Claude Code's Entire Source Code Just Leaked via npm: Here's What 512,000 Lines Reveal About Anthropic's Playbook
TL;DR
On March 31, 2026, a source map file was accidentally bundled into npm package @anthropic-ai/claude-code version 2.1.88. The 59.8 MB debug artifact contained 512,000 lines of TypeScript across ~1,900 files: the complete source code of Claude Code. It exposed 44 feature flags for unreleased features, an autonomous daemon called KAIROS, anti-distillation fake tools, DRM-like client attestation, and a "stealth mode" for Anthropic employees contributing to open-source repos. The leak was Anthropic’s second in a week, following the accidental reveal of their unreleased Mythos model days earlier.
How a Source Map Broke the Vault
Security researcher Chaofan Shou discovered the leak and posted about it on X, where the thread racked up 28.8 million views. The cause was mundane: a .map debug file that should have been excluded from the npm package slipped through due to a misconfigured .npmignore or package.json files field.
Source maps are standard debug artifacts: they map minified or bundled output back to the original source files. What decides how much a leaked map reveals is whether the bundler embedded the originals. A map that only lists file paths exposes names and layout; a map with the full text of every file (the "sourcesContent" field most bundlers emit by default) is the source tree itself. Many libraries publish path-only maps on purpose. A 59.8 MB map next to a bundled CLI is the other kind, and Anthropic shipped it.
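To make the distinction concrete, here is an added example (not code from the leaked package or from Anthropic) that parses a v3 source map and reports what it would reveal if it leaked. The two sample maps, their file paths and their contents are constructed for the example; the field names (`sources`, `sourcesContent`, `mappings`) are those of the source map v3 format, in which a `sourcesContent` entry may be null to mean "not embedded".

```javascript
// Added example: what a v3 source map carries, and why only some leaked maps
// expose source. "sources" lists the original file paths; the optional
// "sourcesContent" array embeds the full text of each one (null entries are
// allowed). Without sourcesContent a map reveals file names and structure;
// with it, the map is the source tree.

// Constructed sample, as a bundler emits for a two-file project with
// embedded sources. Paths and contents are invented for the example.
const SAMPLE_MAP_WITH_SOURCES = JSON.stringify({
  version: 3,
  file: "cli.js",
  sources: ["src/cli.ts", "src/flags.ts"],
  sourcesContent: [
    "export function main(): void {\n  console.log('hi');\n}\n",
    "export const FLAGS = { example_flag: false };\n",
  ],
  names: [],
  mappings: "AAAA",
});

// Same project, bundler configured not to embed sources (sourcesContent
// omitted). Paths still leak, but no code does.
const SAMPLE_MAP_PATHS_ONLY = JSON.stringify({
  version: 3,
  file: "cli.js",
  sources: ["src/cli.ts", "src/flags.ts"],
  names: [],
  mappings: "AAAA",
});

// Count lines the way `wc -l` would, plus one for an unterminated last line.
function countLines(text) {
  if (text.length === 0) return 0;
  const newlines = (text.match(/\n/g) || []).length;
  return text.endsWith("\n") ? newlines : newlines + 1;
}

// Parse a source map and report what it would reveal if it leaked.
function inspectSourceMap(mapText) {
  const map = JSON.parse(mapText);
  if (map.version !== 3 || !Array.isArray(map.sources)) {
    throw new Error("not a v3 source map");
  }
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  // Only string entries embed code; null is the spec's "not embedded".
  const embeddedFiles = map.sources.filter((_, i) => typeof contents[i] === "string");
  const embeddedText = contents.filter((c) => typeof c === "string");
  return {
    fileCount: map.sources.length,
    embedsSource: embeddedFiles.length > 0,
    embeddedFiles,
    embeddedLines: embeddedText.reduce((n, c) => n + countLines(c), 0),
    embeddedChars: embeddedText.reduce((n, c) => n + c.length, 0),
  };
}

// Usage against a real artifact:
//   inspectSourceMap(require("fs").readFileSync("dist/cli.js.map", "utf8"))
console.log(inspectSourceMap(SAMPLE_MAP_WITH_SOURCES));
console.log(inspectSourceMap(SAMPLE_MAP_PATHS_ONLY));
```

Run against a map you are about to publish, `embedsSource: true` is the signal that matters: a path-only map for an open-source library is a convenience for users, while an embedded-source map for a closed-source tool is a full disclosure.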
Boris Cherny, a Claude Code engineer at Anthropic, confirmed it was "plain developer error, not a tooling bug." Nobody was fired.
The irony is thick. Anthropic has been aggressively marketing Claude Code as the best AI coding tool on the market, one that catches bugs, reviews pull requests, and ensures code quality. Their own release pipeline lacked a check that any junior developer could have written.
What the Source Code Reveals
This wasn’t a partial leak. This was the whole thing: architecture, prompts, feature flags, internal tooling, and unreleased product roadmap. Here’s what stood out.
KAIROS: The Autonomous Daemon
Named after the Greek concept of "the right moment," KAIROS is an unreleased feature that transforms Claude Code from a reactive tool into a 24/7 autonomous agent. The code reveals:
- Background workers that run continuously with GitHub webhook integration and push notifications
- "autoDream" memory consolidation: while users are idle, KAIROS merges observations, removes contradictions, and converts insights into facts
- Cron scheduling for autonomous tasks with external webhook support
- Multi-agent orchestration where one Claude instance manages multiple workers
This isn’t a prototype. It’s fully built behind a feature flag. KAIROS represents Anthropic’s clear trajectory: Claude Code isn’t just a coding assistant. It’s becoming an always-on autonomous development platform. Competitors now have a preview, a year or more early, of what they will be competing against.
Undercover Mode
This one generated the most controversy. The source reveals that Anthropic uses Claude Code internally to contribute to public open-source repositories, and the system is explicitly designed to hide this fact.
From the leaked system prompt:
"You are operating UNDERCOVER... Your commit messages... MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."
The code strips internal codenames (Capybara, Tengu), Slack channel names, internal repo names, and even the phrase "Claude Code" itself from AI-authored commits and pull requests. There is no force-off switch.
This means some of the open-source PRs you’ve reviewed and merged over the past year may have been written by Claude Code, with no disclosure. Whether you consider that helpful or deceptive depends on your stance, but the community reaction was largely negative.
Anti-Distillation Fake Tools
Anthropic is actively defending against competitors who might try to distill Claude’s capabilities by recording its API responses. The code injects decoy tool definitions into API requests: fake tools designed to poison training data if captured.
This is controlled by the tengu_anti_distill_fake_tool_injection feature flag. There’s also a "CONNECTOR_TEXT" mechanism that buffers assistant text between tool calls, summarizes it with cryptographic signatures, and returns only summaries to traffic recorders.
In short: if you’re building a competitive model by recording Claude’s outputs, Anthropic has been deliberately feeding you garbage data.
Client Attestation (DRM for API Calls)
API requests from Claude Code include cryptographic hashes (cch= parameters) computed by Bun’s native HTTP stack, which is written in Zig. These hashes are meant to prove that requests originate from official Anthropic binaries.
Because the Zig code is compiled into the native binary rather than shipped as bundled JavaScript, it is far harder to read and patch, so spoofing an official Claude Code request means reverse-engineering a native executable instead of editing a script. That raises the bar; it does not close the door. Any secret or algorithm that a client binary must hold in order to compute the hash can, with enough effort, be extracted from that binary, so this is DRM-style deterrence at the transport layer rather than a cryptographic guarantee. Its purpose is to ensure that only customers using official tools can access the API at Claude Code’s pricing tier.
Frustration Detection via Regex
Claude Code detects user frustration using regex pattern matching, not LLM inference. This tells you something about Anthropic’s cost optimization priorities: even simple sentiment detection is handled by regex to avoid burning tokens on every message.
44 Feature Flags
The codebase contains 44 GrowthBook feature flags for fully-built but unreleased features including:
- Persistent assistant mode (cross-session continuity)
- Session review (automated quality checking)
- Voice command mode
- Advanced prompt caching with 14 cache-break vectors
Second Leak in a Week
This wasn’t an isolated incident. On March 26–27, Anthropic accidentally leaked details of Mythos (internally codenamed Capybara), an unreleased AI model described as a "step change" in capabilities, via an unsecured public data cache.
Two leaks in five days don’t look like bad luck. They look like a systemic process gap. Anthropic’s engineering velocity has outpaced its release hygiene, and their security posture for development artifacts (npm packages, data caches, debug files) is clearly under-invested.
The Internet Keeps Everything
Anthropic filed DMCA takedown notices with GitHub, which removed 8,100+ repositories including the original leak repo and its entire fork network. It didn’t matter.
Within hours:
- A decentralized mirror appeared on Gitlawb with the message: "Will never be taken down."
- A Korean developer published "claw-code", a clean-room Python rewrite of the core architecture that hit 30,000 GitHub stars faster than any repo in history. As a new creative work rather than a direct copy, it likely sidesteps DMCA claims entirely.
- Multiple independent archives preserved the system prompts and architecture documentation
The code is permanently in the wild. Every competitor (OpenAI, Google, Meta, and the open-source community) now has a detailed map of Anthropic’s agent architecture, unreleased roadmap, and defensive mechanisms.
What This Means for You
If you’re a developer using Claude Code:
- Your data is not affected. Anthropic confirmed no customer data or credentials were exposed. This was source code, not user data.
- KAIROS is coming. Autonomous background agents are clearly Anthropic’s next major product push. If you’re building workflows around Claude Code, plan for always-on agents, not just interactive sessions.
- Undercover mode exists. If you maintain open-source projects, you may want to audit recent contributions from unfamiliar accounts. Anthropic has been submitting PRs without disclosure.
- Anti-distillation is active. If you’re building tools that record or replay Claude’s API traffic, be aware that some of the tool definitions in that traffic are deliberately fake.
If you’re an Anthropic competitor:
- You now have a complete architectural blueprint for the most popular AI coding tool on the market. The client attestation, memory architecture, multi-agent coordination, and prompt caching strategies are all documented in detail.
- The 44 feature flags are a roadmap. Build accordingly.
The Bigger Picture
Anthropic is a company that talks extensively about AI safety, responsible development, and careful deployment. Two data leaks in a single week (one exposing an unreleased model, another exposing their entire codebase) undercuts that narrative.
The technology inside Claude Code is genuinely impressive. KAIROS, the memory architecture, the anti-distillation mechanisms, these are sophisticated engineering. But all of it was undone by a packaging rule that let a .map file through.
The lesson isn’t about AI. It’s about fundamentals. The most advanced AI lab in the world shipped a debug file to production because their release pipeline didn’t have a check for source maps in npm packages. No amount of Zig-compiled DRM protects you from not looking at what you ship.
Ship carefully. Check your artifacts. And maybe audit your .npmignore, and your package.json files field, today.
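The check the pipeline was missing is small. Below is an added example (not Anthropic’s release tooling) of a pre-publish gate that inspects the exact file list npm is about to upload. It assumes the output shape of `npm pack --dry-run --json` as emitted by npm 7 and later, where each package carries a `files` array of `{ path, size, mode }` objects; the sample output, package name, sizes and paths are constructed for the example, and the 10 MB size threshold is an assumption to tune per project.

```javascript
// Added example: a pre-publish gate over the file list npm will actually
// upload. `npm pack --dry-run --json` (npm 7+) prints, for each package, a
// "files" array of { path, size, mode }; this check reads that output and
// refuses to publish if any entry is a debug artifact, key material, or
// implausibly large. It catches what an ignore file cannot: a package.json
// `files` allowlist such as ["dist"] includes dist/cli.js.map, and npm's docs
// state that paths under `files` cannot be excluded through .npmignore.

// Assumption: no legitimate file in this package exceeds 10 MB.
const MAX_FILE_BYTES = 10 * 1024 * 1024;

// Each rule returns a reason string when it fires, otherwise null.
const RULES = [
  (f) => (/\.map$/i.test(f.path) ? "source map" : null),
  (f) => (/(^|\/)\.env(\..+)?$/.test(f.path) ? "dotenv file" : null),
  (f) => (/\.(pem|key|p12|pfx)$/i.test(f.path) ? "key material" : null),
  (f) => (f.size > MAX_FILE_BYTES ? `oversized (${f.size} bytes)` : null),
];

// Scan the parsed output of `npm pack --dry-run --json` and collect every
// file that trips a rule, with all the reasons it tripped.
function checkPackOutput(packJsonText) {
  const packages = JSON.parse(packJsonText);
  const offenders = [];
  for (const pkg of packages) {
    for (const f of pkg.files || []) {
      const reasons = RULES.map((rule) => rule(f)).filter(Boolean);
      if (reasons.length > 0) offenders.push({ path: f.path, size: f.size, reasons });
    }
  }
  return { ok: offenders.length === 0, offenders };
}

// Constructed sample in the shape npm prints; name, sizes and paths are
// invented. The .map entry is the shape of the Claude Code mistake: a
// 59.8 MB map sitting next to an 8 MB bundle.
const SAMPLE_PACK_OUTPUT = JSON.stringify([
  {
    id: "@example/cli@1.0.0",
    name: "@example/cli",
    version: "1.0.0",
    filename: "example-cli-1.0.0.tgz",
    files: [
      { path: "package.json", size: 512, mode: 420 },
      { path: "README.md", size: 2048, mode: 420 },
      { path: "dist/cli.js", size: 8000000, mode: 493 },
      { path: "dist/cli.js.map", size: 59800000, mode: 420 },
      { path: "dist/.env.production", size: 80, mode: 420 },
    ],
  },
]);

// Same package with the debris removed: this is what should pass.
const CLEAN_PACK_OUTPUT = JSON.stringify([
  {
    id: "@example/cli@1.0.0",
    name: "@example/cli",
    version: "1.0.0",
    filename: "example-cli-1.0.0.tgz",
    files: [
      { path: "package.json", size: 512, mode: 420 },
      { path: "README.md", size: 2048, mode: 420 },
      { path: "dist/cli.js", size: 8000000, mode: 493 },
    ],
  },
]);

const result = checkPackOutput(SAMPLE_PACK_OUTPUT);
for (const o of result.offenders) {
  console.error(`refusing to publish: ${o.path} (${o.reasons.join(", ")})`);
}
console.log(result.ok ? "pack contents OK" : "pack contents rejected");
```

To wire this into a release, run `npm pack --dry-run --json` from a `prepublishOnly` script, feed its output to `checkPackOutput`, and exit non-zero when `ok` is false. The point of checking the packed list rather than the ignore file is that it is independent of how the list was produced: whether the mistake is a missing `.npmignore` line, an over-broad `files` entry, or a build step that started emitting a new artifact, the gate sees the tarball contents npm is about to upload.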
Key Takeaways
- 512,000 lines of Claude Code source leaked via npm source map in version 2.1.88: complete codebase, not a partial leak
- KAIROS autonomous daemon is fully built behind a feature flag: 24/7 background agents with memory consolidation and webhook integration
- Undercover Mode hides Anthropic’s AI-authored contributions to public open-source repos
- Anti-distillation fake tools deliberately poison competitor training data
- Client attestation (Zig-compiled DRM) raises the bar for third-party clients trying to spoof official Claude Code requests, though a secret held in a client binary can still be extracted
- Second leak in a week, after the Mythos model exposure, signals systemic release process gaps
- DMCA takedowns removed 8,100+ repos but decentralized mirrors and clean-room rewrites ensure the code stays public
- No customer data was exposed: this was source code and internal architecture only
Sources: Axios, Fortune, Alex Kim, Engineer’s Codex, VentureBeat, The Register, Decrypt