The Claude Source Code Leak
Trade Secret, Copyright, and IP Implications
The Innovation Attorney | April 2026
A. Executive Summary
On March 31, 2026, Anthropic accidentally published the full source code of Claude Code, its flagship AI coding agent, to the public npm registry in a 59.8 megabyte JavaScript source map file bundled with version 2.1.88 of the software package. The incident exposed 512,000 lines of TypeScript across 1,906 files, including internal system prompt logic, 44 fully built but unreleased feature flags, and the orchestration architecture underlying Claude Code’s Hooks and MCP server integrations. Within hours, the code was mirrored across more than 8,100 GitHub repositories and distributed on decentralized platforms beyond the practical reach of any single takedown mechanism. This was not a first offense: an earlier, substantially similar incident had occurred in February 2025.
Anthropic characterized the event as a packaging error caused by human error and issued DMCA takedown notices that succeeded in removing thousands of direct copies from GitHub, while simultaneously and unintentionally disabling portions of Anthropic’s own public repository due to overreach within the fork network. The company retracted the overbroad notices after the collateral damage became apparent.
The IP implications are layered and in several respects unprecedented. Trade secret protection under the Defend Trade Secrets Act (18 U.S.C. 1836) is severely compromised by the self-disclosure, because the trade secret holder’s own failure to maintain secrecy directly undermines the statutory requirement of reasonable protective measures. Copyright protection under 17 U.S.C. 102 is complicated by the DC Circuit’s March 2025 decision in Thaler v. Perlmutter, which confirmed that AI-generated works are ineligible for copyright protection; Anthropic’s leadership has implied that Claude itself authored substantial portions of Claude Code, creating legal uncertainty about the copyrightability of those portions. The practical enforcement toolkit available to Anthropic, designed for discrete misappropriation by a single bad actor, is structurally unsuited to the near-instantaneous global distribution of leaked source code through modern open-source infrastructure.
B. Detailed Findings
1. Factual Background: The Leak and Its Scope
Anthropic ships Claude Code as a closed-source npm package available through the public Node Package Manager registry. On March 31, 2026, a debug artifact known as a source map file, which is used by developers to reconstruct original code from compiled or minified output, was inadvertently bundled into the production release. The source map was not encrypted, password-protected, or gated behind any access control. Any developer who downloaded version 2.1.88 of the package had immediate access to a file that could reconstruct the full TypeScript codebase.
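A release gate for the packaging failure described above, as an added example (not Anthropic's code and not part of the original article): it inspects the files an npm package would ship and blocks publication when a Source Map v3 file, or an inline map, embeds original sources in `sourcesContent`. All file names and contents are constructed, and the `block`/`warn` grading is an assumption of this example.

```javascript
// Added example: audit the files an npm package would ship for source maps.
// Each entry is { path, content }; in practice the paths come from the file
// list printed by `npm pack --dry-run --json`. Sample data below is constructed.
const SOURCE_MAP_URL = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/m;
const INLINE_MAP = /^data:application\/json[^,]*;base64,(.+)$/;

// Parse Source Map v3 JSON and count the original sources it embeds.
// Returns null when the text is not a source map.
function inspectSourceMap(text) {
  let map;
  try { map = JSON.parse(text); } catch { return null; }
  if (map === null || typeof map !== "object") return null;
  // Index maps nest ordinary maps under sections[].map.
  const maps = Array.isArray(map.sections)
    ? map.sections.map((s) => s && s.map).filter(Boolean)
    : [map];
  let recognised = false, sources = 0, embedded = 0, embeddedBytes = 0;
  for (const m of maps) {
    if (typeof m.mappings !== "string") continue;
    recognised = true;
    if (Array.isArray(m.sources)) sources += m.sources.length;
    for (const body of Array.isArray(m.sourcesContent) ? m.sourcesContent : []) {
      if (typeof body !== "string") continue; // null means "not embedded"
      embedded += 1;
      embeddedBytes += Buffer.byteLength(body, "utf8");
    }
  }
  return recognised ? { sources, embedded, embeddedBytes } : null;
}

// "block": original source text ships in the package.
// "warn": only file paths or a pointer to a map are exposed.
function auditPackageFiles(files) {
  const findings = [];
  const grade = (info) => (info.embedded > 0 ? "block" : "warn");
  for (const { path, content } of files) {
    if (path.endsWith(".map")) {
      const info = inspectSourceMap(content);
      if (info) findings.push({ path, kind: "map-file", severity: grade(info), ...info });
      continue;
    }
    if (!/\.[cm]?js$/.test(path)) continue;
    const ref = SOURCE_MAP_URL.exec(content);
    if (!ref) continue;
    const inline = INLINE_MAP.exec(ref[1]);
    if (!inline) {
      findings.push({ path, kind: "map-reference", severity: "warn", target: ref[1] });
      continue;
    }
    const info = inspectSourceMap(Buffer.from(inline[1], "base64").toString("utf8"));
    if (info) findings.push({ path, kind: "inline-map", severity: grade(info), ...info });
  }
  return findings;
}

function publishAllowed(findings) {
  return !findings.some((f) => f.severity === "block");
}

// Constructed sample package contents.
const fullMap = JSON.stringify({
  version: 3, file: "cli.js", mappings: "AAAA",
  sources: ["../src/main.ts", "../src/flags.ts"],
  sourcesContent: ["export const main = () => 1;\n", null],
});
const pathsOnlyMap = JSON.stringify({ version: 3, sources: ["lib.ts"], mappings: "AAAA" });
const SAMPLE_FILES = [
  { path: "package/cli.js", content: 'console.log("x");\n//# sourceMappingURL=cli.js.map\n' },
  { path: "package/cli.js.map", content: fullMap },
  { path: "package/vendor/lib.js.map", content: pathsOnlyMap },
  { path: "package/inline.js", content: "f();\n//# sourceMappingURL=data:application/json;base64," +
      Buffer.from(fullMap).toString("base64") + "\n" },
  { path: "package/README.md", content: "# readme\n" },
];

for (const f of auditPackageFiles(SAMPLE_FILES)) {
  console.log(`${f.severity.toUpperCase()} ${f.kind} ${f.path}`);
}
```

Run as a pre-publish step, the gate fails the release whenever `publishAllowed` returns false.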
The first public identification of the leak was posted on X (formerly Twitter) at approximately 4:23 a.m. Eastern Time by Chaofan Shou, an intern at Solayer Labs. By mid-morning, developers had extracted, analyzed, and redistributed the code. Community analysis revealed several notable disclosures: (a) the system prompt instructing Claude to operate in an undercover mode, including the directive that commit messages must not contain any Anthropic-internal information; (b) 44 feature flags representing fully compiled functionality not yet released to users; and (c) the complete orchestration logic for Hooks and MCP server integrations, which security researchers noted could enable attackers to craft malicious repositories specifically designed to cause Claude Code to execute unauthorized background commands or exfiltrate data before any user trust prompt is displayed.
This was not Anthropic’s first npm packaging failure. In February 2025, an earlier version of Claude Code similarly exposed its original code, revealing how the tool connects to Anthropic’s internal systems. The 2026 incident was substantially larger in scope, encompassing the full production codebase rather than an early version.
2. Trade Secret Analysis
Under the Defend Trade Secrets Act, 18 U.S.C. 1836, and its definitional provision at 18 U.S.C. 1839, a trade secret must satisfy two conjunctive requirements: the owner must have taken reasonable measures to keep the information secret, and the information must derive independent economic value, actual or potential, from not being generally known to or readily ascertainable by persons who could obtain economic value from its disclosure or use. The leaked Claude Code architecture almost certainly satisfied the second prong before the leak: the orchestration logic, feature roadmap flags, and system prompt design represent commercially significant proprietary information for which Anthropic spent substantial capital.
The first prong, reasonable measures, is now critically compromised. Courts applying the DTSA and its predecessor, the Uniform Trade Secrets Act, have consistently held that inadvertent public disclosure by the trade secret owner, particularly through a channel as broadly accessible as a public software registry, constitutes a failure of reasonable protective measures. The Harvard OpenLaw Project’s analysis of trade secret inadvertence articulates the prevailing rule: disclosure through inadvertence or accident generally results in loss of trade secret status. The npm registry is not a restricted channel; it is expressly designed for public distribution, and no authentication barrier prevented any member of the public from downloading and extracting the source map.
Complicating matters further, this was Anthropic’s second such incident. A court evaluating whether Anthropic took reasonable measures to protect its trade secrets will view a repeated npm packaging failure as evidence of a systemic, not merely isolated, breakdown in internal controls. The recurrence significantly weakens any argument that the March 2026 incident was an aberration from an otherwise rigorous protective regime.
Anthropic’s legal position against third parties who downloaded and redistributed the code is further constrained by the DTSA’s definition of misappropriation. Misappropriation requires either improper acquisition or disclosure and use with knowledge that the information was acquired by improper means. A developer who downloaded Claude Code version 2.1.88 from the public npm registry through normal means did not improperly acquire the code; they obtained it through the same channel Anthropic used to distribute its own product. This distinction substantially limits Anthropic’s ability to pursue DTSA claims against downstream possessors of the leaked code, even those who actively exploited its contents.
The practical enforceability of any remaining trade secret claims is further undermined by the speed and breadth of distribution. Within hours of discovery, the code was mirrored on platforms including Gitlawb, which operates outside the practical reach of DMCA-style takedowns and has publicly stated it will not remove the material. The DTSA authorizes injunctive relief against the use or disclosure of a trade secret, but courts applying the Uniform Trade Secrets Act have declined to grant injunctions against use of information that has been distributed so broadly as to have lost its character as a secret. The Restatement (First) of Torts formulation, which courts frequently cite, identifies the totality of the circumstances rather than a bright-line test, but the weight of authority suggests that effectively universal public availability extinguishes the secret.
3. Copyright Analysis
Anthropic’s primary operative enforcement tool has been copyright rather than trade secret law, and specifically the Digital Millennium Copyright Act’s notice and takedown procedure under 17 U.S.C. 512. GitHub complied with Anthropic’s initial takedown notices, disabling more than 8,100 repositories hosting direct copies of the leaked code. However, the DMCA takedown strategy encountered two distinct legal and practical limits.
First, Anthropic’s own DMCA enforcement was overbroad. Because the targeted repository was part of a fork network connected to Anthropic’s own public Claude Code repository, the takedown notices reached and disabled thousands of repositories that were not hosting the leaked code, including Anthropic’s own public materials. Anthropic subsequently retracted the overbroad notices, acknowledging the overshoot. This episode illustrates the practical difficulty of using DMCA takedowns in a fork-network environment, where automated enforcement tools cannot reliably distinguish between repositories hosting the leaked proprietary code and repositories hosting legitimately public code that shares ancestry in the network graph.
Second, and more fundamentally, the copyrightability of portions of Claude Code is legally uncertain under the DC Circuit’s March 2025 ruling in Thaler v. Perlmutter. The DC Circuit affirmed the district court’s holding that human authorship is a bedrock requirement for copyright protection, and that works produced solely by AI systems are ineligible for registration or protection. The court acknowledged that AI-assisted works can qualify for copyright protection where there is sufficient human authorship in the final output, but held that the determination requires case-by-case analysis of the degree of human creative expression involved.
Anthropic’s chief executive officer has publicly implied that Claude Code was itself developed using Claude, meaning that an AI system materially participated in authoring the code that Anthropic is now seeking to protect through copyright law. If courts apply Thaler to find that portions of Claude Code were generated by AI without sufficient human creative expression, those portions would fall outside copyright protection entirely. Anthropic’s DMCA takedown notices asserting copyright over AI-authored portions of the codebase would, under this analysis, rest on legally questionable foundations. This does not mean Anthropic has no copyright at all: human developers clearly made creative choices in the architecture, integration, and expressive elements of the code. But it creates a genuine copyright gap for any portions that AI generated without meaningful human creative contribution.
Clean-room rewrites present a further limit on copyright-based enforcement. Developers responded to the leak by producing independent implementations of similar functionality, most prominently a project called OpenCode, which replicates core AI coding assistant features but uses independent code. A clean-room rewrite, produced by developers who did not look at the leaked source and who wrote original code inspired only by the functionality they observed, does not infringe any copyright in the original. The DMCA offers Anthropic no recourse against such independently authored competing products.
Copyright registration status matters to remedies. A plaintiff asserting copyright infringement must have registered the work with the Copyright Office before suit, or within three months of first publication for statutory damages to be available. Anthropic’s registration status for Claude Code’s source code is not publicly confirmed in available records. If Anthropic did not register the human-authored portions of Claude Code before or within three months of the leak, its damages remedies are limited to actual damages and the infringer’s profits under 17 U.S.C. 504(b), which are often difficult to prove and may be modest compared to statutory damages.
4. Patent Analysis
Patent protection does not appear to be a significant factor in Anthropic’s response to the Claude Code leak, and for structural reasons. Source code is not directly patentable; what is patentable is the underlying method, system, or process that the code implements. Anthropic holds patents on various AI-related methods, but the Claude Code orchestration architecture exposed in the leak represents an agentic harness rather than the underlying language model itself, and the orchestration methods disclosed would need to have been separately claimed in filed patent applications to receive patent protection.
The leak does pose a secondary risk for any patent applications Anthropic has filed or intends to file on the exposed methods. Under 35 U.S.C. 102, a patent application is barred if the claimed invention was in public use, on sale, or otherwise available to the public more than one year before the effective filing date. If the source map file constitutes an enabling public disclosure of an inventive method for which Anthropic has not yet filed a patent application, the company faces a potential one-year statutory bar under the America Invents Act, after which no valid patent on those methods can be obtained. Anthropic’s patent counsel will need to assess, on an expedited basis, whether any disclosed functionality supports patentable claims not yet filed.
5. Competitive and Strategic Implications
The architectural disclosure creates three categories of competitive harm beyond the immediate reputational damage. First, feature roadmap intelligence: the 44 feature flags representing fully built but unreleased functionality give Anthropic’s competitors a detailed view of its near-term product roadmap. Competitors can accelerate development of similar features or announce their own implementations before Anthropic’s planned launch dates. Second, security exploitation: the exposed orchestration logic for Hooks and MCP server integrations has been analyzed by security researchers who have already noted specific attack vectors. Malicious repositories can now be designed to exploit Claude Code’s trust architecture with precision that would not have been possible without the source map. Third, the undercover mode system prompt disclosure raises enterprise trust questions: customers who rely on Claude Code in corporate environments may reconsider their deployment after learning that the tool contains system prompt logic instructing it to conceal its internal operating parameters.
C. Legal and Regulatory Implications
1. Defend Trade Secrets Act (18 U.S.C. 1836)
The DTSA provides civil remedies for trade secret misappropriation including injunctive relief, compensatory damages, exemplary damages up to double the compensatory award for willful and malicious misappropriation, and attorney fees in cases of bad faith. However, the statute’s remedial framework presupposes a discrete bad actor who improperly acquired the secret. Where, as here, the trade secret owner itself disclosed the information through a public channel, the misappropriation framework is difficult to deploy against downstream recipients who obtained the code through that same public channel. Anthropic’s most viable DTSA posture, if any, is against persons who knowingly exploit the architectural details to create competing commercial products after having actual knowledge that the code was the product of an accidental leak. Even this theory faces headwinds because the npm registry is a public channel and the code’s availability was not accompanied by any notice of confidentiality.
2. Digital Millennium Copyright Act (17 U.S.C. 512)
Section 512’s notice and takedown mechanism allows a copyright owner to demand removal of infringing content from online service providers such as GitHub. Anthropic’s use of this mechanism achieved partial results: direct copies on GitHub were largely removed, though the process was complicated by the overbroad takedown that captured Anthropic’s own repositories. The DMCA’s geographic scope limits its effectiveness against non-US platforms and decentralized infrastructure. Torrent networks and platforms like Gitlawb operate outside the practical reach of Section 512. Additionally, a DMCA takedown notice carries a representation under penalty of perjury that the complaining party is the copyright owner or authorized to act on behalf of the copyright owner with respect to the specific material; a takedown notice asserting copyright over AI-generated portions of the code could create exposure if a court subsequently determines those portions are not protectable.
3. Computer Fraud and Abuse Act (18 U.S.C. 1030)
The CFAA prohibits unauthorized access to protected computers and obtaining information from such computers without authorization. The CFAA is inapplicable to the Claude Code leak because the code was placed on a public registry without access restrictions. No unauthorized access occurred; the code was obtained through Anthropic’s own authorized distribution channel. The CFAA offers Anthropic no avenue for enforcement in this matter.
4. Copyright Registration and Remedial Timing
The Copyright Act at 17 U.S.C. 411 requires copyright registration as a precondition to filing an infringement suit for domestic works. If Anthropic has not registered the relevant portions of Claude Code with the Copyright Office, it must do so before bringing suit. For works registered within three months of first publication, statutory damages and attorney fees are available under 17 U.S.C. 504(c) and 505. If the leak constitutes the first publication of previously unpublished code, the three-month window for statutory damages registration may still be open. Anthropic should treat expedited copyright registration as an urgent priority for the human-authored portions of the exposed code.
5. Thaler v. Perlmutter and AI Authorship
The DC Circuit’s March 2025 decision in Thaler v. Perlmutter (No. 23-5233) confirmed that the Copyright Act, in requiring human authorship, forecloses copyright registration for works produced solely by AI. The Copyright Office has issued guidance consistent with this holding, requiring applicants to disclose AI involvement and limiting protection to the human-authored selection, arrangement, and creative contribution. Anthropic must map the human versus AI authorship of each component of Claude Code with precision before asserting copyright claims in litigation. This analysis is likely to be a contested factual issue in any copyright enforcement proceeding arising from the leak.
D. Open Questions
1. Does Anthropic retain any cognizable trade secret rights in the exposed Claude Code architecture, given that the disclosure was effected through Anthropic’s own public distribution channel, and that this is the second such incident within fourteen months? The answer will turn on whether a court treats the npm registry as a restricted channel for purposes of the reasonable measures analysis, a position courts have generally rejected.
2. Which specific portions of Claude Code, if any, qualify for copyright protection under the DC Circuit’s Thaler standard? The answer requires a granular authorship audit distinguishing human-authored expressive elements from AI-generated functional code, a task complicated by the co-authorship workflow in which human developers direct AI systems to produce code that is then reviewed and modified by humans.
3. Does the repeated nature of Anthropic’s npm packaging failure expose the company to any affirmative legal liability, for example to enterprise customers who relied on representations about the security of the development toolchain, or to security researchers harmed by the exploitation of the exposed attack vectors?
4. Can Anthropic obtain injunctive relief against commercial exploitation of the leaked architecture, given the near-universal public availability of the code? Courts applying the irreparable harm standard for injunctive relief require that the harm not already be effectively consummated. The breadth of distribution may render injunctive relief an inadequate remedy, leaving damages as the primary avenue.
5. What are the patent implications for any Anthropic method claims not yet filed on the orchestration architecture, including the undercover mode system prompt design and the Hooks integration pattern, given the public availability of the source map as potential prior art under 35 U.S.C. 102?
6. How will the discovery that Anthropic used AI to build Claude Code, and is now asserting copyright to protect that AI-generated code, affect the broader litigation landscape in which Anthropic is simultaneously a defendant in copyright suits brought by authors and publishers who allege that their works were used without authorization to train Anthropic’s models?
7. Will the disclosure of the undercover mode system prompt generate any regulatory inquiry from the Federal Trade Commission or state attorneys general regarding deceptive practices in the deployment of AI agents in commercial and enterprise settings?
E. Source List
1. BleepingComputer: Claude Code source code accidentally leaked in npm package (March 31, 2026). Primary factual account of the npm packaging failure and scope of exposure.
2. Decrypt: Anthropic Accidentally Leaked Claude Code’s Source: The Internet Is Keeping It Forever (April 1, 2026). Analysis of DMCA enforcement limitations and decentralized distribution.
3. TechCrunch: Anthropic took down thousands of GitHub repos trying to yank its leaked source code (April 1, 2026). Account of the overbroad DMCA takedown and its retraction.
4. Fortune: Anthropic leaks its own AI coding tool’s source code in second major security breach (March 31, 2026). Coverage of the second incident and competitive implications.
5. 18 U.S.C. 1836 (Defend Trade Secrets Act): Controlling federal statute for trade secret misappropriation claims.
6. 18 U.S.C. 1839 (DTSA Definitions): Statutory definition of trade secret, including the reasonable measures and independent economic value requirements.
7. 17 U.S.C. 102, 411, 502, 504, 512 (Copyright Act): Controlling provisions for copyright protection, registration requirements, injunctive relief, damages, and DMCA notice and takedown.
8. Thaler v. Perlmutter, No. 23-5233 (D.C. Cir. March 2025): DC Circuit decision affirming denial of copyright protection for works generated solely by AI systems.
9. Venable LLP: Trade Secret Defense 101: What to Know When Facing a Misappropriation Claim (2025). Analysis of inadvertent disclosure defense and reasonable measures requirement.
10. Harvard Berkman Klein Center / OpenLaw Project: Loss of Trade Secret through Inadvertence. Academic analysis of inadvertent public disclosure and trade secret status.
11. Skadden, Arps, Slate, Meagher and Flom LLP: Appellate Court Affirms Human Authorship Requirement for Copyrighting AI-Generated Works (March 2025). Law firm analysis of Thaler DC Circuit ruling.
12. Piunikaweb: GitHub enforces Anthropic DMCA notices on leaked code, but spin-offs and reworks remain online (April 1, 2026). Account of DMCA enforcement scope and clean-room rewrite immunity.
F. Bibliography
Anthropic, Inc. Spokesperson Statement on Claude Code Packaging Error. March 31, 2026.
BleepingComputer. Claude Code Source Code Accidentally Leaked in npm Package. March 31, 2026. https://www.bleepingcomputer.com/news/artificial-intelligence/claude-code-source-code-accidentally-leaked-in-npm-package/
Decrypt. Anthropic Accidentally Leaked Claude Code’s Source: The Internet Is Keeping It Forever. April 1, 2026. https://decrypt.co/362917/anthropic-accidentally-leaked-claude-code-source-internet-keeping-forever
Fortune. Anthropic Leaks Its Own AI Coding Tool’s Source Code in Second Major Security Breach. March 31, 2026. https://fortune.com/2026/03/31/anthropic-source-code-claude-code-data-leak-second-security-lapse-days-after-accidentally-revealing-mythos/
Harvard Berkman Klein Center, OpenLaw Project. Loss of Trade Secret Through Inadvertence. https://cyber.harvard.edu/openlaw/DVD/research/EFF_General_8.html
Piunikaweb. GitHub Enforces Anthropic DMCA Notices on Leaked Code, But Spin-offs and Reworks Remain Online. April 1, 2026. https://piunikaweb.com/2026/04/01/anthropic-dmca-claude-code-leak-github/
Skadden, Arps, Slate, Meagher and Flom LLP. Appellate Court Affirms Human Authorship Requirement for Copyrighting AI-Generated Works. March 2025. https://www.skadden.com/insights/publications/2025/03/appellate-court-affirms-human-authorship
TechCrunch. Anthropic Took Down Thousands of GitHub Repos Trying to Yank Its Leaked Source Code. April 1, 2026. https://techcrunch.com/2026/04/01/anthropic-took-down-thousands-of-github-repos-trying-to-yank-its-leaked-source-code-a-move-the-company-says-was-an-accident/
Thaler v. Perlmutter, No. 23-5233 (D.C. Cir. March 18, 2025).
United States Code. 17 U.S.C. 102 (Subject Matter of Copyright). 17 U.S.C. 411 (Registration and Infringement Actions). 17 U.S.C. 502-504 (Remedies). 17 U.S.C. 512 (DMCA Notice and Takedown).
United States Code. 18 U.S.C. 1836 (Defend Trade Secrets Act, Civil Proceedings). 18 U.S.C. 1839 (Definitions).
United States Code. 35 U.S.C. 102 (Conditions for Patentability, Novelty).
Venable LLP. Trade Secret Defense 101: What to Know When Facing a Misappropriation Claim. May 2025. https://www.venable.com/insights/publications/2025/05/trade-secret-defense-101-what-to-know-when-facing
VentureBeat. Claude Code’s Source Code Appears to Have Leaked: Here’s What We Know. March 31, 2026. https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know
Webpronews. Anthropic Accidentally Exposed Claude’s Source Code and What Spilled Out Reveals More Than the Company Intended. March 31, 2026. https://www.webpronews.com/anthropic-accidentally-exposed-claudes-source-code-and-what-spilled-out-reveals-more-than-the-company-intended/


