You've probably seen the repo. "All telemetry removed, security-prompt guardrails stripped, all experimental features enabled." That description raises two questions in sequence: what actually changed, and what does "guardrails stripped" mean for a model that's already trained to behave a certain way?
The short answers: the changes are real but narrower than the framing suggests, and the model's behavior is not meaningfully different. Here's what free-code actually is, what it does and doesn't change, and what to check before running it.
What Happened on March 31, 2026
Version 2.1.88 of the @anthropic-ai/claude-code npm package shipped with a 59.8 MB JavaScript source map file (cli.js.map) that should never have been included. A source map is a debugging artifact that maps minified production JavaScript back to the original readable source. In this case, it also pointed directly to a publicly accessible Cloudflare R2 storage bucket containing the complete, unobfuscated TypeScript codebase.
Nobody had to exploit anything. The file was just there.
Security researcher Chaofan Shou (@Fried_rice), an intern at Solayer Labs, discovered it and posted a direct download link on X at approximately 4:23 AM ET. VentureBeat reported the post reached millions of views within hours. The codebase — approximately 512,000 lines of TypeScript across 1,906 files — was downloaded, mirrored to GitHub, and analyzed before Anthropic could respond.
Anthropic's official statement to The Hacker News and other outlets: "This was a release packaging issue caused by human error, not a security breach. No sensitive customer data or credentials were involved or exposed." The company confirmed it was rolling out measures to prevent recurrence — notably, this was the second similar incident, with a comparable source map leak having occurred with an earlier Claude Code version in February 2025, as InfoQ documented.
What the leak contained: the complete CLI agent harness, permission enforcement logic, telemetry architecture, system prompts, memory systems, and 88 feature flags — 54 of which, per the free-code README, compile cleanly. What it did not contain: model weights, training data, backend infrastructure, or customer credentials.
One important security note for this specific date: An unrelated npm supply-chain attack on the axios package was also active on March 31, 2026 between 00:21 and 03:29 UTC. Developers who installed or updated Claude Code via npm during that window may have pulled trojanized axios versions (1.14.1 or 0.30.4). If you did, audit your dependencies and rotate credentials. This attack was entirely unrelated to Anthropic and the source map leak.
What free-code Is
free-code (GitHub: paoloanzn/free-code) is a fork of the Claude Code CLI built from the leaked source snapshot. Its README describes it as "a clean, buildable fork of Anthropic's Claude Code CLI." The repo itself acknowledges the origin directly: "The original Claude Code source is the property of Anthropic. This fork exists because the source was publicly exposed through their npm distribution."
The fork makes three categories of changes to the upstream source:
Telemetry removal. The official Claude Code binary sends usage data through OpenTelemetry/gRPC, GrowthBook analytics, Sentry error reporting, and custom event logging. free-code dead-code-eliminates or stubs all outbound telemetry endpoints. GrowthBook feature flag evaluation still runs locally (needed for runtime feature gates) but does not report back to external servers.
Experimental features unlocked. Claude Code ships with 88 feature flags gated behind Bun compile-time switches. The public npm release has most of these disabled. free-code enables the 54 flags that compile cleanly. The README links to a FEATURES.md for the full audit. Flags that appear in community documentation include ULTRAPLAN, ULTRATHINK, BRIDGE_MODE, DAEMON, VOICE_MODE, AGENT_TRIGGERS, and MONITOR_TOOL.
Multi-provider support. free-code exposes five API providers via environment variable: Anthropic's API directly, OpenAI Codex, AWS Bedrock, Google Cloud Vertex AI, and a fifth configurable endpoint. Switching providers requires no code changes — set the corresponding environment variable and restart.
What is not changed. The underlying model's safety training is unaffected. Claude's trained behaviors — how it reasons, what it declines, its values — live in the model weights served by Anthropic's API, not in the CLI source code. What the fork removes are CLI-layer additions: telemetry calls and compile-time feature gates. The distinction matters: unlocking CLI features does not alter what the model itself will or won't do.
Repo status as of April 2026. The paoloanzn/free-code repository shows a notice: "Parent repo is migrating ownership, until the operation is done this repo is blocked." At the time of writing, the repo had accumulated significant stars and forks (current figures at github.com/paoloanzn/free-code). Multiple mirrors exist across GitHub — verify any mirror's provenance independently before cloning.
How to Install It
The README install command as of the time of writing:
curl -fsSL https://raw.githubusercontent.com/paoloanzn/free-code/main/install.sh | bashPer the README, this script: checks your system, installs Bun if needed, clones the repo, builds with all experimental features enabled, and symlinks free-code on your PATH. After installation, authenticate using the /login command with your preferred model provider.
Before running this: Verify the repository is accessible and the README install command matches what is shown above. The repo was in an ownership migration state as of early April 2026, and the install script URL depends on the main branch being active at that path.
The manual build path, also from the README:
git clone https://github.com/paoloanzn/free-code
cd free-code
bun install
bun run build:dev:full # builds with all experimental featuresTo enable specific flags selectively:
bun run ./scripts/build.ts --feature=ULTRAPLAN --feature=ULTRATHINKKey Limitations
The repo may not be stable. The ownership migration notice means the primary repository was in an undefined state as of April 2026. Any mirror you find may be outdated relative to the original, or may not be the original at all.
It does not sync with official Claude Code updates. free-code is a snapshot of version 2.1.88. When Anthropic ships new Claude Code versions with bug fixes, security patches, or capability improvements, free-code does not automatically receive those updates.
Experimental features may be experimental for good reasons. The 54 unlocked flags represent features that Anthropic had built but not shipped. Some may be stable. Others may be incomplete, interact unexpectedly with other features, or produce behavior that hasn't been tested at scale.
You still need an API key. free-code is a CLI tool. The model inference still runs on whichever provider's API you configure. It does not give you free access to Claude — it gives you a different client for the same APIs you would otherwise use.
Model safety behavior is unchanged. This is worth repeating clearly because some community descriptions frame free-code as "guardrails stripped." What is stripped is the CLI-level system prompt injection that Anthropic adds for certain contexts. The model's trained disposition — what Claude itself will and won't do — is not affected by changes to the CLI layer. Anyone expecting meaningfully different model behavior will find the actual differences much narrower than the framing suggests.
Legal and Ethical Context
The free-code README is direct about the situation: the original source is Anthropic's property. It exists in this fork because Anthropic accidentally made it publicly accessible. Anthropic has issued DMCA takedowns against mirrors of the leaked code. Some repositories have been removed; others remain accessible across forks and decentralized mirrors.
Using leaked proprietary software is legally distinct from using open-source software, regardless of how the code became publicly available. Anthropic's code was not published under any open-source license. The leak does not change its licensing status. This article describes what free-code is — it does not constitute legal advice, and the licensing situation is something each organization should evaluate independently if it's relevant to their context.
There is a separate security risk worth stating plainly: Zscaler's ThreatLabz team identified multiple repositories distributing trojanized versions of forked Claude Code, including one delivering Vidar Stealer and GhostSocks malware through a Rust-based dropper. Their published research documents active campaigns seeding fake "Claude Code leak" repositories to exploit developer interest in the story. If you are evaluating free-code or any Claude Code fork: verify you are looking at the known repository (paoloanzn/free-code or its documented mirrors), not a lookalike. Running install scripts from unverified sources is how these infections happen.
FAQ
Does free-code give you access to Claude for free?
No. You still need an Anthropic API key (or an account with one of the other supported providers). free-code is a client-side CLI tool — it changes how you interact with the API, not whether you pay for it.
What are the 54 experimental features that get unlocked?
The README points to a FEATURES.md for the full list. Commonly cited examples in community coverage include ULTRAPLAN, ULTRATHINK, BRIDGE_MODE, DAEMON mode, VOICE_MODE, and AGENT_TRIGGERS. These are compile-time flags that were present in the Claude Code codebase but disabled in the public npm release. Their stability and behavior in practice varies — they are experimental for a reason.
Is the model's safety training affected?
No. Claude's values, refusals, and reasoning patterns are properties of the model weights served by Anthropic's API. They are not properties of the CLI code. free-code removes CLI-level telemetry and enables CLI-level feature flags. It does not — and cannot — modify how the underlying model responds.
Will Anthropic take down the free-code repository?
Anthropic has issued DMCA takedowns against mirrors of the leaked source. Whether any specific repository remains accessible depends on GitHub's response to those notices and the repository owner's actions. As of early April 2026, paoloanzn/free-code was publicly accessible but flagged as migrating ownership.
Is it safe to install?
The primary risk is installing a lookalike repository rather than the actual one. Zscaler has documented active campaigns distributing malware through fake "leaked Claude Code" repositories. Verify you have the correct repository URL before running any install script. Beyond that, you are building and running code from a source that is not maintained by Anthropic and does not receive official security updates.
Conclusion
free-code is a CLI fork built from Anthropic's accidentally leaked Claude Code source. It removes telemetry and unlocks experimental feature flags that were present in the codebase but disabled in the public release. The underlying model behavior is not meaningfully altered. The code remains Anthropic's proprietary property regardless of how it became available, the repository's continuity is uncertain while an ownership migration is in progress, and the surrounding ecosystem includes active malware distribution through fake forks. For teams evaluating whether to use it: the realistic use case is developers who want zero telemetry and access to unshipped CLI features — not a fundamentally different coding agent.
Related Reading
- Claw Code: Claude Code, OpenClaw, and What Each Actually Does — The broader Claude Code ecosystem, including OpenClaw and Claude Code Max pricing, explained.
- LLM Knowledge Base for Coding Agents: Beyond RAG — How to structure persistent context for coding agents, applicable regardless of which Claude Code client you use.
- Claude Code vs Verdent: Multi-Agent Architecture Compared — For teams evaluating coding agent infrastructure beyond the CLI layer.
- What Is G0DM0D3? — Another tool in the open-source AI tooling space, with a similar "run your own multi-model interface" premise.
- godmod3 Review 2026 — A tested review of a different open-source AI tool, for comparison on the tradeoffs of unofficial tooling.
