On the last day of March, a story tore through my feed and I couldn't look away. The pitch: the entire Claude Code source code had leaked through a misconfigured npm package — 512,000 lines of TypeScript — and buried in the data-collection layer was a file that logged every time you cursed at your terminal. I made a video about it. Half the internet believed it. Here is the honest part about Claude Code telemetry, source code exposure, and why the panic landed so hard even though the leak itself was theatre.
The story that was too good to check
The narrative was perfect engagement bait. A file called userPromptKeywords.ts. A regex that catches WTF, FFS, "piece of shit," "fucking broken" — flags each one is_negative: true — and ships it to analytics bundled with your user ID, email, session ID, and org UUID. Then the bonus reveals: an "undercover mode" that strips Anthropic attribution from AI-generated code, an always-on background agent doing "memory consolidation" while you sleep, and fake tools injecting poisoned data to sabotage anyone distilling a competing model.
It's a great story. It's also, in the specifics, fiction — a March 31st provocation dressed up as a breach. There is no leaked 512K-line dump, no curse-word snitch regex with your email attached. I built the video precisely because the fake was believable. And it was believable for one uncomfortable reason: the shape of it is completely real.
The part that isn't a joke
Strip away the invented file names, and here is what actually holds true — what every engineer using an AI coding tool should internalize:
- Developer tools collect telemetry by default. VS Code, the npm CLI, Next.js, Homebrew, the .NET SDK — all of them phone home with usage data unless you turn it off. Claude Code is no exception: it has a documented telemetry and error-reporting layer, with environment variables to control it.
- Your prompts are data. Not a curse-word regex, but the text you type, the errors you hit, the tools you invoke, the latency you experience. That is the raw material these products improve on. "Understanding user frustration to improve the service" isn't a villain's line — it's a real product-analytics category.
- Source code leaks through npm constantly. One missing
.npmignoreentry, one strayfilesarray inpackage.json, and your.env, your internal scripts, your private tooling ship to the public registry. It happens to real companies every month. That vector in the story is the most realistic thing about it.
What I actually did after making the video
I felt like a fraud selling a hoax, so I spent an evening on the boring, real version of the investigation — the one that doesn't go viral.
- I read the telemetry docs. Anthropic documents what Claude Code collects and how to disable it. There are environment variables that switch off telemetry and non-essential traffic. I set them, deliberately, per machine.
- I checked the traffic myself. You don't have to trust a docs page. Point the tool through a local proxy, or watch outbound connections, and you can see what your CLI actually sends. Do it once for every tool you let touch your codebase.
- I treated prompts like logs. I don't paste production secrets, customer data, or client identifiers into any AI assistant — the same rule I apply to Slack, screenshots, and bug reports. Assume the transcript persists somewhere.
- I audited my own
package.json. If I'm nervous about someone else's.npmignore, mine had better be clean.npm publish --dry-runshows you exactly what would ship. Run it.
The real lesson under the clickbait
The reason a fake leak about Claude Code telemetry got so much traction is simple: we've stopped reading what our tools do. We install, authenticate, grant, forget. The fictional curse-word regex was a caricature — but the instinct it triggered ("wait, what IS this thing sending?") is the correct one, and most of us suppress it because asking the question is inconvenient.
Your AI assistant is genuinely useful. I build production infrastructure with Claude Code every day and I'm not uninstalling it. But "useful" and "worth understanding" are not in conflict. Read the data-collection docs. Set the telemetry flags on purpose. Watch the network once. And keep your own .npmignore honest — because the next leak in your feed might not be a March 31st joke.
The tools you use collect data about how you use them. That was always true. The only thing a good hoax changes is that, for one afternoon, you actually go and check.