The video exposes Anthropic’s accidental leak of their Claude Code version 4 source code, revealing significant security vulnerabilities, quirky hidden features, and strict internal secrecy measures, which has caused embarrassment and raised concerns about potential exploitation. It also critiques Anthropic’s contradictory stance of heavily using open-source code while aggressively restricting public use of their own, though the leak has ironically spurred community contributions to the project.
The video discusses a major leak of Anthropic’s Claude Code version 4, highlighting that Anthropic accidentally published their entire source code, including source maps, on npm. Source maps allow minified JavaScript to be reversed back to its original form, meaning the full, readable code was exposed. This is the second time Anthropic has released their code publicly, but unlike before, this time the leak was accidental and has caused significant embarrassment. The leak also revealed vulnerabilities, such as susceptibility to the Axios supply chain attack, raising concerns about security risks.
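Added example (not from the video and not Anthropic's code): a pre-publish check a maintainer could run over the files about to be shipped, flagging source maps and showing which original files each one embeds through `sourcesContent`. The helper name `auditPackageFiles` and the sample file names and contents are constructed for illustration.

```javascript
// Pre-publish audit: find source maps that would ship original source text.
// `files` maps a package-relative path to its text content.
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/;

function parseMap(text) {
  try {
    const map = JSON.parse(text);
    return map && Array.isArray(map.sources) ? map : null;
  } catch { return null; } // not JSON, so not a source map
}

function embeddedSources(map) {
  // sourcesContent[i] holds the full original text of sources[i] when present.
  const content = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return map.sources.filter((_, i) => typeof content[i] === "string");
}

function auditPackageFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      const map = parseMap(text);
      if (map) findings.push({ path, kind: "map-file", exposes: embeddedSources(map) });
      continue;
    }
    const ref = MAP_COMMENT.exec(text);
    if (!ref) continue;
    // A map can also be embedded in the bundle itself as a base64 data: URI.
    const inline = /^data:application\/json[^,]*;base64,(.+)$/.exec(ref[1]);
    if (inline) {
      const map = parseMap(Buffer.from(inline[1], "base64").toString("utf8"));
      if (map) findings.push({ path, kind: "inline-map", exposes: embeddedSources(map) });
    } else {
      findings.push({ path, kind: "map-reference", exposes: [] });
    }
  }
  return findings;
}

// Constructed sample package contents (not taken from any real package).
const sampleMap = JSON.stringify({
  version: 3, sources: ["src/main.ts"], mappings: "AAAA",
  sourcesContent: ["export const secretFlag = true;\n"],
});
const samplePackage = {
  "dist/cli.js": "console.log(1);\n//# sourceMappingURL=cli.js.map\n",
  "dist/cli.js.map": sampleMap,
  "dist/inline.js": "x();\n//# sourceMappingURL=data:application/json;base64," +
    Buffer.from(sampleMap).toString("base64") + "\n",
  "dist/clean.js": "y();\n",
};
```

Any finding with a non-empty `exposes` list means readable original source would be published; a `map-reference` finding means the bundle points at a map that should also be checked for presence in the package.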
The leak originated from a known issue with Anthropic’s front-end development server improperly serving source maps in production, which had been reported weeks prior but remained unaddressed. The video humorously critiques Anthropic’s handling of the situation and the company’s attempts to hide employee involvement with the code in public repositories. It also points out the irony of Anthropic using a simplistic, hard-coded approach to sentiment analysis in their AI, despite having access to advanced models capable of more nuanced understanding.
Among the revelations in the leaked code are quirky and unexpected features, such as a terminal-based Tamagotchi-style “buddy” system planned for release, which resembles collectible digital pets or NFTs. The code also contains strict internal rules preventing Anthropic employees from revealing their connection to Claude Code publicly, which the video suggests makes the company appear secretive and suspicious. Additionally, safety-related instructions embedded in the code require direct approval from specific team members before modification, yet these safeguards are stored client-side, making them vulnerable.
The video warns about the broader implications of the leak, emphasizing that with nearly 500,000 lines of code exposed, numerous bugs and security flaws are now publicly accessible. This increases the risk of exploitation, including potential leaks of sensitive environment variables and credentials. While some risks may be limited, the availability of the code invites attackers to discover and leverage vulnerabilities, posing a threat to Anthropic and its users over the coming months.
Finally, the video critiques Anthropic’s restrictive terms of service, which prohibit users from building competing products using Claude, and suggests the company may be hostile toward its user base. The narrator finds it ironic and frustrating that Anthropic uses vast amounts of open-source code for training but aggressively protects its own code from public use. Despite the controversy, the leak has led to some positive outcomes, such as community contributions to the open-source project, including pull requests generated by Claude Code itself, adding a humorous twist to the situation.