Anthropic Accidentally DMCA'd 8,100 GitHub Repos After Claude Code Source Leak

Anthropic DMCA Takedown of 8100 GitHub Repositories After Claude Code Leak

Anthropic found itself at the center of a developer controversy after its attempt to clean up a source code leak resulted in the mass takedown of 8,100 GitHub repositories. The incident started when Anthropic accidentally published its internal Claude Code source code in an npm package, then filed DMCA notices that swept up thousands of innocent repos — including legitimate forks of its own public repository.

How the Leak Happened

On March 31, 2026, Anthropic pushed version 2.1.88 of its Claude Code npm package. Buried in the update was a 60-megabyte source map file containing approximately 513,000 lines of unobfuscated TypeScript across 1,906 internal files.

This was not a hack. It was a packaging error — someone forgot to exclude the source map from the published npm bundle. Within hours, developers noticed the exposed code and began forking and mirroring it on GitHub.

The DMCA Overreaction

Anthropic's response was swift but heavy-handed. The company filed DMCA takedown notices with GitHub to remove copies of the leaked code. But because GitHub's fork network structure links repositories together, the takedown request cascaded:

  • Anthropic claimed that most forks infringed to the same extent as the parent repository
  • GitHub disabled the entire fork network of over 8,100 repositories
  • The sweep caught legitimate forks of Anthropic's own public Claude Code repo — repositories that contained only skills, examples, and documentation
  • Developer Danila Poyarkov received a takedown notice for simply forking the public repo

The irony was thick: Anthropic was actively encouraging developers to build with Claude Code, while simultaneously sending DMCA notices to developers who had forked the public project.

The Retraction

After developer backlash, Anthropic engineer Boris Cherny acknowledged the overreach: "This was not intentional, we've been working with GitHub to fix it. Should be better now."

Anthropic retracted the bulk of the DMCA notices, narrowing the takedown to one repository and 96 forks that actually contained the accidentally released source code. The remaining 8,000+ repos were restored.

What Was in the Leaked Code?

The leaked source revealed Claude Code's internal architecture:

  • The full TypeScript codebase for the CLI tool
  • Internal prompt structures and system messages
  • Tool implementation details
  • Agent orchestration logic

Security researchers noted that while the code itself was not a security risk, it provided significant insight into how Anthropic builds its agentic AI products.

Lessons for the Industry

This incident highlights several ongoing issues in the tech industry:

Issue What Happened
npm security Source maps and internal files shipped in production packages
DMCA abuse Broad takedown requests affecting thousands of innocent repos
GitHub fork networks Single DMCA can cascade to thousands of linked repos
Developer trust Legitimate contributors caught in legal crossfire

Bottom Line

Anthropic made two mistakes: first, accidentally leaking its source code through an npm packaging error; second, filing overly broad DMCA takedowns that punished innocent developers. To their credit, they retracted the notices quickly. But the incident is a reminder that even AI safety-focused companies can stumble badly on basic software engineering practices and legal overreach. For the 8,000+ developers whose repos were briefly taken offline, "sorry, it was an accident" is cold comfort.