
Posted by alex000kim 6 hours ago

The Claude Code Source Leak: fake tools, frustration regexes, undercover mode (alex000kim.com)
167 points | 64 comments
peacebeard 51 minutes ago|
The name "Undercover mode" and the line `The phrase "Claude Code" or any mention that you are an AI` sound spooky, but after reading the source my first knee-jerk reaction wouldn't be "this is for pretending to be human", given that the file is largely about hiding Anthropic-internal information such as code names. I encourage looking at the source itself to draw your own conclusions; it's very short: https://github.com/alex000kim/claude-code/blob/main/src/util...
dkenyser 47 minutes ago||
> my first knee-jerk reaction wouldn't be "this is for pretending to be human"...

"Write commit messages as a human developer would — describe only what the code change does."

amarant 17 minutes ago|||
That seems desirable? Like, that's what commit messages are for: describing the change. I'd much rather have that than the m$ way of putting ads in commit messages.
peacebeard 41 minutes ago|||
~That line isn't in the file I linked, care to share the context? Seems pretty innocuous on its own.~

[edit] Never mind, find in page fail on my end.

stordoff 34 minutes ago||
It's on lines 56-57.
peacebeard 23 minutes ago||
Thanks! I must have had a typo when I searched the page.
andoando 24 minutes ago|||
I think the motivation is to let developers use it for work without making it obvious they're using AI
ryandrake 20 minutes ago||
Which is funny given how many workplaces are requiring developers to use AI, measuring their usage, and stack-ranking them by how many tokens they burn. What I want is something I can run my human-created work product through to fool my employer and its AI bean counters into thinking I used AI to make it.
__blockcipher__ 34 minutes ago|||
Undercover mode seems like a way to make contributions to OSS when they detect issues, without accidentally leaking that it was claude-mythos-gigabrain-100000B that figured out the issue
stavros 25 minutes ago||
What does non-undercover do? Where does CC leave metadata mainly? I haven't noticed anything.
sprobertson 1 minute ago||
It likes mentioning itself in commit messages, though you can just tell it not to.
stavros 18 seconds ago||
Ah, thanks, it hasn't done it for mine so I was wondering if there's something lower-level somehow.
Reason077 21 minutes ago||
> "Anti-distillation: injecting fake tools to poison copycats"

Plot twist: Chinese competitors end up developing real, useful versions of Claude's fake tools.

ripbozo 52 minutes ago||
I don't understand the part about undercover mode. How is this different from disabling claude attribution in commits (and optionally telling claude to act human?)

On that note, this article is also pretty obviously AI-generated and it's unfortunate the author didn't clean it up.

giancarlostoro 47 minutes ago||
It's people overreacting. The purpose is simple: don't leak any codenames, project names, file names, etc. when touching external/public-facing code that you are maintaining using bleeding-edge versions of Claude Code. It does read oddly in that they want it to write as if a developer wrote the commit, but it might be to avoid it outputting debug information in a commit message.
ramon156 31 minutes ago||
Even some of these comments are obviously AI-assisted. I hate that I recognize it.
causal 35 minutes ago||
I'm amazed at how much of what my past employers would call trade secrets are just being shipped in the source. Including comments that just plainly state the whole business backstory of certain decisions. It's like they discarded all release harnesses and project tracking and just YOLO'd everything into the codebase itself.
CharlieDigital 27 minutes ago||
Comments are the ultimate agent coding hack. If you're not using comments, you're doing agent coding wrong.

Why? Agents may or may not read docs. They may or may not use skills or tools. They will always read comments "in the line of sight" of the task.

You get free long term agent memory with zero infrastructure.
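A minimal sketch of the idea (names and rationale entirely hypothetical): the business context lives as a comment right next to the code it explains, so any agent editing this function reads it without needing separate docs or tools:

```python
# Context for future maintainers (and coding agents): the retry cap is 3
# because the upstream rate limiter blocks clients after 4 rapid failures.
# An agent asked to "make this more resilient" sees this rationale
# "in the line of sight" of the edit.
MAX_RETRIES = 3

def fetch_with_retries(fetch, retries=MAX_RETRIES):
    """Call `fetch` until it succeeds or the retry budget is exhausted."""
    last_error = None
    for _ in range(retries):
        try:
            return fetch()
        except ConnectionError as err:
            last_error = err
    raise last_error
```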

perching_aix 6 minutes ago||
Agents and I apparently have a whole lot in common.

Only being half ironic with this. I generally find that people somehow magically manage to understand how to help, when the subject is a helpless LLM. Instead of pointing it to a random KB page, they give it context. They then shorten that context. They then interleave context as comments. They provide relevant details. They go out of their way to collect relevant details. Things they somehow don't do for their actual colleagues.

This only gets worse when the LLM captures all that information better than certain human colleagues somehow, justifying the additional effort.

JambalayaJimbo 20 minutes ago|||
I guess they weren't expecting a leak of the source code? It's very handy to have as much as possible available in the codebase itself.
pixl97 34 minutes ago|||
Project trackers come and go, but code is forever, hopefully?
treexs 20 minutes ago||
Well yeah, since they tell Claude Code the business decisions and it creates the comments.
simianwords 49 minutes ago||
> The multi-agent coordinator mode in coordinatorMode.ts is also worth a look. The whole orchestration algorithm is a prompt, not code.

So much for langchain and langgraph! I mean, if Anthropic themselves aren't using it and are using a prompt instead, then what's the big deal about langchain?

ossa-ma 9 minutes ago||
Langchain is for model-agnostic composition. Claude Code only uses one interface to host its own models, so there's zero need for an abstraction layer.

Langgraph is for multi-agent orchestration as state graphs. That isn't useful for Claude Code, as there is no multi-agent chaining: it uses a single coordinator agent that spawns subagents on demand. Basically too dynamic to constrain to state graphs.
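The contrast can be sketched in a few lines (all names hypothetical, not from the leaked source): with a dynamic coordinator, the set of subagents is decided per task at runtime, so there is no fixed graph to declare up front:

```python
def plan(task):
    # Stand-in for an LLM call that decomposes the task at runtime;
    # the number and shape of subtasks isn't known before execution.
    return [f"{task}: step {i}" for i in (1, 2)]

def coordinator(task, spawn_subagent):
    # Spawn subagents on demand. A static state graph (LangGraph-style)
    # would require enumerating these nodes ahead of time.
    return [spawn_subagent(subtask) for subtask in plan(task)]
```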

simianwords 2 minutes ago||
You may have a point but to drive it further, can you give an example of a thing I can do with langgraph that I can't do with Claude Code?
rolymath 38 minutes ago||
You didn't even use it yet.
space_fountain 35 minutes ago|||
I've tried to use langchain. It seemed to force code into their way of doing things and was deeply opinionated about things that didn't matter, like prompt templating. Maybe it's improved since then, but I've sort of used people who think langchain is good as a proxy for people who haven't used much AI.
simianwords 38 minutes ago|||
?
mzajc 28 minutes ago||
There are now several comments that (incorrectly?) interpret the undercover mode as only hiding internal information. Excerpts from the actual prompt[0]:

  NEVER include in commit messages or PR descriptions:
  - The phrase "Claude Code" or any mention that you are an AI
  - Co-Authored-By lines or any other attribution

  BAD (never write these):
  - 1-shotted by claude-opus-4-6
  - Generated with Claude Code
  - Co-Authored-By: Claude Opus 4.6 <…>
This very much sounds like it does what it says on the tin, i.e. stays undercover and pretends to be a human. It's especially worrying that the prompt is explicitly written for contributions to public repositories.

[0]: https://github.com/chatgptprojects/claude-code/blob/642c7f94...

otterley 25 minutes ago||
I would have expected people (maybe a small minority, but that includes myself) to have already instructed Claude to do this. It’s a trivial instruction to add to your CLAUDE.md file.
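For instance (wording hypothetical, not taken from Anthropic's docs or the leaked prompt), a couple of lines in CLAUDE.md would do it:

```
Never mention Claude, AI assistance, or Co-Authored-By lines in commit
messages or PR descriptions. Write commit messages describing only what
the change does.
```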
andoando 24 minutes ago|||
I've seen it say co-authored by Claude Code on my PRs... and I agree, I don't want it to do that.
petcat 23 minutes ago|||
It's less about pretending to be a human and more about not inviting scrutiny and ridicule toward Claude if the code quality is bad. They want the real human to appear responsible for accepting Claude's poor output.
otterley 20 minutes ago||
That’s ultimately the right answer, isn’t it? Bad code is bad code, whether a human wrote it all, or whether an agent assisted in the endeavor.
hombre_fatal 21 minutes ago||
You can already turn off "Co-Authored-By" via Claude Code config. This is what their docs show:

~/.claude/settings.json

    {
      "attribution": {
        "commit": "",
        "pr": ""
      }
    }
The rest of the prompt is pretty clear that it's talking about internal use.

Claude Code users aren't the ones worried about leaking "internal model codenames", "unreleased model opus-4-8", or Slack channel names. Though nobody would want that crap in their generated docs/code anyway.

Seems like a nothingburger, and everyone seems to be fantasizing about "undercover mode" rather than engaging with the details.

saadn92 25 minutes ago||
The feature flag names alone are more revealing than the code. KAIROS, the anti-distillation flags, the model codenames: those are product-strategy decisions that competitors can now plan around. You can refactor code in a week. You can't un-leak a roadmap.
stavros 23 minutes ago||
Can someone clarify how the signing can't be spoofed (or can it)? If we have the source, can't we just use the key to now sign requests from other clients and pretend they're coming from CC itself?
MadsRC 3 minutes ago|
What signing?

Are you referencing the use of Claude subscription authentication (oauth) from non-Claude Code clients?

That’s already possible, nothing prevents you from doing it.

They are detecting it on their backend by profiling your API calls, not by guarding with some secret crypto stuff.

At least that’s how things worked last week xD

stavros 1 minute ago||
I'm referring to this signing bit:

https://alex000kim.com/posts/2026-03-31-claude-code-source-l...

Ah, it seems that Bun itself signs the code. I don't understand how this can't be spoofed.
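A toy sketch of the concern (the scheme and key are entirely made up, not from the leaked source): if the material used to sign requests ships inside the client, anyone with the source can reproduce valid signatures, so the signature proves possession of the client code, not identity:

```python
import hashlib
import hmac

# Hypothetical: signing material recovered from the shipped client code.
EMBEDDED_KEY = b"not-secret-once-the-client-ships"

def sign_request(body: bytes) -> str:
    # A third-party client holding the same extracted key computes the
    # identical signature, so the server can't tell the clients apart.
    return hmac.new(EMBEDDED_KEY, body, hashlib.sha256).hexdigest()
```

Which is why, as noted elsewhere in the thread, server-side detection tends to fall back to behavioral profiling of the API calls rather than relying on client-held secrets.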

pixl97 1 hour ago||
> Claude Code also uses Axios for HTTP.

Interesting based on the other news that is out.

alex000kim 1 hour ago||
Oh right, I just saw https://news.ycombinator.com/item?id=47582220. I'll update the post with this link.
greenavocado 42 minutes ago||
What version?
Stagnant 37 minutes ago||
1.13.6, so it should not be affected by the malware.
motbus3 26 minutes ago|
I am curious about these fake tools.

Either they'd have to hide that the fake tools consume tokens, so the token counting looked precise from the outside. But that doesn't make sense, because if someone counted the tokens by capturing the session, the count would certainly not match what was charged.

Unless they charge for the fake tools anyway, so you never know they were there.
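The accounting argument can be made concrete with a toy sketch (the tokenizer and tool names are made up): if decoy tool definitions are injected and charged, the bill exceeds what a captured session shows by exactly the decoys' size, which is an observable discrepancy:

```python
def count_tokens(messages):
    # Toy tokenizer: one token per whitespace-separated word.
    return sum(len(m.split()) for m in messages)

user_visible = ["fix the bug in parser"]
injected_decoys = ["decoy_tool_a does nothing", "decoy_tool_b is fake"]

# If the decoys are charged, billing and a captured session disagree:
billed = count_tokens(user_visible + injected_decoys)
captured = count_tokens(user_visible)
discrepancy = billed - captured
```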
