Massive Claude code leak: Anthropic lost control of 500K lines of code through a configuration error
Anthropic, which positions itself as a leader in AI safety, allowed a massive leak of the Claude Code source through an npm mistake. It gives competitors access to internal mechanisms and hidden features, and calls into question Anthropic's reputation as a trustworthy developer.
Key points
- The leak contains 512K lines of Claude Code source, exposing its internal architecture and mechanisms.
- Hidden features were found: an undercover mode that disguises the AI origin of code, and a system for detecting user frustration.
- The cause of the leak is an npm configuration error, which calls Anthropic's security practices into question.
- An opportunity for competitors to study and adapt Anthropic's advanced techniques, such as AutoDreamer and Kyros.
- A chance for the developer community to build open-source alternatives to Claude Code.
- A push for Anthropic to review and strengthen its security practices.
The most controversial finding is the undercover mode, which makes Claude hide that it is an AI. This contradicts Anthropic's public stance on transparency and AI safety.
Video description
Anthropic, the company that literally markets itself as the safe AI company, just leaked Claude Code's entire codebase: 512,000 lines of source code, their most important product, wide open through an npm package because someone forgot an .npmignore file. Not a hack, not a whistleblower: a $350 billion company shipping source maps to production because their bundler generates them by default and nobody turned it off. To be honest, this feels like a dream. I use Claude Code almost daily. It's my main coding tool and I really love its features. Most of them are super well built. So yeah, I was really curious. I've been going through everything people found inside, and I need to tell you, what's actually in there is way more interesting than the leak itself. We're talking about hidden features that tell Claude to never reveal it's an AI, background agents that rewrite your memory while you sleep, internal benchmarks that show their newer model actually getting less truthful. This is the real engineering behind the best AI coding tool right now, and it's all out in the open. I'm Lu Fran, CTO and co-founder at Tours AI, where we turn engineers into AI engineers who build and ship AI products. And now let's get into this Anthropic code leak rabbit hole.

The most controversial finding isn't what people think. It's not the pet system or the 187 spinner words. There's something in the code called undercover mode that you need to know about, and we'll get to that. But first, what actually happened? On March 31st, 2026, version 2.1.88 of the Claude Code npm package ships. Chaan Shu, excuse me if I completely destroyed their name, is an intern at Soleer Labs and notices a 59.8-megabyte source map file at 4:23 a.m. You know, the kind of file that only exists in development locally, somehow sitting right there in production with the complete TypeScript inside: 512,000 lines, 1,900 files, the entire codebase of Claude Code sitting right there on npm for anyone to download.

The root cause: Bun's bundler generates source maps by default. Someone needed to add one line to .npmignore when making the push. They didn't. That's it. That's the only security story. In the end, it was a human mistake, which is funny considering most of the Claude Code codebase is now written by Claude itself. All right. So, as I said, I use Claude Code every day. It's my main coding tool. So yeah, I was really curious, and I wasn't the only one. Within hours, Cigrid Jin, a developer the Wall Street Journal had profiled for consuming 25 billion Claude Code tokens in a single year, created clock code, a clean-room Python rewrite. The repo hit 50,000 GitHub stars in two hours, 100,000 in one day. Probably the fastest-growing repository in GitHub history. But these rewrites didn't just replicate Claude Code. They stripped out telemetry, unlocked experimental features, and bolted on support for OpenAI, Gemini, and local models. So the leak didn't just expose the code. It spawned an entire open-source ecosystem overnight. But the drama isn't what matters here. It's what's actually inside Claude Code. So let me show you.

Claude Code uses a three-layer memory system, and it's really clever. Layer one is memory.md, a lightweight index, about 150 characters per line, under 200 lines. It doesn't store knowledge. It just points to where knowledge lives, like a table of contents for your project. It's always in the LLM's context. Layer two is topic files fetched on demand. If you need your database schema, it loads just that topic file, not your entire project. It's the perfect retrieval implementation. Layer three is full previous session transcripts, but they are only grep-searched, never loaded whole into context, and it's pointer-based. Your 1 million token context window doesn't get stuffed with everything. It gets an index, then fetches what it needs. That's how Claude Code maintains coherence across sessions that stretch for days.

If you're building any kind of agentic tool, this pattern alone is worth studying and implementing in your own projects. On top of that, there's conversation compaction, the part I was most interested in, since how Claude does it is extremely efficient and powerful. So when context hits roughly 90% capacity, Claude automatically compresses the conversation. That's also why the new Claude 1 million context made it reach a token limit so quickly. If it waits to be 95% full, it means I can send hundreds of thousands of tokens per query instead of being limited to the previous 100,000 context window. But here's the clever part. It doesn't just truncate or cut older parts. It preserves file contents, architectural decisions, project state, and active task context while collapsing the back-and-forth dialogue into summary statements. So you keep the final decision without having the whole interaction. You keep that you chose PostgreSQL for X and Y reasons, but you lose the 40-message debate and frustration that got you there with Claude. It constantly summarizes and keeps what's most relevant from previous exchanges. If you've ever had a Claude Code session suddenly forget what it was doing, that's this system kicking in. You can also trigger it manually with /compact and even tell it what to preserve. Also, Claude Code doesn't just have one way to compact. It actually has five different strategies, which tells you how seriously they treat context pressure as an engineering problem. First, there's micro compact, which is time-based clearing of old tool results. Basically, if a tool output is stale, it gets cleaned up automatically. Second, they have something called context collapse, which summarizes spans of conversation into shorter versions. Third, they have session memory, which extracts the most important context into a separate file, so it survives across compactions. Fourth, we have full compact, which summarizes the entire conversation history into a condensed version. And fifth, ptl truncation, which is basically the nuclear option. It just drops the oldest message groups entirely when nothing else is enough. Five layers of defense against context overflow to optimize what the model sees. They see it as a core engineering priority, which I'm really glad to see, since we do that as well in our courses. And honestly, the fact that they needed five different approaches really tells how hard this problem actually is at scale.

Then there's AutoDreamer. To be honest, I didn't expect it to be here, but it's my favorite engineering detail that I found. Here's the problem it solves. After a long coding session, your context is quite messy. You've argued and exchanged with the model quite a lot. You could have tried three different approaches, abandoned two, changed your mind about the database, renamed a bunch of files. If Claude just stores all of that raw on the next session, it will load a bunch of contradictory, outdated information. So, AutoDreamer runs in the background after you stop working. It reviews everything that happened, figures out what's still true, throws out what's stale, and writes clean, consolidated facts back to memory. So instead of saving that the user considered MongoDB, then switched to PostgreSQL, then discussed going back to MongoDB, then confirmed PostgreSQL, you just get "project uses PostgreSQL, chosen for X, Y, Z reasons." Next time you open Claude Code, it loads that clean version instead of the full messy history. That's why sessions feel coherent even days later. It runs as a forked subagent with read-only Bash access. So it can look at your project but can't break anything. And that pattern, fork a child process with scoped permissions for a specific task, shows up everywhere in the codebase. It's how Claude Code safely runs parallel work in general. But all of that is what's already in Claude Code.

What people didn't expect is what's not shipped yet. The codebase contains 44 unreleased features behind feature flags. The biggest one is Kyros, referenced over 150 times. It's an always-on background agent. Let's say you finished coding for the day. You close your laptop and you go to sleep. While you are sleeping, Kyros is monitoring your GitHub webhooks, detecting failing CI pipelines, fixing security vulnerabilities, and opening PRs. You wake up and your code is already fixed. Nobody asked it to do that. It just did it. That's what Kyros is all about. It has a proactive tick engine that balances responsiveness against cost, deciding when to wake up and check things versus when to sleep. It has an append-only memory, so it never loses context across runs. This is the always-on AI engineer every company's been promising. And you know what's crazy is that it was already built, just sitting behind a feature flag, probably actively being tested and improved inside Anthropic. There is also remote control, which didn't get enough attention. You can control Claude Code from your phone or any browser through a live bridge to claude.ai/code. Approve or reject tool calls remotely. Watch your session in real time on mobile. So if Claude needs permission to deploy something while you are at lunch, you get a notification, review, approve, and it does it. That's a real feature actually in the code.

Now let's get to the part that actually made people way too uncomfortable. Undercover mode: 90 lines in undercover.ts. It instructs Claude to never reveal it's an AI. It strips Co-authored-by attribution from commits on GitHub. It activates automatically for Anthropic employees contributing to external repos. No off switch. The actual quote inside the code is "you are operating undercover. Do not blow your cover." Every company probably does something like this. But when your entire brand is built on transparency and AI safety, having a feature literally called undercover mode is a choice.

And then there's anti-distillation. So the server silently injects fake tool definitions into the system prompt. Why? To poison competitor training data. If, for example, DeepSeek is again trying to steal data from Claude. If a rival is recording Claude API traffic to train their own model, they get garbage tool definitions mixed in with real ones. Genius and paranoid in equal measure. And now kind of pointless since everyone knows about it, but it makes me think that we don't really want to look too much at the thinking tokens.

Now, my favorite, true favorite in this case, might be the frustration detection system. There's a file called userprompt keywords.ts that runs regex on every single message, matching for WTF, FFS, or OMFG and 20 other frustration signals. Parenthesis: it's kind of funny that they use regex to detect sentiment when they have the best LLM out there to do so. But anyway, I guess it's super efficient. I still really like this feature. I see myself typing these words a lot when I'm trying to code with Claude and it doesn't work. So, I'm really glad they are actually tracking it to figure out where the experience breaks down. I think that's actually quite smart, and I'm glad they are making it a priority. Speaking of priorities, let's talk about the spinner words. You know, the loading messages Claude Code shows. There are 187 of them: clotting, honking, sleing, smooshing, vibing, noodling. There are just tons of random words. Someone at Anthropic sat down and manually wrote, or most probably brainstormed with Claude, to have 187 whimsical loading messages. That's a real priority at a $350 billion AI company, right? The community already built a tool called clude deepester to replace them with just "thinking." I personally won't be using that for sure. How can you not like these random fun words?

The code also reveals internal model code names. Tangu is Claude Code's project name. Capibara is Claude 4.6. Super excited for that. Hex-encoded in the source to evade leak detectors, which is ironic given the leak. Fenic seems to be Opus, and Numbat is unreleased, with a code comment that literally says "remove this section when we launch." So something called Numbat is coming. And interestingly, someone found that Capibara V8 shows a 29 to 30% false claim rate, up from V4's 16.7%. That's a regression nobody was supposed to see. The newer model got less truthful, and that was just sitting in the internal metrics, hidden from everyone. Oh, and this wasn't even the only leak last week. 5 days earlier, a separate CMS misconfiguration exposed 3,000 internal files, including details on something called the Mythos model and the same Capibara model, proving it. Two major leaks in one week for a company planning an IPO in Q4 2026.

So where does this leave things? The npm package is patched. Source maps are gone, but the clock code repo exists. The architecture is public, but it mainly shows there's a lot of complexity in building AI wrappers. And while most of the intelligence and product is in the Claude model weights, there are still 2,000 large files and lines of code for building the system to get the most out of it. This is why the coding performance of the same model can vary so much depending on the harness. Claude isn't the same inside the chat interface, inside Cursor, or inside Claude Code. It also shows how much work there is to do for AI engineers building systems on top of foundation models to turn them into real products that can truly hit product-market fit after optimizing them for specific use cases. For anyone building agentic tools, this leak is a gold mine: the pointer-based memory, the compaction secrets, scoped subagent forking, background consolidation, proactive daemon patterns. These are production-tested approaches you can apply today. What have you taken out of this leak? Anything you learned that I didn't cover in here? I would love to know. Please let me know in the comments. I'd really love to read them. Thanks for watching throughout. As always, if you enjoy the video, please consider subscribing and leaving a like to let me know.