After a momentous source code leak from the US company Anthropic, it is becoming apparent that its developer tool Claude Code contains significantly deeper system accesses and data collection routines than previously known. The complete source code, which was accidentally published on the developer platform npm at the end of March, shows extensive telemetry and remote maintenance functions, according to independent analyses.

According to security experts, more than 500,000 lines of TypeScript code became unprotected after Anthropic accidentally integrated an internal “source map” file into version 2.1.88. The company confirmed the error and spoke of “human error”, but stressed that there had been no external attack and no leakage of personal customer data.

However, experts who have examined the published code report an in-depth insight into how the system works. Claude Code logs almost every action locally, including files read, executed shell commands, and code changes made. In addition, the application contains routines for hourly communication with Anthropic servers and allows the provider to change configurations and functions remotely. According to code comments, at least six hidden “killswitches” even allowed the immediate shutdown of a running instance.

In addition, the existence of internal, previously unpublished developments became apparent. These include the DiscoverSkills tool for automatic search and assignment of programming skills, an autonomous agent mode (KAIROS) and a so-called “undercover mode” that can disguise AI use in open repositories.

The incident is already the second data breach at Anthropic within a week. Only shortly before, details of an as yet unreleased model called Mythos had become known due to a misconfiguration in a content management system.

For developers who use Claude Code productively, the leak raises significant privacy and compliance questions. Experts recommend reviewing and restricting the tool’s local access rights as long as it remains unclear to what extent telemetry data can continue to be transmitted to Anthropic. The company said it had removed the faulty versions and initiated “intensified internal review processes”.

The article was originally published by LabNews Media LLC.

Editor: X-Press Journalistenbüro GbR

Gender Notice. The personal designations used in this text always refer equally to female, male and diverse persons. Double/triple naming and gendered designations are used for better readability. ected.