AI Advisory Agent
Make an Inquiry
Login
AI Advisory Agent
Make an Inquiry

VENDORiQ: The Anthropic Claude Code Leak and Lessons for Vendor Governance

Download PDF
Anthropic’s source code leak reveals critical CI/CD failures, demystifying AI 'safety' as hard-coded scripts while highlighting urgent vendor governance risks.

The Latest

While Anthopic’s CEO was in the Australian Parliament House, describing the coming wave of employment changes and well-governed AI, the company itself was in the midst of recovering from a catastrophic failure of governance due to AI-powered development operations.

Version 2.1.88 of its Claude Code Node Package Manager (NPM) inadvertently included a 57-megabyte source map file that exposed over 500,000 lines of proprietary TypeScript code. Security researcher Chaofan Xiao identified the exposure; the Anthropic code was widely disseminated across the internet despite Anthropic’s legal team issuing DMCA takedowns. The irony of Anthopic demanding copyright protection for revealing its own code, given how AI was developed using content from pirate sites, is stark.

The leak revealed Claude Code’s internal architecture: an 11-step processing pipeline, hard-coded safety guardrails, ‘anti-distillation poison pills’ designed to hinder competitor models from learning from Claude, an ‘undercover mode’ for human-like output, and a regex-based frustration detector. 

The root cause is a misconfigured source map in the build process, possibly related to Bunjs, which is a JavaScript runtime recently acquired by Anthropic.  Bunks reportedly had a known GitHub issue regarding source map retention in production builds. 

Community responses were rapid and went beyond the code itself, highlighting the legal absurdities AI creates to justify ‘effective immunity’ from copyright law. One example is that developers fed the Claude code into an AI, which rewrote it into another language (Python) and produced a functionally identical, open-source, and freely available GitHub project, ‘Clawcode’, which saw significant adoption within hours.

In addition, the leak also casts a shadow on the Anthopic’s Glasswing Project, which aims to shift code safety and security flaw detection to autonomous agents.

Why it Matters:

This incident exposes a fundamental tension in modern software development: the gap between publicly stated safety and security commitments versus the operational controls required to enforce them. For organisations evaluating Anthropic’s Claude Code, the leak raises several material concerns that go beyond mere intellectual property exposure.

Supply Chain Security and Build Process Governance

The primary lesson concerns building pipeline integrity, not AI architecture. The leak occurred because a development artifact was packaged and released to production. 

This is a preventable error with mature CI/CD (continuous integration and continuous delivery) practices. IBRS has consistently emphasised that security must be embedded in DevOps workflows through automated scanning and artifact exclusion. Anthropic’s failure here suggests either immature or inadequately monitored build processes. This is concerning for a company claiming safety-first principles. For organisations adopting Claude Code, this raises a direct question. If Anthropic cannot prevent accidental code disclosure, even with overreliance on AI-powered code quality checks and CI/CD, how can mid-sized development teams trust these very same tools?

The Black Box Illusion and Safety-by-Obscurity

The leaked code reveals that Claude Code operates as a ‘dynamic prompt sandwich glued together with TypeScript’. It consists of approximately 11 processing steps with hard-coded instructions designed to constrain model behaviour. These include regex-based pattern matching for profanity, static tool lists, and prompt engineering guardrails. The leak demystifies the perception of advanced LLMs as inscrutable technology. Instead, as IBRS has noted in the past, it is the non-AI processes and hard-coded orchestrations that leverage the LLMs that make the biggest difference.

IBRS has noted that safety testing for LLMs requires explicit, rigorous prompts designed to trigger unsafe outputs in the specific application context. Organisations cannot rely on vendor claims of safety architecture if that architecture is proprietary and unauditable. The leak suggests that Anthropic’s safety model is implementation-specific and may not withstand scrutiny or transfer well to alternative environments or models.

Intellectual Property Protection and Competitive Differentiation

The rapid emergence of community-driven alternatives (Clawcode, OpenCLOD) demonstrates a critical reality. Once proprietary code is publicly available, open-source competitors can quickly reimplement equivalent functionality. 

Anthropic invested significantly in ‘anti-distillation poison pills’ techniques designed to mislead competitor models training on Claude’s outputs. Now these safeguards are explicitly known. This represents a substantial loss of competitive advantage. For Anthropic’s rumoured IPO later in 2026, the timing is particularly damaging. Investors evaluating the company must now contend with the reality that core intellectual property – their coding assistant architecture – is no longer exclusive. IBRS research on AI-generated code has emphasised the ‘authorless’ nature of such software and the resulting IP ownership uncertainty. This incident underscores the concern that vendors’ proprietary code can become open source through operational failures, fundamentally shifting the value proposition of proprietary versus open-source AI solutions.

Vendor Risk Assessment and Third Party Dependency Management

The incident has secondary but material implications. Claude Code relies on Axios, an HTTP client library reportedly compromised by North Korean hackers, which introduces a potential remote-access vector. This compounds the primary leak with a supply chain vulnerability. IBRS recommends a pragmatic, risk-based approach to third party cyber security that includes standardised vendor assessments and rigorous due diligence on vendors’ own security practices

Lessons from the Incident

Anthropic’s incident demonstrates that even well-funded AI companies can fail to build basic security controls. Organisations should now view AI vendors through a more critical lens, specifically assessing their CI/CD maturity, software supply chain controls, and build artifact management practices, not just their model architecture or safety claims.

The revelation of ‘undercover mode’, which is instructions to Claude to mask its identity in commit messages and outputs, raises questions about whether this feature aligns with Anthropic’s stated transparency commitments. If customers or regulators view this as a deceptive AI deployment, it could invite regulatory scrutiny. For organisations using Claude Code in regulated industries (financial services, healthcare, critical infrastructure), this incident warrants a reassessment of whether using this vendor aligns with emerging AI governance requirements.

Who’s Impacted?

  • CIOs: Must reassess vendor risk management frameworks for AI solutions. Evaluate Anthropic’s operational maturity post-incident and consider diversifying AI coding assistant vendors to reduce dependency risk.
  • CISOs: Should audit all internal uses of Claude Code and other Anthropic products, review whether leaked roadmap details or architectural insights alter threat footprints, and assess the impact of the Axios vulnerability on systems using Claude.
  • Development Team Leads/Architects: Need to review CI/CD pipelines – especially those that leverage Claude to build or validate the pipelines.
  • Project Leads/Delivery Managers: Need to verify that AI-assisted development workflows using Claude Code are not dependent on features that are now considered potentially unreliable or subject to rapid competitive pressure.

Next Steps

  • Immediate (Next 2 Weeks):
    • Conduct an internal audit of all CI/CD pipelines to verify that development artifacts (source maps, debug symbols, internal documentation) are stripped from production builds and package releases.
    • Review all active Claude Code deployments to assess whether this incident alters the risk profiles of mission-critical applications
  • Short-Term (1–3 Months):
    • Conduct a comprehensive vendor security assessment of Anthropic covering build pipeline security, CI/CD maturity, software supply chain governance, and incident response practices. 
    • Review all contracts with Anthropic to assess indemnity clauses, liability caps, and whether leaked IP breaches warrant renegotiation or termination rights.
  • Medium-Term (3–6 Months):
    • Implement a formal AI governance framework that extends beyond data governance to include operational controls, build security, supply chain oversight, and regular safety testing as per IBRS guidance on comprehensive AI governance.
  • Strategic (Ongoing):
    • Require AI vendors to provide transparency into their build processes, artifact management, and security testing practices as part of ongoing contract management. Treat the build process security as a material contract requirement equivalent to runtime security and data protection.
    • Monitor the adoption and maturity of community-driven AI solution forks to inform strategic decisions about proprietary versus open-source AI tooling investments.

Submit an Inquiry

Trouble viewing this article?

Search
Related Content

Search

Register for complimentary membership where you will receive:
  • Complimentary research
  • Free vendor analysis
  • Invitations to events and webinars
Delivered to your inbox each week
Register Here
Already an IBRS client? Sign in here