Analysis  ·  19 May 2026

Undercover Mode


Anthropic built a subsystem to prevent internal secrets leaking into public commits. Then they accidentally published everything around it. The brake belonged to someone else.
By Alan Wright  ·  The Haunted Lighthouse Limited  ·  Peel, Isle of Man

On 14 May 2026, a pull request landed in the Bun repository. One million lines of Rust, ported from Zig by Anthropic’s Claude Code, merged in a single commit. Bun’s creator, Jarred Sumner, was candid about the process — the team hadn’t been writing code themselves for months. The AI did it. The test suite passed. Ship it.

It is, by any measure, an impressive demonstration of what AI-assisted development can do at velocity. It is also, if you squint slightly, a demonstration of something Anthropic almost certainly didn’t intend to demonstrate.

A follow-up pull request — the housekeeping commit removing the 600,000-odd lines of Zig code the Rust port had replaced — was automatically closed by GitHub’s bulk activity tripwire. Too fast. Too large. Too automated for the runway. A platform Anthropic doesn’t control made a governance call about the output of the product Anthropic sells. Nobody from Anthropic appears to have found it worth addressing publicly.

That detail matters. But it is not the worst example of what happens when you build your infrastructure on someone else’s platform. For that, we need to go back six weeks.


On 31 March 2026, Anthropic pushed version 2.1.88 of the Claude Code package to the public Node Package Manager registry. Bundled with it was a 59.8 megabyte debugging artefact — a source map file that should never have shipped in a production build. The map file referenced a ZIP archive sitting in an Anthropic-owned cloud storage bucket, publicly accessible, no authentication required. Within hours, security researcher Chaofan Shou had spotted it, posted the link on X, and the entire 512,000-line TypeScript codebase — 1,906 files, internal model codenames, system prompts, unreleased feature flags — was mirrored across GitHub and permanently in the wild.

The mechanism was a confluence of failures. A missing exclusion line in the configuration file. A known open bug in the Bun bundler, filed eleven days before the incident, that generated source maps in production builds even when explicitly disabled. Anthropic had acquired Bun in December 2025 to serve as the core infrastructure powering Claude Code. Their own newly acquired toolchain contributed to exposing their own product. Anthropic’s official statement called it a release packaging issue caused by human error, not a security breach. That is accurate as far as it goes. It does not go very far.
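The kind of pre-publish check that would have caught both halves of this failure, as an added example that is not Anthropic’s, Bun’s or the Claude Code package’s own code: it audits the list of paths a tarball would contain (the shape `npm pack --dry-run` reports) and the contents of any `.map` file found, and fails on a source map in the package or a map whose references point outside it. The file list and map contents are constructed for illustration.

```javascript
// Added example (not Anthropic's, Bun's or Claude Code's own code): a pre-publish guard
// that fails on a source map in the tarball, or a map that points outside the package.
const EXTERNAL_REF = /^[a-z][a-z0-9+.-]*:\/\//i; // http(s)://, s3://, gs:// ...

// Source maps are debugging artefacts; none belong in a production tarball.
const findSourceMaps = (files) => files.filter((f) => /\.map$/i.test(f));

// Inspect one source map's JSON for leak-relevant content.
function auditSourceMap(mapJson) {
  let map;
  try { map = JSON.parse(mapJson); } catch { return [{ kind: "unparseable" }]; }
  const findings = [];
  const refs = [map.sourceRoot, ...(Array.isArray(map.sources) ? map.sources : [])];
  for (const r of refs) {
    if (typeof r === "string" && EXTERNAL_REF.test(r)) findings.push({ kind: "external-url", ref: r });
  }
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embedded = contents.filter((s) => typeof s === "string" && s.length > 0).length;
  if (embedded > 0) findings.push({ kind: "embedded-source", count: embedded });
  return findings;
}

// files: paths the tarball would contain (e.g. as listed by `npm pack --dry-run`);
// readFile: returns a file's contents by path. Returns { ok, problems }.
function auditPackage(files, readFile) {
  const problems = [];
  for (const f of findSourceMaps(files)) {
    problems.push({ file: f, kind: "sourcemap-in-tarball" });
    for (const finding of auditSourceMap(readFile(f))) problems.push({ file: f, ...finding });
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample (not the real package): a build that shipped cli.js.map by mistake.
const SAMPLE_FILES = ["package.json", "cli.js", "cli.js.map", "README.md"];
const SAMPLE_CONTENTS = {
  "cli.js.map": JSON.stringify({
    version: 3, mappings: "AAAA",
    sources: ["https://bucket.example.invalid/builds/source.zip", "src/index.ts"],
    sourcesContent: ["// constructed stand-in for internal source text", null],
  }),
};

const runSample = () => auditPackage(SAMPLE_FILES, (p) => SAMPLE_CONTENTS[p] ?? "");

console.log(JSON.stringify(runSample(), null, 2)); // ok: false, three problems
```

Wired into a `prepublishOnly` script, a non-zero exit from this check stops the publish before the registry ever sees the artefact, independently of whether the bundler honoured its own source-map setting.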

The code contained, among other things, a feature called Undercover Mode — a subsystem built specifically to prevent internal Anthropic secrets from appearing in public commits. They built a secrecy mechanism, then accidentally published everything around it.


What happened next is the piece.

Anthropic needed to contain the leak. They did not control the ledger. They could not hit a kill switch on their own infrastructure and isolate the breach. Instead, they filed a Digital Millennium Copyright Act takedown notice with GitHub — Microsoft’s platform, running Microsoft’s automated systems — instructing it to remove repositories containing the leaked code.

GitHub processed the notice against an entire fork network. The automated system swept up approximately 8,100 repositories. The vast majority contained no leaked code whatsoever. They were legitimate forks of Anthropic’s own public Claude Code repository — scaffolding, documentation, skill files, bug report forks. Developer Theo Browne, a paid Claude Code user, received an automatic Digital Millennium Copyright Act strike against a fork in which he had changed exactly one word in a skill file.

Boris Cherny, head of Claude Code at Anthropic, had to take to X to acknowledge the collateral damage. “This was not intentional, we’ve been working with GitHub to fix it. Should be better now.” Anthropic retracted the bulk of the notices within hours, narrowing enforcement to one repository and 96 forks that actually contained the leaked material.

While Anthropic’s lawyers were scrambling on a platform they didn’t control, the internet was already several steps ahead. Clean-room rewrites appeared the same day. Decentralised mirrors went live. The code was permanently in the wild regardless of what any Digital Millennium Copyright Act notice said or didn’t say.

The containment failed because the infrastructure was outsourced. When Anthropic needed to pull the emergency brake, the brake belonged to someone else.


There is a compounding irony that deserves its own paragraph.

Cherny confirmed that in the thirty days prior to the incident, 100 percent of his contributions to Claude Code had been written by Claude Code. The United States Copyright Office’s position is that AI-generated work does not carry automatic copyright protection. If the leaked code was substantially AI-generated — and Anthropic’s own people have implied as much — the legal basis for the Digital Millennium Copyright Act notices that took down 8,100 repositories was, at minimum, legally untested. Anthropic used Microsoft’s automated legal infrastructure to enforce an untested copyright claim over code their own AI may have written, on a platform their competitor runs, taking down repositories belonging to their own paying users in the process.


The alternative is not complicated. Forgejo is mature, actively maintained, and backed by the Sovereign Tech Fund — the European public sector body funding exactly this kind of critical open source infrastructure — precisely because self-hosted, auditable Git matters. Organisations with considerably fewer engineering resources than Anthropic run it without difficulty. It is not a frontier technology. It is a solved problem.

Self-hosted Git does not make Anthropic less American. It does not move their legal exposure one inch. What it does is put Anthropic’s tooling in charge of Anthropic’s process. Their rules. Their automated decisions. Their audit trail. Their emergency brake.

When a governance call gets made about a Claude Code commit, it should be made by infrastructure Anthropic wrote, runs, and is accountable for — not by a bulk activity tripwire on a platform owned by the company whose AI product competes directly with the one doing the committing.

There is a term for this in development culture: dogfooding. You use your own product. You live with its decisions. You feel its friction. It makes the product better and it makes the claim credible.

Anthropic sells Claude Code as the future of software development. The proposition is that AI-assisted development, done properly, is faster, more auditable, and more trustworthy than the alternative. It is a proposition worth taking seriously. It is also a proposition that currently rests on a foundation where the emergency damage control is outsourced to a competitor’s automated legal bot, and where that bot, when asked to act, took out 8,100 innocent repositories before anyone could stop it.

Anthropic does not need to escape American law. They need to own their ledger.


The pull request is still closed.

GitHub’s automated tripwire made its call, and the 600,000 lines of Zig that Claude Code’s Rust port was supposed to replace are still sitting in the repository, next to the million lines that replaced them, because the housekeeping commit moved too fast for the runway.

That is, in miniature, the entire argument. When you build the future of software development on someone else’s infrastructure, someone else decides when you are allowed to take out your own garbage.

You are selling auditable AI. Audit your own infrastructure. Commit to it.


Sources

The Register, “Anthropic’s Bun Rust rewrite merged at speed of AI”, 14 May 2026

The Register, “Anthropic accidentally exposes Claude Code source code”, 31 March 2026

TechCrunch, “Anthropic took down thousands of GitHub repos trying to yank its leaked source code”, 1 April 2026

InfoQ, “Anthropic Accidentally Exposes Claude Code Source via npm Source Map File”, 7 April 2026

VentureBeat, “Claude Code’s source code appears to have leaked”, 31 March 2026

Bun repository, commit 23427dbc12fdcff30c23a96a3d6a66d62fdc091d, 14 May 2026

Bun Issue #28001, oven-sh/bun, filed 11 March 2026

Boris Cherny (@bcherny) on X, 1 April 2026

Jarred Sumner (@jarredsumner) on X, May 2026


The Sovereign Auditor covers digital sovereignty, cybersecurity governance, and data protection policy -- with a particular focus on Isle of Man jurisdiction and Crown Dependency issues.
