Anthropic accidentally published the entire TypeScript source code of Claude Code to npm on March 31, 2026. This was the second time. Copyright will protect the expression. Trade secret law will not protect most of what was exposed. The gap between those two outcomes flows from case law that courts will apply without modification, because the doctrine has not changed and does not need to.
What actually happened
Version 2.1.88 of the @anthropic-ai/claude-code npm package shipped with a 59.8 MB source map file that should never have been included. Source maps are debugging artifacts. They bridge minified production code and the original human-readable source. Claude Code is built on Bun's bundler, which generates source maps by default unless explicitly disabled. The .map file was not excluded via .npmignore or bundler configuration.
The .map file referenced a publicly accessible Cloudflare R2 storage bucket containing the full, unobfuscated TypeScript source as a ZIP archive. No authentication. No access controls. No terms of use. Security researcher Chaofan Shou found it and posted the discovery to X at 4:23 AM ET. Within hours, the 1,900-file codebase was mirrored across multiple GitHub repositories. Major technology publications dissected it. The original post accumulated millions of views.
What was exposed: the full system prompt; tool orchestration architecture; permission model; multi-agent coordination logic (Coordinator Mode); unreleased features including an always-on daemon codenamed KAIROS; internal model codenames; internal quality metrics showing a 29-30% false claims rate in the latest Capybara iteration; and a feature called "Undercover Mode" designed to erase AI traces from commit records when Anthropic employees contribute to public open-source repositories. What was not exposed: model weights, training data, API keys, customer data.
Anthropic pulled the package and attributed the incident to human error in release packaging. The irony is pointed. Anthropic built Undercover Mode specifically to prevent information leakage from AI-assisted commits. It defeated that system with a build configuration oversight. And this was not the first time: a substantially identical source map exposure occurred in early 2025 and was patched. The same class of failure, with actual notice, repeated.
The copyright floor
The copyright analysis is favorable to Anthropic and clean.
Copyright attaches automatically to original works of authorship at the moment of creation. 17 U.S.C. § 102. Registration is not required for protection to exist, though it is required to sue for statutory damages and attorney's fees in federal court. Anthropic is the author and owner of the Claude Code source. Accidental publication does not abandon copyright. There is no finders-keepers doctrine. Publication without a license is not a license.
The GitHub mirror repositories are straightforward infringement: unauthorized reproduction and distribution under 17 U.S.C. § 106. DMCA takedowns are the immediate remedy. At least one of the original uploaders removed his mirror voluntarily, citing concern about legal liability for hosting Anthropic's intellectual property.
Copyright has a structural ceiling that matters here. 17 U.S.C. § 102(b) provides that copyright does not extend to "any idea, procedure, process, system, method of operation, concept, principle, or discovery." Copyright protects expression. It does not protect architectural patterns, design concepts, or functional logic embedded in that expression.
In the Claude Code leak, disassembly was not necessary. Anthropic handed the unobfuscated source to the public directly. Sega established the fair use floor for reverse engineering the functional elements of copyrighted software. The leak eliminated the need for reverse engineering entirely. The architectural concepts, tool-calling patterns, permission model, and multi-agent orchestration logic are now reachable by anyone who reads the code, and the copyright claim cannot stop that.
Anthropic can force takedowns of verbatim mirrors. It can sue anyone who copies code line-for-line or creates derivative works incorporating its protectable expression. It cannot stop anyone from reading, understanding, and independently reimplementing the architectural concepts. Those are ideas and methods of operation. Under § 102(b), they are free to study and free to rebuild.
The trade secret problem
Trade secret law is where Anthropic's position fractures.
Trade secret protection under the Defend Trade Secrets Act, 18 U.S.C. § 1839(3), and the Uniform Trade Secrets Act requires three elements: the information derives independent economic value from not being generally known to persons who can obtain value from its disclosure; the information is not readily ascertainable by proper means; and the owner has taken reasonable efforts to maintain its secrecy. The critical asymmetry from copyright: trade secret protection can be destroyed by the holder's own conduct. Copyright cannot. Ruckelshaus states the governing rule:
If an individual discloses his trade secret to others who are under no obligation to protect the confidentiality of the information, or otherwise publicly discloses the secret, his property right is extinguished.
Extinguished. Not diminished. Extinguished.
The prosecution's best case. If you are defending Anthropic's trade secret position, you build from the principle that the law requires reasonable measures, not perfect ones.
Anthropic did take protective steps. Claude Code was distributed as obfuscated, minified JavaScript. The company maintained the product as proprietary, closed-source software. The .map file inclusion was a build pipeline error, not a deliberate act of publication. A single misconfiguration within an otherwise comprehensive security program does not automatically negate reasonable measures.
The prosecution would also invoke the "obscure or transient" publication doctrine.
The .map file was buried inside an npm package, not linked on a public webpage and not indexed by search engines. Specific sub-components among those 512,000 lines may not have been individually parsed and disseminated before removal. For those elements, trade secret status survives.
The prosecution would also invoke the Netcom line on continuing intent.
Anthropic's immediate takedown and public assertion of proprietary rights fits within Netcom. And even after broad disclosure, a competitor that acquires the code with actual knowledge of its trade secret origin and uses it commercially may face liability. The combination of all exposed elements into an integrated system may independently qualify as a combination trade secret, even if individual components became publicly known.
That is the prosecution's best case. It is credible in part, and it fails in whole.
The defense wins. Anthropic published the code to npm, the world's largest JavaScript package registry. npm is a public platform. Anyone in the world could download the package. No NDA attached to the download. No terms of service restricting access to the .map file contents. No encryption on the R2 bucket. No password. No access control. Under Ruckelshaus, disclosure to persons under no obligation to maintain confidentiality extinguishes the property right.
Arkeyo catalogued what "reasonable measures" require in the software context: random URL names, HTTPS encryption, password protection, code obfuscation, and terms of use restricting reverse engineering. Anthropic failed on every metric with respect to the source map file and the R2 bucket. Arkeyo is particularly instructive because, like the Claude Code leak, it involved software distributed as a downloadable archive. The plaintiff argued that distributing executable code rather than source preserved secrecy. The court rejected the argument: the executable "could be translated into source code through the relatively simple process of decompilation," and the position that software was not publicly available because it appeared only in executable form was unjustifiable. Anthropic's position is weaker. It distributed the actual source.
In CSS v. Herrington, the court found that placing source code on a server without any confidentiality requirements could not constitute reasonable measures. Swap "county servers" for "npm registry" and the facts are functionally identical.
The repeat failure is decisive. Anthropic had actual notice from the 2025 incident that its build pipeline could publish source maps to the public npm registry. It patched the issue. The same class of failure recurred. Courts evaluating "reasonable measures" consider the totality of the protection program. A repeat identical failure after actual notice is among the worst facts a trade secret holder can present.
The "obscure publication" defense fails on the facts too. Netcom held that posting works to the internet makes them "generally known to the relevant people" where millions could access them. The original X post accumulated millions of views. Major technology outlets covered the story within hours. The code was mirrored across multiple public repositories. The relevant competitors are precisely the people most likely to have seen it.
Once a trade secret is posted on the internet, it is effectively part of the public domain, impossible to retrieve.
And it was Anthropic, not a third-party bad actor, that placed the code in the public domain.
Accessing a file published to a public registry by the trade secret holder is, by definition, discovery through the holder's own accidental disclosure. Downstream users face no trade secret liability. Anyone who downloaded the @anthropic-ai/claude-code package through npm's standard interface committed no misconduct under Lerma.
The competitor question
Every IP lawyer reading this is asking the same question: what can Google, OpenAI, Cursor, and every other AI coding tool developer legally do with this information?
Direct code copying is copyright infringement and potentially trade secret misappropriation for any elements retaining protection. Proving direct copying requires forensic analysis of the competitor's codebase, discovery, and litigation. Given that many of the architectural patterns in Claude Code (tool-calling, multi-agent orchestration, permission gates) are becoming industry-standard, proving copying over independent development will be extremely difficult.
Architectural inspiration without code copying is a different legal situation. A competitor reads the leaked code, understands the design patterns, and writes its own implementation from scratch. Under § 102(b), ideas and methods of operation are not copyrightable. Under Kewanee, independent development is a defense to trade secret misappropriation. Under Sega, extracting functional elements from copyrighted software is fair use. This scenario is legally permissible and practically inevitable.
The clean room defense has been standard practice since Sega (1993) and Sony Computer Entertainment, Inc. v. Connectix Corp., 203 F.3d 596 (9th Cir. 2000). One team reads and documents the concepts. A separate team that never saw the original code implements based on the documented concepts. Sophisticated competitors are already running this playbook.
The competitive intelligence dimension may matter more than the code itself. The leak revealed internal model performance benchmarks: a 29-30% false claims rate in the latest Capybara variant, an actual regression from earlier iterations. It revealed the full product roadmap, the feature pipeline, and architectural decisions that took Anthropic years to develop. Code can be rewritten. The disclosure that your frontier model has a 30% false claims rate cannot be undone. Competitors can now calibrate their own products against Anthropic's internal benchmarks with precision that would previously have required a different kind of access.
There is also the self-hosting question. The leaked code is the CLI client, not the model weights. The orchestration logic, tool-calling system, system prompts, and memory architecture could in principle be wired to a different LLM backend. Using Anthropic's actual code to do this is copyright infringement. Rewriting the concepts from scratch, based on the now-public architectural knowledge, occupies the space that § 102(b) was designed to leave open. Cleanroom replicas are being developed. The real moat was never the CLI. Model quality, API infrastructure, enterprise trust, and brand are the moat. The CLI is a sophisticated wrapper. A valuable one. But a wrapper.
How a court would rule
If Anthropic sought a preliminary injunction enjoining distribution and asserting broad trade secret protection, the outcome breaks cleanly.
Copyright injunction: granted. Anthropic can force takedowns of verbatim mirrors and pursue infringement claims against anyone who copies or redistributes the source in its original form. The copyright analysis is clean. The harm is irreparable.
Broad trade secret injunction: denied. The combination of unprotected publication to a public registry, a publicly accessible R2 bucket without authentication, a prior identical failure in early 2025 that put the company on actual notice, and the massive scale and speed of public dissemination forecloses a finding of reasonable measures or continuing secrecy for the broadly disseminated elements. Ruckelshaus, Arkeyo, and CSS v. Herrington cover this ground.
Narrow trade secret claims: possible, but Anthropic bears the burden. Specific, narrowly defined sub-components that were not individually parsed and disseminated may retain protection. A blanket assertion over the entire codebase is insufficient given the scope of dissemination. A court would likely permit Anthropic to identify, under seal, specific code segments for which it asserts continuing protection and require particularized showings.
Downstream user liability: denied. Under Lerma, individuals who downloaded code from public sources committed no misconduct. Downloading a published npm package is not an improper act.
For in-house counsel
This incident is a case study in preventable IP destruction. If you are advising an AI company, the takeaways are operational.
Audit your build pipelines. Run npm pack --dry-run before every release. Source maps are source code. This is a build configuration problem, not a security architecture problem. That makes it both more embarrassing and more preventable.
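What that audit can look like as an automated release gate, as an added example (not code from Anthropic or from this article): it takes the file list that npm pack --dry-run --json reports and flags shipped .map files, sourceMappingURL comments, embedded sourcesContent, and absolute source URLs. The function names, the example-cli package, and the bucket.example URL are constructed for illustration.

```javascript
// Added example: release gate over the parsed output of `npm pack --dry-run --json`.
// Function names and all sample data are constructed for illustration.
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/;

// A map leaks in two ways: it embeds the original files (sourcesContent)
// or it points at where they are hosted (absolute URLs).
function auditMap(path, text) {
  let map;
  try {
    map = JSON.parse(text);
  } catch {
    return [{ path, rule: "map-unparseable", detail: "review by hand" }];
  }
  const out = [];
  const embedded = (map.sourcesContent || []).filter((s) => typeof s === "string");
  if (embedded.length > 0) {
    out.push({ path, rule: "embedded-source", detail: `${embedded.length} file(s)` });
  }
  const remote = [map.sourceRoot, ...(map.sources || [])]
    .filter((s) => typeof s === "string" && /^https?:\/\//i.test(s));
  if (remote.length > 0) {
    out.push({ path, rule: "remote-source-url", detail: remote[0] });
  }
  return out;
}

// packReport: array parsed from `npm pack --dry-run --json`.
// readText(path): returns a packed file's text (injected, so this runs anywhere).
function auditPack(packReport, readText) {
  const findings = [];
  for (const pkg of packReport) {
    for (const { path, size } of pkg.files) {
      if (path.endsWith(".map")) {
        findings.push({ path, rule: "map-file-shipped", detail: `${size} bytes` });
        findings.push(...auditMap(path, readText(path)));
      } else if (/\.[cm]?js$/.test(path)) {
        const m = MAP_COMMENT.exec(readText(path));
        if (!m) continue;
        const inline = m[1].startsWith("data:");
        findings.push({ path, rule: inline ? "inline-source-map" : "map-reference",
          detail: inline ? "data: URI" : m[1] });
      }
    }
  }
  return findings;
}

// Constructed sample package: one bundle, one map that embeds and links its source.
const SAMPLE_FILES = {
  "package.json": '{"name":"example-cli","version":"0.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({ version: 3, file: "cli.js",
    sourceRoot: "https://bucket.example/src/", sources: ["main.ts"],
    sourcesContent: ["export const x: number = 1;"], mappings: "AAAA" }),
};
const SAMPLE_REPORT = [{ name: "example-cli", version: "0.0.0",
  files: Object.keys(SAMPLE_FILES).map((p) => ({ path: p, size: SAMPLE_FILES[p].length })) }];

const sampleFindings = auditPack(SAMPLE_REPORT, (p) => SAMPLE_FILES[p]);
console.log(sampleFindings.map((f) => `${f.rule}: ${f.path} (${f.detail})`).join("\n"));
```

In a pipeline, a non-empty findings array should fail the publish step; the reader callback would read from the unpacked tarball rather than an in-memory object.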
Layer your IP protection. Trade secrets are fragile. Copyright is not. Do not rely on trade secret protection alone when copyright, patent (where applicable), and contractual protections (license terms, terms of service, access restrictions) should all be operating in parallel. A single build pipeline failure can vaporize your trade secret position overnight. Copyright survives.
Implement the Arkeyo checklist. For any proprietary software distributed over the internet, courts will measure your "reasonable measures" against a concrete set of industry-standard protections: encryption, access controls, password protection, code obfuscation, confidentiality labels, and terms of use restricting reverse engineering. If you are not checking every one of those boxes, you are building a legal position that the first adverse ruling will collapse.
Assume your code will leak. Design your competitive moat around elements that survive disclosure: model quality, data assets, customer relationships, enterprise trust, speed of execution. If your moat depends on keeping your CLI source code secret, your moat is made of sand.
Document your security program. Courts evaluate "reasonable measures" based on the totality of the protection program. A robust program that suffers a single accidental disclosure presents a stronger argument than a program with documented gaps. Documentation is evidence. Absence of documentation is evidence too.
Respond immediately. Speed of response matters for the "continuing intent to maintain secrecy" argument under Netcom. Anthropic's rapid takedown strengthens its partial-survival argument for narrow sub-components. Delay would have been fatal even to those narrow claims.
The doctrine's limitations
There is no federal AI source code protection framework. There is no statute that addresses what happens when a $2.5 billion AI product accidentally publishes itself to a public package registry. This will be litigated under copyright law from 1976, trade secret doctrine rooted in Ruckelshaus (1984), and fair use principles from Sega (1993). Courts are not inventing new rules for AI companies. They are applying the same framework they have always applied to software trade secrets.
And that framework says: if you cannot keep it secret, you do not get to call it a secret.
The UTSA was drafted in 1979. The key internet-disclosure cases are from the mid-1990s, when "posting to the internet" meant a Usenet newsgroup, not npm. The doctrinal framework is sound. The threat surface has changed by orders of magnitude. A single misconfigured .npmignore accomplishes in seconds what industrial espionage used to take months to execute.
The fundamental asymmetry is the moat question for every AI company building proprietary tooling. Copyright survives any disclosure. Trade secrets do not. The real legal moat is copyright protecting expression. The real competitive moat is the model, which was not leaked. The CLI architecture was always one misconfigured build pipeline away from becoming public knowledge.
And now it is.
[^1]: The Vertical Bridge REIT court's "reasonable measures" language tracks the broader UTSA and DTSA standard. The case involved misappropriation of infrastructure site-selection data, a factually different context from source code distribution, but the "question of fact" holding on reasonable measures is directly applicable to the motion-stage posture of any Anthropic trade secret claim.
[^2]: Art of Living Foundation v. Does 1-10, No. 5:10-cv-05022 (N.D. Cal. Jun. 15, 2011) applied the "obscure or transient" doctrine from DVD CCA v. Bunner to third-party publication of religious texts. The factual parallel to the Claude Code leak is limited because in Art of Living the publication was by a third party, not the trade secret holder itself. The case is cited in the draft but omitted from the body here because the Bunner principle is cleaner and the third-party/self-publication distinction matters analytically.
[^3]: The "combination trade secret" theory holds that the combination of individually known elements may itself qualify as a protectable secret when the combination provides economic value not derivable from the components. This is the strongest residual trade secret argument Anthropic has for the integrated architecture. But applying it requires Anthropic to identify, with specificity, which combinations are protectable and to demonstrate that those combinations were not themselves disseminated. Given the technical depth of the Hacker News threads and VentureBeat analysis, that showing will be difficult.