Anthropic's DMCA Shotgun Blast: How a Packaging Error Led to 8,100 GitHub Repos Going Dark
On March 31, 2026, someone at Anthropic forgot to add *.map to a .npmignore file. That single omission published a 59.8 MB JavaScript source map inside version 2.1.88 of the @anthropic-ai/claude-code npm package, exposing roughly 512,000 lines of proprietary TypeScript across nearly 1,900 files [1][6]. Within hours, copies of the source code were proliferating across GitHub. What happened next — a DMCA takedown that disabled 8,100 repositories, most of them unrelated to the leak — turned a self-inflicted packaging error into one of the largest collateral-damage incidents in GitHub's history.
The Leak: A Missing Line in a Config File
Security researcher Chaofan Shou was the first to publicly flag the exposure on X, noting that Claude Code's source code was accessible through a source map file bundled in the npm registry [6]. Source maps are development artifacts that link minified, bundled JavaScript back to its original source. In production releases, they are routinely excluded. Anthropic did not exclude them.
Boris Cherny, Anthropic's head of Claude Code, later confirmed the root cause: "a plain developer error" [2]. A routine update to Claude Code had shipped with an internal debug file that pointed to a zip archive containing the full, unobfuscated source [3]. Anthropic described it as "a release packaging issue caused by human error, not a security breach" [6].
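The two checks below are an added example, not Anthropic's code or anything from the Claude Code repository: a pre-publish gate that rejects an npm tarball containing the kind of artifact described above, and a function that measures how much original source a map embeds. The sample `npm pack` manifest and source map are constructed; the manifest shape (a list with a `files` array of `{path, size}`) is assumed to match `npm pack --dry-run --json`.

```python
# Added example (not Anthropic's code): a pre-publish gate for the packaging
# error described above, plus a measure of what a shipped source map exposes.
import fnmatch
import json

# Build artifacts that must never reach a production registry.
FORBIDDEN_PATTERNS = ("*.map", "*.tsbuildinfo")

# Constructed sample, shaped like the JSON printed by `npm pack --dry-run --json`
# (a list of tarball summaries, each with a "files" list of {path, size}).
SAMPLE_PACK_JSON = json.dumps([{
    "name": "@example/cli", "version": "0.0.0",
    "files": [
        {"path": "package.json", "size": 512},
        {"path": "cli.js", "size": 1_800_000},
        {"path": "cli.js.map", "size": 59_800_000},
    ],
}])

# Constructed source map: with "sourcesContent" populated, every original
# file is embedded verbatim, which is what turns a map into a source leak.
SAMPLE_SOURCE_MAP = json.dumps({
    "version": 3,
    "sources": ["src/tools/bash.ts", "src/permissions.ts"],
    "sourcesContent": ["export const a = 1;\nexport const b = 2;\n", "x\ny\nz\n"],
    "mappings": "AAAA",
})


def find_forbidden(pack_json: str) -> list:
    """Return (path, size) for every packed file matching a forbidden pattern."""
    hits = []
    for tarball in json.loads(pack_json):
        for entry in tarball.get("files", []):
            path = entry["path"]
            if any(fnmatch.fnmatch(path, pat) for pat in FORBIDDEN_PATTERNS):
                hits.append((path, entry.get("size", 0)))
    return hits  # empty list means the tarball is clean


def exposed_sources(source_map_json: str) -> dict:
    """Map each original file embedded in the source map to its line count."""
    smap = json.loads(source_map_json)
    contents = smap.get("sourcesContent") or []  # absent: only file names leak
    return {
        name: src.count("\n") + (0 if src.endswith("\n") else 1)
        for name, src in zip(smap.get("sources", []), contents)
        if src is not None
    }
```

Run `find_forbidden` over the real `npm pack --dry-run --json` output from a `prepublishOnly` script and fail the publish on any hit. Note that an allow-list `files` field in package.json takes precedence over `.npmignore`, so it is the more robust control: a forgotten deny-list entry cannot widen it.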
The exposed code was not model weights or safety-critical training infrastructure. It was the agentic harness — the orchestration layer that wraps the underlying Claude model, instructing it on tool usage, managing permissions, and enforcing behavioral guardrails [5]. But the leak was far from trivial. The source revealed 44 unreleased feature flags, an internal background daemon codenamed "KAIROS," a "persistent assistant" mode, references to an unreleased model variant called "Capybara," and an internal feature labeled "Undercover Mode" designed to prevent Claude from disclosing Anthropic's proprietary details [7][10].
A Pattern, Not an Isolated Incident
The npm leak landed just five days after a separate misconfiguration had exposed roughly 3,000 internal files from an unsecured data store, including details about an unreleased model called "Mythos" and logistics for an exclusive CEO event [9]. Two accidental disclosures in seven days raised pointed questions about operational controls at a company valued at approximately $350 billion and reportedly considering an IPO in Q4 2026 [11].
Fortune characterized it as "a second major security breach" [9]. A Medium analysis titled "Three 'Accidents' in Seven Days" asked whether Anthropic's pre-IPO posture amounted to "transparency theater or just bad luck" [11].
The Takedown: 8,100 Repos Disabled
As copies of the leaked code spread across GitHub, Anthropic moved fast. On March 31, the company filed a DMCA takedown notice with GitHub targeting a repository at github.com/nirholas/claude-code — an account that had uploaded the leaked source [4]. The notice, now public in GitHub's DMCA repository, declared that "the entire repository is infringing" and asserted that "all or most of the forks were infringing to the same extent as the parent repository" [4].
That assertion triggered a critical mechanism in GitHub's DMCA enforcement system. When a takedown notice claims an entire fork network is infringing, and the network exceeds 100 repositories, GitHub disables the entire network rather than evaluating each fork individually [2][4]. The result: approximately 8,100 repositories went dark, including legitimate forks of Anthropic's own publicly released Claude Code repository — forks that contained contributions, pull requests, and personal modifications with no connection whatsoever to the leaked proprietary source [1][2].
The Collateral Victims
The fallout was immediate and personal. Developer Theo Browne (known as t3.gg), a prominent tech YouTuber, found his Claude Code fork disabled even though it contained nothing from the leaked source — only a pull request where he had edited a skill file. "This is an actual violation of the DMCA. Anthropic just broke the law," he posted on X [8].
Developers Danila Poyarkov and Daniel San reported similar experiences: their forks, created from Anthropic's own public repository, were taken down without any review of their contents [8]. Gergely Orosz, author of the widely read Pragmatic Engineer newsletter, called it "DMCA abuse," writing that it is "neither OK, nor legal to file a DMCA takedown for something that breaks no copyright" [8].
The disruption extended beyond inconvenience. Developers working on time-sensitive projects reported broken CI/CD pipelines and interrupted deployments [3]. For repositories that served as dependencies for other projects, the takedown created cascading failures. The exact scope of downstream breakage remains unclear, but multiple developers reported having to scramble to restore access to their own code.
The Retraction
Within roughly 24 hours, Anthropic filed a partial retraction with GitHub [12]. The retraction withdrew the notice from all but the original nirholas/claude-code repository and 96 specific forks individually listed in the original filing that contained actual copies of the leaked source [2][12]. Cherny acknowledged the overreach publicly: "This was not intentional, we've been working with GitHub to fix it" [8].
GitHub restored access to the affected repositories. But the retraction notice itself offered minimal explanation — no apology, no acknowledgment of the scope of disruption, and no mention of remediation for affected developers [12]. As of publication, Anthropic has not announced any compensation process or formal outreach to the thousands of developers whose repositories were temporarily disabled.
How GitHub's DMCA System Failed
The incident exposed a structural weakness in how GitHub processes DMCA takedowns. Under Section 512 of the Digital Millennium Copyright Act, platforms like GitHub qualify for "safe harbor" protection from copyright liability if they "expeditiously" remove material upon receiving a valid takedown notice [14]. In practice, this creates a strong incentive for platforms to act quickly and ask questions later.
GitHub's policy compounds this for fork networks. When a claimant asserts that an entire fork tree is infringing, GitHub's semi-automated system can disable thousands of repositories in a single action without individually verifying whether each fork actually contains the claimed material [4]. There is no pre-takedown review for proportionality. The burden falls on affected developers to file counter-notices — a process that can take 10 to 14 business days [13].
GitHub reformed its DMCA process once before, after the 2020 youtube-dl incident. The Recording Industry Association of America had filed a takedown against the popular download tool, not because it contained copyrighted material, but because it could theoretically be used to circumvent digital protections [15]. After significant backlash, GitHub reinstated the repository, committed to expert review of Section 1201 claims, and donated $1 million to a developer defense fund [15].
But those reforms were narrowly targeted at Section 1201 circumvention claims. The Anthropic takedown was a standard Section 512 notice — exactly the type of claim that GitHub's system is designed to process automatically and at scale. No expert review was triggered. No proportionality check was applied.
Legal Exposure and Developer Recourse
Under 17 U.S.C. § 512(f), anyone who "knowingly materially misrepresents" that material is infringing in a DMCA notice can be held liable for damages [14]. The question is whether Anthropic's blanket assertion that "all or most" forks infringed meets that threshold. A plausible defense for Anthropic is that it did not intend to take down legitimate forks — it targeted a specific infringing repository and the fork network mechanism swept more broadly than anticipated. But intent and knowledge are distinct legal concepts, and Anthropic signed a notice asserting infringement across a network it had not individually reviewed.
Affected developers could theoretically pursue claims for lost access, broken deployments, or reputational harm from having their repositories flagged as infringing. In practice, individual damages are likely small enough to make litigation impractical without a class action or organized legal effort. No such effort has been publicly announced.
The Case for Aggressive Action
There is a reasonable counter-argument to the criticism Anthropic has faced. The leaked code represented the full architecture of a product generating an estimated $2.5 billion in annualized recurring revenue [11]. Competitors could reverse-engineer the agentic harness to improve their own products [5]. Security researchers — and less benign actors — gained a roadmap for bypassing Claude Code's permission prompts and guardrails [5].
Within hours of the leak, developers were using AI tools to rewrite the functionality in other languages like Rust and Python, explicitly to preserve the information while avoiding copyright claims [7]. One programmer stated their effort aimed at "keeping the information available without risking a takedown" [7]. The code was spreading fast, and Anthropic had a narrow window to act.
In this context, filing a broad DMCA notice — even one that swept too wide — may have been a calculated trade-off: accept the blowback from overreach in exchange for limiting the spread of proprietary source code before competitors and bad actors could fully exploit it. The alternative — carefully vetting each of 8,100 repositories before taking action — would have given the leaked material more time to proliferate.
Whether this trade-off was legally defensible is a separate question from whether it was strategically rational. Anthropic may face lawsuits. It has certainly faced reputational damage. But the company also managed to retract the overbroad notice within a day and limit the final takedown to 97 repositories that actually contained the leaked code.
The Streisand Effect and Its Limits
Multiple commentators invoked the Streisand Effect — the idea that attempting to suppress information only draws more attention to it [7]. Slashdot commenters noted the irony of "a company whose business is built on other people's works" aggressively enforcing copyright [7]. Developers pointed out that clean-room reimplementations in other languages likely fall outside copyright protection, meaning the functional knowledge Anthropic tried to contain is now permanently public in a form the company cannot legally challenge.
But the Streisand Effect has limits. While the knowledge embedded in the leaked code is now widely distributed, the actual proprietary TypeScript source — the specific implementation details, the exact prompt engineering, the precise orchestration logic — has been substantially contained. The 96 forks that remained targeted after the retraction represented the direct copies. The functional reimplementations, while informed by the leak, are not identical copies.
What Comes Next
The incident has reopened a policy debate about whether DMCA Section 512's notice-and-takedown framework is adequate for the AI era. Academic proposals for an "AI harbour" — a standalone set of liability protections with role-specific duties for data suppliers, model developers, and deployers — have gained attention in legal scholarship [14]. The U.S. Copyright Office's ongoing Section 512 study has flagged concerns about the current system's susceptibility to abuse in bulk takedown scenarios [14].
For GitHub, the incident is a stress test of its intermediary role. The platform processed the takedown exactly as its system is designed to work — and the result was 8,000 developers losing access to their own code. Whether GitHub should be required to verify the accuracy and proportionality of bulk takedown requests before executing them is a question the platform has so far declined to address.
For Anthropic, the fallout is manageable but not costless. The company's security practices are under scrutiny at a sensitive moment ahead of a potential IPO [11]. The DMCA overreach, while quickly corrected, handed critics a talking point about corporate recklessness. And the underlying leak — 512,000 lines of source code for the company's flagship developer tool — remains the more significant long-term problem, with the full architecture of Claude Code now studied, discussed, and reimplemented across the open-source ecosystem.
The missing .npmignore entry has been fixed. The harder problems have not.
Sources (15)
- [1] Anthropic took down thousands of GitHub repos trying to yank its leaked source code (techcrunch.com)
Anthropic accidentally caused thousands of code repositories on GitHub to be taken down. The notice was executed against some 8,100 repositories including legitimate forks.
- [2] Anthropic's Takedown Hit 8,100 GitHub Repos by Mistake (implicator.ai)
Boris Cherny confirmed the DMCA notices sent to legitimate forks were unintentional, retracted the bulk of notices limiting to one repo and 96 forks.
- [3] Anthropic's Claude Code source code got accidentally leaked (qz.com)
A file used internally for debugging was accidentally bundled into a routine update and pushed to the public npm registry.
- [4] DMCA Notice: 2026-03-31 Anthropic (github.com)
Anthropic's DMCA notice targeting github.com/nirholas/claude-code and approximately 8,100 fork repositories, claiming the entire repository is infringing.
- [5] In the wake of Claude Code's source code leak, 5 actions enterprise security leaders should take now (venturebeat.com)
The leak exposed the agentic harness orchestration logic, allowing attackers to design attacks tailored to bypass security guardrails and permission prompts.
- [6] Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms (thehackernews.com)
Security researcher Chaofan Shou first flagged the exposure. Anthropic confirmed it was a release packaging issue caused by human error.
- [7] Anthropic Issues Copyright Takedown Requests To Remove 8,000+ Copies of Claude Code Source Code (slashdot.org)
Developers used AI tools to rewrite the functionality in Rust and Python to avoid takedown notices. Commenters noted the Streisand Effect and copyright irony.
- [8] Theo - t3.gg on X: This is an actual violation of the DMCA (x.com)
Developer Theo Browne's fork contained no leaked source code — only a PR editing a skill file — yet was taken down. Gergely Orosz called it DMCA abuse.
- [9] Anthropic leaks its own AI coding tool's source code in second major security breach (fortune.com)
The Claude Code leak came five days after a separate CMS misconfiguration exposed details on the unreleased Mythos model.
- [10] Anthropic accidentally exposes Claude Code source code (theregister.com)
Version 2.1.88 of the Claude Code npm package contained a source map file exposing nearly 2,000 TypeScript files and more than 512,000 lines of code.
- [11] Claude Code's 512,000-Line Leak Rattles Anthropic's $350 Billion IPO Ambitions (finance.yahoo.com)
The leaked code represents the full architecture of a product generating an estimated $2.5B in annualized recurring revenue, ahead of a rumored Q4 2026 IPO.
- [12] DMCA Retraction: 2026-04-01 Anthropic (github.com)
Anthropic's partial retraction withdrawing the notice from all but the original repository and 96 individually listed forks, requesting GitHub reinstate all other disabled repos.
- [13] DMCA Takedown Policy - GitHub Docs (docs.github.com)
GitHub's DMCA policy describes the platform's process for handling takedown notices, including fork network handling and counter-notice procedures.
- [14] From safe harbours to AI harbours: reimagining DMCA immunity for the generative AI era (academic.oup.com)
Academic proposal for standalone AI liability protections with role-specific duties, as Section 512 safe harbors were built for a passive intermediary model.
- [15] GitHub Reinstates youtube-dl After RIAA's Abuse of the DMCA (eff.org)
After the 2020 youtube-dl takedown, GitHub reformed its Section 1201 review process and donated $1M to a developer defense fund.