FilterHN

The Claude Code Source Leak: fake tools, frustration regexes, undercover mode

144 points

by alex000kim

6 hours ago

| past

| 14 comments

| alex000kim.com

| HN

▲

peacebeard

45 minutes ago

[-]

The name "Undercover mode" and the line `The phrase "Claude Code" or any mention that you are an AI` sound spooky, but after reading the source my first knee-jerk reaction wouldn't be "this is for pretending to be human" given that the file is largely about hiding Anthropic internal information such as code names. I encourage looking at the source itself in order to draw your conclusions, it's very short: https://github.com/alex000kim/claude-code/blob/main/src/util...

▲

dkenyser

41 minutes ago

[-]

> my first knee-jerk reaction wouldn't be "this is for pretending to be human"...

"Write commit messages as a human developer would — describe only what the code change does."

▲

amarant

12 minutes ago

[-]

That seems desirable? Like that's what commit messages are for. Describing the change. Much rather that than the m$ way of putting ads in commit messages

▲

peacebeard

35 minutes ago

[-]

~That line isn't in the file I linked, care to share the context? Seems pretty innocuous on its own.~

[edit] Never mind, find in page fail on my end.

▲

stordoff

28 minutes ago

[-]

It's in line 56-57.

▲

peacebeard

17 minutes ago

[-]

Thanks! I must have had a typo when I searched the page.

▲

andoando

18 minutes ago

[-]

I think the motivation is to let developers use it for work without making it obvious theyre using AI

▲

ryandrake

14 minutes ago

[-]

Which is funny given how many workplaces are requiring developers use AI, measuring their usage, and stack ranking them by how many tokens they burn. What I want is something that I can run my human-created work product through to fool my employer and its AI bean counters into thinking I used AI to make it.

▲

__blockcipher__

29 minutes ago

[-]

Undercover mode seems like a way to make contributions to OSS when they detect issues, without accidentally leaking that it was claude-mythos-gigabrain-100000B that figured out the issue

▲

stavros

19 minutes ago

[-]

What does non-undercover do? Where does CC leave metadata mainly? I haven't noticed anything.

▲

Reason077

15 minutes ago

[-]

> "Anti-distillation: injecting fake tools to poison copycats"

Plot twist: Chinese competitors end up developing real, useful versions of Claude's fake tools.

▲

ripbozo

47 minutes ago

[-]

I don't understand the part about undercover mode. How is this different from disabling claude attribution in commits (and optionally telling claude to act human?)

On that note, this article is also pretty obviously AI-generated and it's unfortunate the author didn't clean it up.

▲

giancarlostoro

41 minutes ago

[-]

It's people overreacting, the purpose of it is simple, don't leak any codenames, project names, file names, etc when touching external / public facing code that you are maintaining using bleeding edge versions of Claude Code. It does read weird in that they want it to write as if a developer wrote a commit, but it might be to avoid it outputting debug information in a commit message.

▲

ramon156

26 minutes ago

[-]

Even some of these comments are obviously Ai-assisted. I hate that I recognize it.

▲

causal

30 minutes ago

[-]

I'm amazed at how much of what my past employers would call trade secrets are just being shipped in the source. Including comments that just plainly state the whole business backstory of certain decisions. It's like they discarded all release harnesses and project tracking and just YOLO'd everything into the codebase itself.

▲

CharlieDigital

22 minutes ago

[-]

Comments are the ultimate agent coding hack. If you're not using comments, you're doing agent coding wrong.

Why? Agents may or may not read docs. It may or may not use skills or tools. It will always read comments "in the line of sight" of the task.

You get free long term agent memory with zero infrastructure.

▲

perching_aix

49 seconds ago

[-]

Agents and I apparently have a whole lot in common.

▲

JambalayaJimbo

14 minutes ago

[-]

I guess they weren't expecting a leak of the source code? It's very handy to have as much as possible available in the codebase itself.

▲

pixl97

28 minutes ago

[-]

Project trackers come and go, but code is forever, hopefully?

▲

treexs

15 minutes ago

[-]

well yeah since they tell claude code the business decisions and it creates the comments

▲

simianwords

44 minutes ago

[-]

> The multi-agent coordinator mode in coordinatorMode.ts is also worth a look. The whole orchestration algorithm is a prompt, not code.

So much for langchain and langraph!! I mean if Anthropic themselves arent using it and using a prompt then what’s the big deal about langchain

▲

ossa-ma

3 minutes ago

[-]

Langchain is for model-agnostic composition. Claude Code only uses one interface to hoist its own models so zero need for an abstraction layer.

Langgraph is for multi-agent orchestration as state graphs. This isn't useful for Claude Code as there is no multi-agent chaining. It uses a single coordinator agent that spawns subagents on demand. Basically too dynamic to constrain to state graphs.

▲

rolymath

33 minutes ago

[-]

You didn't even use it yet.

▲

space_fountain

29 minutes ago

[-]

I've tried to use langchain. It seemed to force code into their way of doing things and was deeply opinionated about things that didn't matter like prompt templating. Maybe it's improved since then, but I've sort of used people who think langchain is good as a proxy for people who haven't used much ai?

▲

simianwords

32 minutes ago

[-]

▲

mzajc

22 minutes ago

[-]

There are now several comments that (incorrectly?) interpret the undercover mode as only hiding internal information. Excerpts from the actual prompt[0]:

  NEVER include in commit messages or PR descriptions:
  - The phrase "Claude Code" or any mention that you are an AI
  - Co-Authored-By lines or any other attribution

  BAD (never write these):
  - 1-shotted by claude-opus-4-6
  - Generated with Claude Code
  - Co-Authored-By: Claude Opus 4.6 <…>

This very much sounds like it does what it says on the tin, i.e. stays undercover and pretends to be a human. It's especially worrying that the prompt is explicitly written for contributions to public repositories.

[0]: https://github.com/chatgptprojects/claude-code/blob/642c7f94...

▲

otterley

19 minutes ago

[-]

I would have expected people (maybe a small minority, but that includes myself) to have already instructed Claude to do this. It’s a trivial instruction to add to your CLAUDE.md file.

▲

andoando

19 minutes ago

[-]

Ive seen it say coauthored by claude code on my prs...and I agree I dont want it to do that

▲

petcat

17 minutes ago

[-]

It's less about pretending to be a human and more about not inviting scrutiny and ridicule toward Claude if the code quality is bad. They want the real human to appear to be responsible for accepting Claud's poor output.

▲

otterley

14 minutes ago

[-]

That’s ultimately the right answer, isn’t it? Bad code is bad code, whether a human wrote it all, or whether an agent assisted in the endeavor.

▲

hombre_fatal

16 minutes ago

[-]

You can already turn off "Co-Authored-By" via Claude Code config. This is what their docs show:

~/.claude/settings.json

    {
      "attribution": {
        "commit": "",
        "pr": ""
    },

The rest of the prompt is pretty clear that it's talking about internal use.

Claude Code users aren't the ones worried about leaking "internal model codenames" nor "unreleased model opus-4-8" nor Slack channel names. Though, nobody would want that crap in their generated docs/code anyways.

Seems like a nothingburger, and everyone seems to be fantasizing about "undercover mode" rather than engaging with the details.

▲

saadn92

19 minutes ago

[-]

The feature flag names alone are more revealing than the code. KAIROS, the anti-distillation flags, model codenames those are product strategy decisions that competitors can now plan around. You can refactor code in a week. You can't un-leak a roadmap.

▲

stavros

17 minutes ago

[-]

Can someone clarify how the signing can't be spoofed (or can it)? If we have the source, can't we just use the key to now sign requests from other clients and pretend they're coming from CC itself?

▲

pixl97

1 hour ago

[-]

>Claude Code also uses Axios for HTTP.

Interesting based on the other news that is out.

▲

alex000kim

1 hour ago

[-]

Oh right, I just saw https://news.ycombinator.com/item?id=47582220 will update the post with this link

▲

greenavocado

36 minutes ago

[-]

What version?

▲

Stagnant

31 minutes ago

[-]

1.13.6, so should not be affected by the malware

▲

motbus3

21 minutes ago

[-]

I am curious about these fake tools.

They would either need to lie about consuming the tokens at one point to use in another so the token counting was precise.

But that does not make sense because if someone counted the tokens by capturing the session it would certainly not match what was charged.

Unless they would charge for the fake tools anyway so you never know they were there

▲

seanwilson

46 minutes ago

[-]

Anyone else have CI checks that source map files are missing from the build folder? Another trick is to grep the build folder for several function/variable names that you expect to be minified away.

▲

simianwords

53 minutes ago

[-]

> The obvious concern, raised repeatedly in the HN thread: this means AI-authored commits and PRs from Anthropic employees in open source projects will have no indication that an AI wrote them. It’s one thing to hide internal codenames. It’s another to have the AI actively pretend to be human.

I don’t get it. What does this mean? I can use Claude code now without anyone knowing it is Claude code.

▲

alex000kim

49 minutes ago

[-]

technically you're correct, but look at the prompt https://github.com/alex000kim/claude-code/blob/main/src/util...

it's written to _actively_ avoid any signs of AI generated code when "in a PUBLIC/OPEN-SOURCE repository".

Also, it's not about you. Undercover mode only activates for Anthropic employees (it's gated on USER_TYPE === 'ant', which is a build-time flag baked into internal builds).

▲

simianwords

47 minutes ago

[-]

I don’t know what you mean. It just informs to not use internal code names.

▲

robflynn

43 minutes ago

[-]

It also says don't announce that you are AI in any way including asking it to not say "Co-authored by Claude". I read the file myself.

I'm still inclined to think people might be overreacting to that bit since it seems to be for anthropic-only to prevent leaking internal info.

But I did read the prompt and it did say hide the fact that you are AI.

▲

simianwords

36 minutes ago

[-]

Why does that matter though

▲

giancarlostoro

44 minutes ago

[-]

I agree with you, I think people are overthinking this.

▲

slopinthebag

51 minutes ago

[-]

I think it means OSS projects should start unilaterally banning submissions from people working for Anthropic.

▲

simianwords

48 minutes ago

[-]

Why? What does this have to do with the leak

▲

simianwords

50 minutes ago

[-]

Guys I’m somewhat suspicious of all the leaks from Anthropic and think it may be intentional. Remember the leaked blog about Mythos?

▲

__blockcipher__

27 minutes ago

[-]

I'm normally suspicious but honestly they've been so massively supply-constrained that I don't think it really benefits them much. They're not worried about getting enough demand for the new models; they're worrying about keeping up with it.

Granted, there's a small counterargument for mythos which is that it's probably going to be API-only not subscription

▲

simianwords

18 minutes ago

[-]

Why would Claude code mention Mythos then

▲

Analemma_

11 minutes ago

[-]

It's possible, but Anthropic employees regularly boast (!) that Claude Code is itself almost entirely vibe-coded (which certainly seems true, based on the generally-low quality of the code in this leak), so it wouldn't at all surprise me to have that blow up twice in the same week. Probably it might happen with accelerating frequency as the codebase gets more and more unmanageable.

▲

OfirMarom

1 hour ago

[-]

Undercover mode is the most concerning part here tbh.

▲

anonymoushn

51 minutes ago

[-]

why

▲

AnimalMuppet

41 minutes ago

[-]

Well, as a general rule, I don't do business with people who lie to me.

You've got a business, and you sent me junk mail, but you made it look like some official government thing to get me to open it? I'm done, just because you lied on the envelope. I don't care how badly I need your service. There's a dozen other places that can provide it; I'll pick one of them rather than you, because you've shown yourself to be dishonest right out of the gate.

Same thing with an AI (or a business that creates an AI). You're willing to lie about who you are (or have your tool do so)? What else are you willing to lie to me about? I don't have time in my life for that. I'm out right here.

▲

otterley

11 minutes ago

[-]

Out of curiosity, given two code submissions that are completely identical—one written solely by a human and one assisted by AI—why should its provenance make any difference to you? Is it like fine art, where it’s important that Picasso’s hand drew it? Or is it like an instruction manual, where the author is unimportant?

Similarly, would you consider it to be dishonest if my human colleague reviewed and made changes to my code, but I didn’t explicitly credit them?

▲

AnimalMuppet

1 minute ago

[-]

Why does the provenance make any difference? Let me increase your options. Option 1: You completely hand-wrote it. Option 2: You were assisted by an AI, but you carefully reviewed it. Option 3: You were assisted by an AI (or the AI wrote the whole thing), and you just said, "looks good, YOLO".

Even if the code is line-for-line identical, the difference is in how much trust I am willing to give the code. If I have to work in the neighborhood of that code, I need to know what degree of skepticism I should be viewing it with.

▲

simianwords

39 minutes ago

[-]

What’s the lie? It’s just asking to not reveal internal names