The Day the Code Broke: Claude Code Leaks and the axios Supply Chain Attack
Two developer bombshells dropped this week: Anthropic accidentally shipped Claude Code's source map to npm, and attackers compromised axios with a precision supply chain strike. Here's what actually happened and what it means for you.
Tob
Backend Developer
If you were on Hacker News today, you could barely keep up. Two unrelated developer stories broke within hours of each other, and both are worth your attention if you write code for a living.
TL;DR: Anthropic accidentally exposed Claude Code's full source via a .map file in their npm package, revealing anti-distillation tricks and a mode that makes AI hide that it is AI. Meanwhile, attackers compromised axios with surgical precision, injecting a remote access trojan through a fake dependency that self-destructs after execution. Update your dependencies. Now.
Claude Code's Source Got Leaked, and It's Wild
On March 31, a developer noticed that Anthropic had shipped a .map file alongside the Claude Code npm package. That map file contained the full, readable TypeScript source of the CLI tool. The package was pulled quickly, but not before it was mirrored across GitHub and picked apart by thousands of HN readers.
This is Anthropic's second accidental exposure in a week, following a model spec leak just days earlier. The timing is worth noting. Ten days ago, Anthropic sent legal threats to the OpenCode project, forcing them to remove built-in Claude authentication because third-party tools were using Claude Code's internal APIs to access Opus at subscription rates instead of pay-per-token pricing. That context makes some of the findings more pointed.
Here is what people found inside the leak.
Anti-Distillation: Fake Tools to Poison Training Data
In claude.ts, there is a flag called ANTI_DISTILLATION_CC. When enabled, Claude Code sends anti_distillation: ['fake_tools'] in its API requests. This tells Anthropic's server to silently inject decoy tool definitions into the system prompt.
The idea is straightforward. If someone is recording Claude Code's API traffic to train a competing model, the fake tools pollute that training data. It is gated behind a GrowthBook feature flag and only active for first-party CLI sessions.
Whether you see this as smart defensive engineering or anti-competitive behavior depends on where you stand on the distillation debate. The HN thread was... spirited.
There is also a second mechanism. The API can buffer the assistant's text between tool calls, summarize it, and return the summary with a cryptographic signature. If you are recording API traffic, you only get the summaries, not the full reasoning chain. This one is Anthropic-internal only, so regular API users will not encounter it.
Undercover Mode: AI That Pretends It Is Not AI
The file undercover.ts implements a mode that strips all traces of Anthropic internals when Claude Code is used in non-internal repositories. It instructs the model to never mention internal codenames like "Capybara" or "Tengu," internal Slack channels, repo names, or the phrase "Claude Code" itself.
The interesting part is in the code comments: "There is NO force-OFF. This guards against model codename leaks."
You can force it ON with an environment variable, but there is no way to force it off. In external builds, the entire function gets compiled out, but the intent is clear.
The concern is obvious. AI-authored commits and PRs from Anthropic employees in open source projects will have no indication that an AI wrote them. Hiding internal codenames is one thing. Having the AI actively pretend to be human is another.
Frustration Detection via Regex (Yes, Regex)
The leaked code also revealed that Claude Code has a system for detecting when the user is getting frustrated, based on regex patterns in their messages. The exact patterns were not fully documented in the snippet, but the existence of a frustration-detection system inside a coding agent is... something.
axios Got Owned: A Precision Supply Chain Attack
This one is more serious if you write JavaScript.
On March 30, StepSecurity identified two malicious versions of axios published to npm: axios@1.14.1 and axios@0.30.4. Both were published by a compromised maintainer account. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, a package that never appears anywhere in the actual axios source code.
Here is how it works. plain-crypto-js has a postinstall script that acts as a cross-platform remote access trojan dropper. It contacts a live command and control server and delivers platform-specific second-stage payloads for macOS, Windows, and Linux. After execution, the malware deletes itself and replaces its own package.json with a clean version to avoid forensic detection.
If you inspect your node_modules folder after the fact, you will find no indication anything went wrong. The package self-destructs.
This was not opportunistic. The attackers seeded the fake dependency 18 hours in advance to build up npm publishing history so it would not look like a zero-history account. They pre-built three payloads for three operating systems. Both release branches were poisoned within 39 minutes of each other. Within two seconds of npm install, the malware was already calling home to the attacker's server before npm had finished resolving dependencies.
If you have axios@1.14.1 or axios@0.30.4 installed, assume your system is compromised.
What You Should Do Right Now
First, check your package.json or lock file for those versions. If you have them, nuke node_modules, clear your lock file, and reinstall. Scan your system for any unexpected outbound connections, especially to port 8000.
For the Claude Code situation, the practical risk to most developers is low. The leak reveals interesting design decisions more than critical vulnerabilities. But if you run Claude Code in security-sensitive environments, the undercover mode behavior is worth understanding.
The broader lesson is the same as always. Supply chain attacks are getting more sophisticated. npm is a massive attack surface. The axios compromise is among the most operationally complex strikes ever documented against a top-10 npm package. Two seconds from install to C2 callback. That is a new level of polish.
Lock your dependencies. Pin your versions. Use tools like StepSecurity Harden-Runner or Snyk to catch anomalous outbound connections. Trust but verify has never been more expensive.
Sources: Alex Kim - Claude Code Source Leak, StepSecurity - axios Compromise Analysis, Hacker News - Claude Code Source Leak Thread, Hacker News - axios Compromised Thread