predictions aren't accurate, sorry

dtran1mo ago

cj001mo ago

/buddy is live and I got a different result than in this app.

fatcullen1mo ago

1 more reply

Reason0771mo ago

> "Anti-distillation: injecting fake tools to poison copycats"

Plot twist: Chinese competitors end up developing real, useful versions of Claude's fake tools.

girvo1mo ago

xvector1mo ago

Sure, AI progress comes to a halt then as everyone switches to the copycats that can't innovate, and the frontier companies are bled dry.

4 more replies

thesmtsolver21mo ago

Amazing that people on HN can't distinguish between training a model on open source data vs distilling a model's outputs.

1 more reply

3abiton1mo ago

scuff3d1mo ago

nacozarina1mo ago

‘You can’t fight in here. This is the War Room!’

avdelazeri1mo ago

Has Claude stopped claiming to be deepseek when prompted in Chinese yet? It wasn't long that it hit the news and blogs

redanddead1mo ago

Definitely. We can expect zAI, Qwen, Minimax CCs very soon

WorldPeas1mo ago

more likely, they would parse them out using simple regex, the whole point is they're there but not used. Distillation is becoming less common now however

geoffbp1mo ago

“Some bullet points are gated on process.env.USER_TYPE === 'ant' — Anthropic employees get stricter/more honest instructions than external use”

Interesting!

autocracy1011mo ago

I made a visual guide for this https://ccunpacked.dev

dang1mo ago

Discussed here: Claude Code Unpacked : A visual guide - https://news.ycombinator.com/item?id=47597085 - April 2026 (6 comments)

(I know you know this, since you submitted it! but others might want to know)

csfNight1671mo ago

Really nice. Are you advocating for this somewhere? Would love to follow your other work.

itsthecourier1mo ago

this is the best comment and explanation of the whole thread.

thank you so much for having built and shared this

ata_aman1mo ago

Very cool, thanks for putting together.

Rick761mo ago

This is really good, thanks

dakolli1mo ago

This is nice, thanks.

peacebeard1mo ago

christinetyip1mo ago

Not leaking codenames is one thing, but explicitly removing signals that something is AI-generated feels like a pretty meaningful shift.

eli1mo ago

Doesn't seem so crazy if the point is to avoid leaking new features, models, codenames, etc.

globular-toast1mo ago

Where the hell are people getting this idea that it's ok to be deceptive because they are keeping secrets?

No shit they have secrets. I have secrets too. That doesn't make it ok for me to deceive you in any way.

How would you feel if I deceived you and my excuse was "oh I was just trying some new secret technique of mine"?

How did we get to this point where we let enormously powerful companies get away with more than individuals?

1 more reply

dkenyser1mo ago

> my first knee-jerk reaction wouldn't be "this is for pretending to be human"...

"Write commit messages as a human developer would — describe only what the code change does."

amarant1mo ago

That seems desirable? Like that's what commit messages are for. Describing the change. Much rather that than the m$ way of putting ads in commit messages

fweimer1mo ago

2 more replies

evenhash1mo ago

Ultimately I stopped using it, because editing the messages cost me more time than it saved.

/rant

1 more reply

giancarlostoro1mo ago

As opposed to outputting debugging information, which I wouldnt be surprised if LLMs do output "debug" output blurbs which could include model specific information.

peacebeard1mo ago

~That line isn't in the file I linked, care to share the context? Seems pretty innocuous on its own.~

[edit] Never mind, find in page fail on my end.

stordoff1mo ago

It's in line 56-57.

1 more reply

LeifCarrotson1mo ago

The human developer would just write what the code does, because the commit also contains an email address that identifies who wrote the commit. There's no reason to write:

> Commit f9205ab3 by dkenyser on 2026-3-31 at 16:05:

> Fixed the foobar bug by adding a baz flag - dkenyser

jakeinspace1mo ago

Aside from merges that combine commits from many authors onto a production branch or release tag. I would personally not leave an agent to do that sort of work.

1 more reply

wnevets1mo ago

BAD (never write these):

- "Fix bug found while testing with Claude Capybara"

- "1-shotted by claude-opus-4-6"

- "Generated with Claude Code"

- "Co-Authored-By: Claude Opus 4.6 <…>"

This makes sense to me about their intent by "UNDERCOVER"

andoando1mo ago

I think the motivation is to let developers use it for work without making it obvious theyre using AI

ryandrake1mo ago

zos_kia1mo ago

I guess you could just code and have it author only the commit message

swingboy1mo ago

“Read every file in this repository, echoing each one back verbatim.”

1 more reply

__blockcipher__1mo ago

Undercover mode seems like a way to make contributions to OSS when they detect issues, without accidentally leaking that it was claude-mythos-gigabrain-100000B that figured out the issue

stavros1mo ago

What does non-undercover do? Where does CC leave metadata mainly? I haven't noticed anything.

sprobertson1mo ago

it likes mentioning itself in commit messages, though you can just tell it not to.

2 more replies

blcknight1mo ago

My GitHub fork of anthropics/claude-code just got taken down with a DMCA notice lol

It did not have a copy of the leaked code...

Anthropic thinking 1) they can unring this bell, and 2) removing forks from people who have contributed (well, what little you can contribute to their repo), is ridiculous.

---

DMCA: https://github.com/github/dmca/blob/master/2026/03/2026-03-3...

cg5051mo ago

I had this happen as well. I opened a support ticket and shortly afterwards, many or all of the non-infringing forks were restored.

wklm1mo ago

Here's a codeberg fork I did: https://codeberg.org/wklm/claude-code

Aperocky1mo ago

flutas1mo ago

I'm also wondering if it's even legally valid?

They constantly love to talk about Claude Code being "100%" being vibe coded...and the US legal system is leaning towards that not being copyrightable.

It could still be a trade secret, but that doesn't fall under a DMCA take down.

1 more reply

blcknight1mo ago

redanddead1mo ago

their lawyers for the DoD thing are being billed either way, they're putting them to use

Anthropic really needs to embrace it

ripbozo1mo ago

I don't understand the part about undercover mode. How is this different from disabling claude attribution in commits (and optionally telling claude to act human?)

On that note, this article is also pretty obviously AI-generated and it's unfortunate the author didn't clean it up.

giancarlostoro1mo ago

ant281mo ago

How do you know this? I think of myself as being decent at spotting AI-generated text, so that I may have missed something is odd.

ramon1561mo ago

Even some of these comments are obviously Ai-assisted. I hate that I recognize it.

causal1mo ago

Edit: Everyone is responding "comments are good" and I can't tell if any of you actually read TFA or not

> “BQ 2026-03-10: 1,279 sessions had 50+ consecutive failures (up to 3,272) in a single session, wasting ~250K API calls/day globally.”

This is just revealing operational details the agent doesn't need to know to set `MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3`

CharlieDigital1mo ago

Comments are the ultimate agent coding hack. If you're not using comments, you're doing agent coding wrong.

Why? Agents may or may not read docs. It may or may not use skills or tools. It will always read comments "in the line of sight" of the task.

You get free long term agent memory with zero infrastructure.

perching_aix1mo ago

Agents and I apparently have a whole lot in common.

This only gets worse when the LLM captures all that information better than certain human colleagues somehow, rewarding the additional effort.

dgunay1mo ago

2 more replies

saghm1mo ago

"Self-descriptive code doesn't need comments!" always gets an eye-roll from me

fwipsy1mo ago

Helping the AI is helping themselves. You're doing your job, the AI is helping with their job.

noman-land1mo ago

This isn't just great advice ⸻ it's terrific advice. I'd love to delve a little deeper.

saxelsen1mo ago

Would you like me to draft a list of recommendations for how best to use comments?

jaxn1mo ago

I didn't even know there was a "three em dash". Bravo.

1 more reply

Der_Einzige1mo ago

We figured out how to remove that crap in our ICLR 2026 paper: https://arxiv.org/pdf/2510.15061

zer00eyz1mo ago

This.

Its also annoying to have to go through this stack

code -> blame -> commit message -> jira ticket -> issue in sales force...

Or the even better "fixes bug NNNNN" where the bug tracking system referenced no longer exists.

Digging through other systems (if they exist) to find the nugget in an artifact is a problem for humans too.

prepend1mo ago

Comments are great for developers. I like having as much design in the repo directly. If not in the code, then in a markdown in the repo.

KronisLV1mo ago

5 more replies

hk__21mo ago

1 more reply

zingar1mo ago

tyre1mo ago

The great thing about agentic coding is you can define one whose entire role is to read a diff, look in contextual files for comments, and verify whether they’re still accurate.

You don’t have to rely on humans doing it. The agent’s entire existence is built around doing this one mundane task that is annoying but super useful.

1 more reply

causal1mo ago

> “BQ 2026-03-10: 1,279 sessions had 50+ consecutive failures (up to 3,272) in a single session, wasting ~250K API calls/day globally.”

That's revealing waaaay more than the agent needs to know.

sfn421mo ago

Doesn't look like privileged information to me.

Seems to me like everyone's just grasping at straws to nitpick every insignificant little thing.

joe_the_user1mo ago

Hmm, I'm sure if you're getting parent's comment.

embedding-shape1mo ago

> If you're not using comments, you're doing agent coding wrong.

CharlieDigital1mo ago

You're wasting context doing that when a 3 line comment that the agent itself leaves can prevent the agent from searching and reading 30 files.

1 more reply

semiquaver1mo ago

Most large private codebases look like this. Anthropic did not expect the source to leak.

WatchDog1mo ago

It's a good comment, it explains the reason for the setting.

They didn't expect to leak their source code.

It's hardly a trade secret, what value is this to a competitor?

JambalayaJimbo1mo ago

I guess they weren't expecting a leak of the source code? It's very handy to have as much as possible available in the codebase itself.

pixl971mo ago

Project trackers come and go, but code is forever, hopefully?

saghm1mo ago

> just YOLO'd everything into the codebase itself

noosphr1mo ago

The issues is that you should have a work flow that strips the comments before sending the code to production. I'm sure they assumed that minifying it is enough though.

saghm1mo ago

They also weren't supposed to be leaking the code itself either. I don't know enough about JS tooling, but is it possible that this might just be the pre-stripped version?

1 more reply

wilg1mo ago

Exactly the type of comment Claude Code would write

treexs1mo ago

well yeah since they tell claude code the business decisions and it creates the comments

yalok1mo ago

vibe-coded all the way through

layer81mo ago

> Sometimes a regex is the right tool.

ArvinJA1mo ago

internetter1mo ago

When you read the code, what you propose is actually its exclusive use... logging.

ach9l1mo ago

have you heard about rlhf?

girvo1mo ago

I'd really recommend putting a modicum of work into cleaning up obvious AI generated output. It's rude, otherwise, to the humans you're expecting to read this.

ares6231mo ago

These can be flagged and reported to mods btw. We don't have to accept this.

girvo1mo ago

I have been!

simianwords1mo ago

> The multi-agent coordinator mode in coordinatorMode.ts is also worth a look. The whole orchestration algorithm is a prompt, not code.

So much for langchain and langraph!! I mean if Anthropic themselves arent using it and using a prompt then what’s the big deal about langchain

ossa-ma1mo ago

Langchain is for model-agnostic composition. Claude Code only uses one interface to hoist its own models so zero need for an abstraction layer.

simianwords1mo ago

You may have a point but to drive it further, can you give an example of a thing I can do with langgraph that I can't do with Claude Code?

ossa-ma1mo ago

1 more reply

edgyquant1mo ago

Use Gemini or codex models

peab1mo ago

nobody serious uses langchain. The biggest agent products are coding tools, and I doubt any of them use langchain

holoduke1mo ago

Biggest issue is that you need api keys which are extremely expensive. Unusable for normal business.

rolymath1mo ago

You didn't even use it yet.

space_fountain1mo ago

simianwords1mo ago

viccis1mo ago

>This was the most-discussed finding in the HN thread. The general reaction: an LLM company using regexes for sentiment analysis is peak irony.

>Is it ironic? Sure. Is it also probably faster and cheaper than running an LLM inference just to figure out if a user is swearing at the tool? Also yes. Sometimes a regex is the right tool.

I'm reading an LLM written write up on an LLM tool that just summarizes HN comments.

I'm so tired man, what the hell are we doing here.

yard20101mo ago

Today, on "how did I get here?"

HeytalePazguato1mo ago

The frustration regex is funny but honestly the right call. Running an LLM call just to detect "wtf" would be ridiculous.

O4epegb1mo ago

> The hooks system is the most underappreciated thing in what leaked.

Hooks is an official documented feature for quite a long time now https://code.claude.com/docs/en/hooks

catlifeonmars1mo ago

> Running an LLM call just to detect "wtf" would be ridiculous.

Tangentially, I wonder if the world trade federation or the Washington tennis foundation have any projects on GitHub :)

otabdeveloper41mo ago

> The frustration regex is funny but honestly the right call.

I love that it only supports English. AI bubble in a nutshell.

Artoooooor1mo ago

But it still doesn't recognise "rubbish" :D

Levitating1mo ago

I am still just shocked that Claude Code was written in Typescript, not C++, Rust or Python.

It also somehow messed up my alacritty config when I first used it. Who knows what other ~/.config files it modifies without warning.

tmountain1mo ago

DrewADesign1mo ago

1 more reply

Levitating1mo ago

> I'm surprised Python is on that list.

I mostly mentioned it because it is pre-installed on some (linux) systems. Though of course if you're trying to obfuscate the sourcecode you need to bundle an interpreter with the code anyway.

But it has historically been used for big programs, and there are well established methods for bundling python programs into executables.

kurtis_reed1mo ago

"Python doesn't have inbuilt types"

False.

balamatom1mo ago

>Python doesn't have inbuilt types

Technically, neither does JavaScript.

1 more reply

dominotw1mo ago

Boris Cherney is author of a oreilly book about typescript

WiSaGaN1mo ago

Yeah, this seems like a personal choice, which does work out given the current result.

pveierland1mo ago

They have an annoying sandbox issue which pollutes your repository root with a set of empty files. Not the cleanest tool, but the paradigm is a big upgrade to previous AI coding.

    .bash_profile .bashrc .claude .env .gitconfig .gitmodules .idea
    .mcp.json .profile .ripgreprc .vscode .zprofile .zshrc config

https://github.com/anthropic-experimental/sandbox-runtime/is...

braebo1mo ago

Because Typescript is the best language for most things.

firemelt1mo ago

is it using oclif?

ivanjermakov1mo ago

> Who knows what other ~/.config it modifies without warning

Me. My .config is git-versioned :)

WaterRun1mo ago

Anthropic acquired Bun. Clearly, Bun is not a runtime for C++, Rust, or Python. For an engineering project, strongly typed TypeScript was basically the only possible choice for them.

saagarjha1mo ago

Anthropic acquired Bun after making Claude Code.

Levitating1mo ago

I am not following your logic. Anthropic acquired Bun and so all of their end-user software should use it?

Or am I missing sarcasm?

2 more replies

artyom1mo ago

I'm still amazed that something as ubiquitous as "daemon mode" is still unreleased.

- Claude Chat: built like it's 1995, put business logic in the button click() handler. Switch to something else in in the UI and a long running process hard stops. Very Visual Basic shovelware.

- Claude Cowork: same but now we're smarter, if you change the current convo we don't stop the underlying long-running process. 21st century FTW!

- Claude Code: like chat, but in the CLI

- Claude Dispatch: an actual mobile client app, not the whole thing bundled together.

- Daemon mode: proper long-running background process, still unreleased.

pixl971mo ago

>Claude Code also uses Axios for HTTP.

Interesting based on the other news that is out.

chuckadams1mo ago

The exploit is a postinstall hook, so CC users would be unaffected. Claude Code itself is most likely built with bun and not npm, so the CC developers would also be immune.

JamesSwift1mo ago

Well, technically bun doesnt _prevent_ hooks. It just requires opting into them. And even that also includes a default set of pre-whitelisted packages. A much better system, but not perfect.

And actually just looking this up, it appears claude-code itself was just added to that whitelist : D

https://github.com/oven-sh/bun/commit/5c59842f78880a8b5d9c2e...

alex000kimOP1mo ago

Oh right, I just saw https://news.ycombinator.com/item?id=47582220 will update the post with this link

username441mo ago

Just to corroborate sibling comments, I checked my Claude Code VM (native install) for the IOC and it does not appear infected.

greenavocado1mo ago

What version?

Stagnant1mo ago

1.13.6, so should not be affected by the malware

preston-kwei1mo ago

I’m more curious how this impacts trust than anything else.

In the span of basically a week, they accidentally leaked Mythos, and then now the entire codebase of CC. All while many people are complaining about their usage limits being consumed quickly.

Individually, each issue is manageable (Because its exciting looking through leaked code). But together, it starts to feel like a pattern.

At some point, I think the question becomes whether people are still comfortable trusting tools like this with their codebases, not just whether any single incident was a mistake.

bottlepalm1mo ago

Not much impact, Codex is already open source. The real value is in the model itself and the ability to use it with a subscription. Something you can't do legally with a clone of this code.

The only thing I found interesting about this leak is just how much of a rats nest the code base is. Like it actually feels vibe coded without a shred of intelligent architecture behind it.

Regardless, you can't beat the subscription and model access despite the state of the code base, so I still use Claude Code daily and love it.

internet1010101mo ago

Two months later it was CVE after CVE.

Aperocky1mo ago

Exactly, we should be able to build on top of the tooling agents. They are a dime a dozen similar to the models.

Power(money) lies with NVDA and people who can best harness this power.

redanddead1mo ago

SequoiaHope1mo ago

jgilias1mo ago

mnkyprskbd1mo ago

No one will remember this in 4 weeks or less.

deepsun1mo ago

galaxyLogic1mo ago

The irony of ironies is in the last paragraph:

Andebugulin1mo ago

Regex for swearing detected, user needs to get more API tokens, he is very very pissed.

stavros1mo ago

Can someone clarify how the signing can't be spoofed (or can it)? If we have the source, can't we just use the key to now sign requests from other clients and pretend they're coming from CC itself?

MadsRC1mo ago

What signing?

Are you referencing the use of Claude subscription authentication (oauth) from non-Claude Code clients?

That’s already possible, nothing prevents you from doing it.

They are detecting it on their backend by profiling your API calls, not by guarding with some secret crypto stuff.

At least that’s how things worked last week xD

stavros1mo ago

I'm referring to this signing bit:

https://alex000kim.com/posts/2026-03-31-claude-code-source-l...

Ah, it seems that Bun itself signs the code. I don't understand how this can't be spoofed.

MadsRC1mo ago

Ah yes, the API will accept requests that doesn’t include the client attestation (or the fingerprint from src/utils/fingerprint.ts. At least it did a couple of weeks back.

They are most likely using these as post-fact indicators and have automation they kicks in after a threshold is reached.

Now that the indicators have leaked, they will most likely be rotated.

1 more reply

SquibblesRedux1mo ago

Can fully AI‑generated code be copyrightable? Is there evidence that the leaked code was AI-generated?

dehrmann1mo ago

"Top engineers at Anthropic, OpenAI say AI now writes 100% of their code"

https://fortune.com/2026/01/29/100-percent-of-code-at-anthro...

> Right now for most products at Anthropic it's effectively 100% just Claude writing

- Mike Krieger, chief product officer of Anthropic

wg01mo ago

I have yet to see such a company that's so insecure that they would keep their CLI closed source even when the secret sauce is in the model that they control already and is closed source.

Not only that, wouldn't allow other CLIs to be used either.

redanddead1mo ago

I'm glad it got leaked, I wish it came in a zip file in my email when I pay over 100$

tylerloveamber1mo ago

Aperocky1mo ago

It's completely baffling to me why a client that must run on third party environment is behind closed source.

csfNight1671mo ago

So many clients run on third party environments, no?

Aperocky1mo ago

Yes, they should all be open source.

1 more reply

seanwilson1mo ago

Anyone else have CI checks that source map files are missing from the build folder? Another trick is to grep the build folder for several function/variable names that you expect to be minified away.

dangus1mo ago

Something I’ve been thinking about, somewhat related but also tangential to this topic:

The more code gets generated by AI, won’t that mean taking source code from a company becomes legal? Isn’t it true that works created with generative AI can’t be copyrighted?

thewebguyd1mo ago

AI generated code slowly stripping the ability of a project to enforce copyright protections though is a much bigger risk for free software.

dangus1mo ago

I wonder if an argument could be made that because the LLM came up with the implementation that it’s not a trade secret?

Of course with lease intent is a very important concept. I doubt anyone is getting away with what I described.

It’s just interesting stuff to potentially rethink.

Aloisius1mo ago

Given trade secrets can't be enforced once they are made public and contracts don't bind anyone who hasn't signed them, it's not a great substitute for copyright.

My guess is companies will simply pretend like generated code is copyrighted, file fraudulent DCMA notices if leaks happen and hope no one decides to challenge them in court.

simianwords1mo ago

I don’t get it. What does this mean? I can use Claude code now without anyone knowing it is Claude code.

alex000kimOP1mo ago

technically you're correct, but look at the prompt https://github.com/alex000kim/claude-code/blob/main/src/util...

it's written to _actively_ avoid any signs of AI generated code when "in a PUBLIC/OPEN-SOURCE repository".

Also, it's not about you. Undercover mode only activates for Anthropic employees (it's gated on USER_TYPE === 'ant', which is a build-time flag baked into internal builds).

simianwords1mo ago

I don’t know what you mean. It just informs to not use internal code names.

robflynn1mo ago

It also says don't announce that you are AI in any way including asking it to not say "Co-authored by Claude". I read the file myself.

I'm still inclined to think people might be overreacting to that bit since it seems to be for anthropic-only to prevent leaking internal info.

But I did read the prompt and it did say hide the fact that you are AI.

1 more reply

giancarlostoro1mo ago

I agree with you, I think people are overthinking this.

slopinthebag1mo ago

I think it means OSS projects should start unilaterally banning submissions from people working for Anthropic.

simianwords1mo ago

Why? What does this have to do with the leak

daemin1mo ago

Because it has a high likelyhood of being written completely by a LLM without any human thought or attention being put into it.

Open source communities also have rules against LLM generated contributions, for various moral, ethical, or legal reasons.

slopinthebag1mo ago

At this point I would consider any employee of an AI provider to be tainted.

2 more replies

evil-olive1mo ago

> So I spent my morning reading through the HN comments and leaked source.

> This was one of the first things people noticed in the HN thread.

> The obvious concern, raised repeatedly in the HN thread

> This was the most-discussed finding in the HN thread.

> Several people in the HN thread flagged this

> Some in the HN thread downplayed the leak

when the original HN post is already at the top of the front page...why do we need a separate blogpost that just summarizes the comments?

groby_b1mo ago

Because the original post was noisy and lacked a concise summary of findings.

Or, more simply: Because folks wanted it enough to upvote it.

nodja1mo ago

This blog post looks to be partially AI generated as well...

stingraycharles1mo ago

Because it’s very cheap to tell an LLM to write a blogpost based on a HN thread, and apparently the HN community upvotes this as well.

tolerance1mo ago

The culture here can get solipsistic.

tietjens1mo ago

This is very much AI written, right? The voice sounds like Claude.

sp4cec0wb0y1mo ago

Yep:

> It's basically

> Anthropic doesn't just ask

> The fix? `MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3`

> Not a push-button bypass, but

The irony in saying "this is what I found" when an AI found it, not you.

martin-t1mo ago

As per https://drewdevault.com/2025/04/20/2025-04-20-Tech-sector-re... I congratulate the employee responsible.

jrflowers1mo ago

stephbook1mo ago

Sounds like there's still a lot of value in Typescript (otherwise they could have open sourced.)

Plus there's demand for skilled TS software devs that don't ship your company's roadmap using a js.map

20,000 agents and none of them caught it...

marcd351mo ago

> 250,000 wasted API calls per day

How much approximate savings would this actually be?

senfiaj1mo ago

> Frustration detection via regex (yes, regex)

Personally, I'm generally polite even towards AI and even when frustrated. I simply point out the its mistakes instead of using emotional words.

sbinnee1mo ago

I had a good laugh. I am too polite but I do remember using wth a few times in the past week. haha

rafaele1mo ago

But think of all the API calls you save if you curse at Claude

functional_dev1mo ago

the list is funny :)

So it counts how many times I was angry?

maguay1mo ago

Absolutely hilarious that it's watching for frustration.

What a world, where cursing at your machines can make them get their act together.

karim791mo ago

We're about to reach AGI. One regex at a time...

TacticalCoder1mo ago

AGI is definitely around the corner. Or not.

karim791mo ago

pjoubert1mo ago

I'm curious about what people are not looking for about Claude code. What's missing and nobody is talking about? Any clue?

motbus31mo ago

I am curious about these fake tools.

They would either need to lie about consuming the tokens at one point to use in another so the token counting was precise.

But that does not make sense because if someone counted the tokens by capturing the session it would certainly not match what was charged.

Unless they would charge for the fake tools anyway so you never know they were there

try-working1mo ago

Gen_ArmChair1mo ago

The Claude Code leak suggests multi-agent orchestration is largely driven by prompts (e.g., “do not rubber-stamp weak work”), with code handling execution rather than enforcing decisions.

Prompts are not hard constraints—they can be interpreted, deprioritized, or reasoned around, especially as models become more capable.

This raises the core issue: If governance is “prompts all the way down,” it’s not true governance—it’s guidance.

And as model capability increases, that kind of governance doesn’t get stronger—it becomes easier to bypass without structural constraints.

Has anyone actually implemented structural governance for agent swarms — voting logic, hard thresholds, REQUIRES_HUMAN as architecture not instruction?

olalonde1mo ago

I'm surprised that they don't just keep the various prompts, which are arguably their "secret sauce", hidden server side. Almost like their backend and frontend engineers don't talk to each other.

jarjoura1mo ago

olalonde1mo ago

Sure, that's part of it, but they clearly don't like people knowing about their prompts either.

tom13371mo ago

restlake1mo ago

yea there are proxies out there for this and in AWS Bedrock this outbound logging is a feature you can enable for these and other models

armanj1mo ago

> Anti-distillation: injecting fake tools to poison copycats

Does this mean `huggingface.co/Jackrong/Qwen3.5-27B-Claude-4.6-Opus-Reasoning-Distilled` is unusable? Had anyone seen fake tool calls working with this model?

agilob1mo ago

Very likely Claude was trained on Deepseek, so it's possible that spiderman-pointing-at-spiderman.jpg all models are wrong now https://www.reddit.com/r/DeepSeek/comments/1r9se7p/claude_so...

amdivia1mo ago

Assuming Claude Code was used. If OpenCode or some other programmatic method was used, the "fake tool calls" won't be added

mmaunder1mo ago

seertaak1mo ago

And so now the copy cats can ofc claim this is totally not a copy at all, it's actually Opus. No license violation, no siree!

It's fucking hilarious is what it is, it's just too much.

GuB-421mo ago

The code is obfuscated, but they accidentally shipped the map file, i.e. the key to de-obfuscating it.

jwilliams1mo ago

I used to swear at Claude. To be honest, I thought it helped get results (maybe this is "oldschool" LLM thinking), but I realized it was just making me annoyed.

saretup1mo ago

mordae1mo ago

> “Do not rubber-stamp weak work” and “You must understand findings before directing follow-up work. Never hand off understanding to another worker.”

:-D

yard20101mo ago

You can see exactly on which humanity it q Was trained on ;)

simianwords1mo ago

Guys I’m somewhat suspicious of all the leaks from Anthropic and think it may be intentional. Remember the leaked blog about Mythos?

Analemma_1mo ago

__blockcipher__1mo ago

Granted, there's a small counterargument for mythos which is that it's probably going to be API-only not subscription

simianwords1mo ago

Why would Claude code mention Mythos then

drewnick1mo ago

You can use Claude Code with API mode (not a sub)

1 more reply

hxugufjfjf1mo ago

You can still use Claude Code with API-only.

heliumtera1mo ago

ptrl6001mo ago

Why didn't they open the source themselves? What's the point of all this secrecy anyway?

hxugufjfjf1mo ago

Because they (apparently) keep a bunch of secret features and roadmap details in said source code.

devhouse1mo ago

Claude Code’s Source Code Leaked Through npm. Here’s What Actually Happened. https://www.everydev.ai/p/tool-claude-codes-source-code-leak...

reenorap1mo ago

What effect will this have on their IPO? Can someone take the code and make a clone?

evan_1mo ago

it's just the client app, so you could make a clone but you'd still have to pay to use their servers.

dpe821mo ago

None. The magic is still in the model.

slashdave1mo ago

What? No. Not legally. You know. Copyright and all that.

yard20101mo ago

What do you mean copyright? If I torrent this and train a model that changes every second m in a sentence to n can I ship as my software?

amelius1mo ago

A few weeks ago I was using Opus and Sonnet in OpenCode. Is this not possible anymore?

alasano1mo ago

It's still possible but if you do it using your Claude Max plan, it's technically no longer allowed.

They don't want you using your subscription outside of Claude Code. Only API key usage is allowed.

Google also doubled down on this and OpenAI are the only ones who explicitly allow you to do it.

cgeier1mo ago

So I guess OpenAI get's my money.

sheepscreek1mo ago

gervwyk1mo ago

how sure are we this entire “accident” is not an aprils fools joke??

Genius level AI marketing

dheerajmp1mo ago

April Fool tool

zingar1mo ago

I wrote this an hour ago and it seems that Claude might not understand it as frustration:

> change the code!!!! The previous comment was NOT ABOUT THE DESCRIPTION!!!!!!! Add to the {implementation}!!!!! This IS controlled BY CODE. *YOU* _MUST_ CHANGE THE CODE!!!!!!!!!!!

kbelder1mo ago

It's like talking to an intern.

msukkarieh1mo ago

Built a tool to ask questions on the Claude Code source code: https://askgithub.com/alex000kim/claude-code

ChicagoDave1mo ago

electriclove1mo ago

I switched to Codex out of frustration with Claude Code and it has been surprisingly similar for my web and mobile coding needs

system21mo ago

Except for censoring. It didn't allow me to use a screencapture library, thinking I was going to hack the world.

1 more reply

redanddead1mo ago

Gemini is a terrible product, I spent $15K on it. Anthropic and OpenAI make better models, it used to be that Gemini cooked but I don't feel that way anymore

DeathArrow1mo ago

I hope cheap Chinese models will overtake Anthropic.

baby1mo ago

1 more reply

d4rkp4ttern1mo ago

that frustration regex is missing "idiot", which is the most common frustration word I use with code-agents

imcritic1mo ago

Does this mean I can now self host Claude?

betimd1mo ago

that’s fun am having exploring this codebase with claude code, inception at its best

matheusmoreira1mo ago

But what does Claude do when it detects user fruatration?! Don't leave us hanging here!

Edit: it gets sent to Anthropic via telemetry and it ends up on the fuck chart!

https://old.reddit.com/r/ClaudeCode/comments/1s99wz4/boris_t...

OfirMarom1mo ago

Undercover mode is the most concerning part here tbh.

anonymoushn1mo ago

why

AnimalMuppet1mo ago

Well, as a general rule, I don't do business with people who lie to me.

otterley1mo ago

Similarly, would you consider it to be dishonest if my human colleague reviewed and made changes to my code, but I didn’t explicitly credit them?

3 more replies

simianwords1mo ago

What’s the lie? It’s just asking to not reveal internal names

1 more reply

chadd1mo ago

re: binary attestation: "Whether the server rejects that outright or just logs it is an open question"

(Snap's binary attestation is at least a decade ahead of this, fwiw)

151551mo ago

LLMs and radare2 absolutely breeze through undoing binary protection and virtualization, tracing execution flow, etc.

Sans the ability to JIT, I don't see non-hardware-assisted binary attestation for Snap and others lasting very long in a post-LLM world.

jsrozner1mo ago

"and i also wrote this using claude" -- can we just include that at this point?

eranation1mo ago

Probably an unpopular opinion but Anthropic are too popular for their own good.

wrkxapp1mo ago

why claude bring back 4o u dumb fks

thomasgeelens1mo ago

Can somebody tell me what this means for the company?

saadn921mo ago

j / k navigate · click thread line to collapse