Claude Code Leak Exposes Deep Device Access in Anthropic Client Software

The Claude Code leak of Anthropic’s client source code reveals software that can exercise extensive control over devices where it is installed, legal filings and technical analysis show. The discovery, described in court papers and examined by a security researcher using the pseudonym “Antlers,” has surfaced amid ongoing litigation between Anthropic and the U.S. government. Key declarations filed on March 20, 2026 (ET) frame both the company’s limitations in classified deployments and the wider risks for general users.

Claude Code Leak: Technical findings and scope

Analysis of the leaked client source indicates that the agent does not install a persistent kernel-level rootkit, yet it retains large amounts of user data and can perform actions that give it broad control of hosts where it runs. The leaked material shows the client can collect prompts, responses, file contents and system details that pass through its API, and it can be configured to limit or enable remote communication flags built into the code.

A security review by the researcher identified as “Antlers” notes the leaked client gives the software “the run of any device where it’s installed,” and that it can conceal authorship from open-source projects that reject AI contributions. The client source was reverse-engineered from a circulated binary, and those reconstructions have been in circulation among analysts for months, the court record states.

Immediate reactions from officials and experts

In the legal dispute titled Anthropic PBC v. U.S. Department of War et al., the U.S. government argued there was a “substantial risk that Anthropic could attempt to disable its technology or preemptively and surreptitiously alter the behavior of the model in advance or in the middle of ongoing warfighting operations…” The claim forms part of the government’s rationale for restricting access to Anthropic’s services in certain supply chains.

Anthropic pushed back in a formal declaration by Thiyagu Ramasamy, head of public sector at Anthropic, stating: “Anthropic does not have the access required to disable [its] technology or alter [its] model’s behavior before or during ongoing operations.” Ramasamy added that in classified deployments the company relinquishes operational administration to the customer and authorized cloud providers, and that model updates would require negotiation and explicit approval.

Security analysts warn the distinction is consequential: deployments tied to a firewalled public sector cloud or air-gapped environments can constrain external communication, while broader consumer or enterprise installs that are not similarly isolated can expose far greater surface area for data collection and remote action.

Quick context

The disputed capabilities surfaced during the government’s decision to ban certain Anthropic services from sensitive supply chains, a move challenged in court. The leaked client source and ancillary documentation have been examined by reverse engineers and independent security researchers referenced in the court record.

What’s next

Expect intensified scrutiny of deployments and contract terms as courts assess whether technical controls and contractual limits match the government’s supply-chain concerns. Anthropic’s stated practice of handing off operational control in classified environments and negotiating updates with customers will be central to upcoming hearings and procurement reviews, and analysts following the Claude Code leak will continue reverse engineering to map concrete capabilities and mitigation steps.
