Claude Code Source Code Leaked via npm: 512,000 Lines Exposed — What You Need to Know, Definable Perspective
Definable Team · April 1, 2026 · 13 min read
Anthropic accidentally published Claude Code's entire source via an npm package, exposing ~512,000 lines. Learn what was found and why it matters.
Key Takeaways
- A missing .npmignore and included source maps caused Anthropic to accidentally publish Claude Code's full source (~512,000 lines).
- The leak exposed major internal features — KAIROS background agent, autoDream memory consolidation, Undercover Mode, tool registries, and internal model codenames.
- The developer community rapidly mirrored and rewrote the code, sparking legal and ethical debates about reimplementation and training on leaked assets.
- Although Anthropic called it human error rather than a hack, the incident underscores supply-chain and release-hardening failures that organizations must address.
- Immediate mitigations include removing sensitive artifacts from packages, enforcing build-time checks, rotating secrets, and strengthening registry monitoring and controls.
The Biggest AI Source Code Leak of 2026: Claude Code Exposed
On March 31, 2026, the AI world woke up to one of the most jaw-dropping security incidents in recent memory — not a sophisticated cyberattack, not a nation-state hack, but a single missing line in a config file.
Anthropic, the safety-first AI lab behind Claude, accidentally published the entire source code of Claude Code — its flagship AI coding agent — inside a publicly available npm package. Within hours, developers around the globe had downloaded, dissected, mirrored, and rewritten the code. A clean-room Python rewrite hit 50,000 GitHub stars in two hours, likely making it the fastest-growing repository in GitHub history.
This is the full story of what happened, what was found, and what it means for the AI industry.
How Did the Claude Code Leak Happen?
The answer is almost embarrassingly simple: a missing .npmignore entry.
Claude Code is built on Bun (a JavaScript runtime Anthropic acquired in late 2025). Bun generates source map files (.map files) by default during builds. Source maps exist to help developers debug minified code in production — but they contain something powerful: the original source code embedded as a JSON array.
The file cli.js.map, shipped with @anthropic-ai/claude-code version 2.1.88, contained a sourcesContent JSON array holding every original TypeScript file — readable, commented, and completely intact across roughly 1,900 files and 512,000 lines.
All it took was:
npm pack @anthropic-ai/claude-code@2.1.88
# untar the archive and read the .map file
Security researcher Chaofan Shou spotted the exposure at approximately 4:23 AM ET and posted on X. The tweet accumulated over 21 million views. Anthropic pulled the package within hours, calling it "a release packaging issue caused by human error, not a security breach."
The irony? Claude Code contains an entire system called Undercover Mode — designed specifically to prevent internal information from leaking. They built a whole subsystem to stop their AI from revealing internal codenames in commits... then shipped the entire source in a .map file.
What Was Inside the Claude Code Source Code?
The leaked codebase is a masterclass in production-grade AI engineering — and a roadmap of everything Anthropic didn't want competitors to see. Here's a breakdown of the most significant discoveries.
1. KAIROS: An Always-On Background AI Agent
The most technically ambitious feature in the codebase is KAIROS — an autonomous daemon mode referenced over 150 times in the source.
KAIROS is not your typical coding assistant. It's a persistent, always-running background agent that:
- Maintains append-only daily log files of observations and decisions
- Receives regular <tick> prompts to decide whether to act proactively
- Has a 15-second blocking budget — any action taking longer gets deferred
- Can push notifications to your device and subscribe to GitHub pull request activity
Nested inside KAIROS is a feature called ULTRAPLAN — which offloads complex planning tasks to a remote cloud session running Opus 4.6 with up to 30 minutes of dedicated think time. Results are approved from the browser and "teleported" back to your terminal.
KAIROS is completely absent from external builds, gated behind compile-time feature flags.
2. The Dream System: Claude Literally Consolidates Memories While You're Away
One of the most philosophically fascinating discoveries is autoDream — a background memory consolidation engine that runs as a forked subagent.
The dream system triggers only when three gates all pass:
- Time gate: 24 hours since last dream
- Session gate: At least 5 sessions since last dream
- Lock gate: Acquires a consolidation lock to prevent concurrent dreams
When all three pass, the dream subagent follows four phases:
- Orient — Read the memory directory and existing topic files
- Gather Recent Signal — Identify new information worth persisting from logs and transcripts
- Consolidate — Write or update memory files, converting relative dates to absolute, deleting contradicted facts
- Prune and Index — Keep MEMORY.md under 200 lines and ~25KB, resolve contradictions
The dream agent gets read-only bash access — it can observe your project but not modify anything. The system prompt literally says:
"You are performing a dream — a reflective pass over your memory files."
3. Undercover Mode: Claude Hiding Itself in Open-Source Repos
Undercover Mode (utils/undercover.ts, ~90 lines) activates when Anthropic employees use Claude Code on public repositories. When active, it injects a system prompt telling Claude to:
- Never mention it is an AI
- Never include Co-Authored-By attribution in commits
- Strip all internal codenames (animal names like Capybara, Tengu) from PR descriptions
- Hide internal Slack channels, short links, and tooling names
The activation logic has no force-OFF switch. If Claude Code isn't confident it's in an internal repo, it stays undercover. This means Anthropic has been contributing to open-source software via Claude Code without disclosure — a revelation that sparked fierce debate in the developer community.
4. Anti-Distillation Mechanisms: Poisoning Competitor Training Data
The ANTI_DISTILLATION_CC flag triggers two mechanisms designed to prevent competitors from extracting value from Claude Code's API traffic:
- Fake tool definitions injected into API requests to poison the training data of any competitor recording API calls
- Cryptographic summaries of assistant reasoning between tool calls, so eavesdroppers get only summaries, not full chain-of-thought output
The Hacker News community was quick to note both are trivially defeated by stripping fields via a proxy — but the intent reveals how seriously Anthropic takes competitive intelligence.
5. BUDDY: A Tamagotchi Pet System Inside Your Terminal
Among the more delightful discoveries: BUDDY, a full Tamagotchi-style companion pet system with:
- 18 species across rarity tiers: Common (60%), Uncommon (25%), Rare (10%), Epic (4%), Legendary (1%)
- A 1% shiny chance independent of rarity (Shiny Legendary Nebulynx = 0.01% chance)
- Procedurally generated stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK
- ASCII art sprites with multiple animation frames, idle animations, and a Claude-generated personality on first hatch
The companion was planned as an April 1–7 teaser with a full launch in May 2026. It's not just cosmetic — the buddy has its own system prompt and can respond when addressed by name.
6. Internal Model Codenames Exposed
The source confirmed internal Anthropic codenames that had never been publicly disclosed:
| Codename | Maps To |
|---|---|
| Capybara | Claude 4.6 (with a "capybara-v2-fast" variant in development) |
| Fennec | Opus 4.6 |
| Numbat | Unreleased model |
| Tengu | Claude Code's internal project codename |
References to Opus 4.7 and Sonnet 4.8 also appear in the codebase — models not yet publicly announced at the time of the leak.
Internal benchmarks revealed that Capybara v8 has a 29–30% false claims rate, a regression from 16.7% in v4. A bug fix comment also disclosed that 250,000 API calls per day were being wasted due to autocompact failures.
7. Fast Mode Is Internally Called "Penguin Mode"
The internal API endpoint for Fast Mode:
/api/claude_code_penguin_mode
Config key: penguinModeOrgEnabled. Kill-switch: tengu_penguins_off. Penguins all the way down.
8. Multi-Agent Orchestration: A Full Coordinator System
The coordinator/ directory contains a multi-agent orchestration system that transforms Claude Code from a single agent into a coordinator that spawns and directs parallel worker agents:
| Phase | Who | Purpose |
|---|---|---|
| Research | Workers (parallel) | Investigate codebase, find files |
| Synthesis | Coordinator | Read findings, craft specifications |
| Implementation | Workers | Make targeted changes per spec |
| Verification | Workers | Test changes |
The system prompt explicitly teaches parallelism: "Parallelism is your superpower. Workers are async. Launch independent workers concurrently whenever possible."
9. 40+ Tools in the Registry
The full tool registry includes everything from standard file operations to KAIROS-exclusive tools like PushNotification, SubscribePR, and SendUserFile. Notable entries include:
- BashTool with 2,500 lines of security validation
- WebBrowserTool for full browser control
- ScheduleCronTool for cron job automation
- REPLTool for interactive VM shell access
- CtxInspectTool for context window inspection
The claw-code Phenomenon: 50,000 Stars in Two Hours
Korean developer Sigrid Jin — profiled by the Wall Street Journal for consuming 25 billion Claude Code tokens in a single year — woke at 4 AM to the news. Concerned about legal exposure, Jin took a different approach: a clean-room Python rewrite of Claude Code using architectural patterns from the leak, without copying proprietary source.
The repository, instructkr/claw-code, became a phenomenon:
- 50,000 GitHub stars in approximately two hours
- Over 55,800 stars and 58,200 forks by April 1
- A Rust rewrite already underway on a separate branch
- Described as possibly "the fastest repo in history to surpass 50K stars"
The clean-room methodology mirrors the legal precedent from Phoenix Technologies v. IBM (1984) — the same approach used to clone the IBM BIOS. Whether copyright protects the architectural patterns, not just the source expression, is now a live legal question.
The Broader Security Context
The source code leak coincided with a completely unrelated supply-chain attack on the axios npm package — malicious versions containing a Remote Access Trojan were published between 00:21 and 03:29 UTC on March 31, creating a window where npm users could have been exposed.
More significantly, the Claude Code leak is Anthropic's second major exposure in five days. On March 26, a CMS misconfiguration leaked draft blog posts about the unreleased Mythos model. Two operational security failures in one week from a company positioning itself as the safety-first AI lab.
Known CVEs already existed before the leak — including code injection via untrusted directories (CVSS 8.7) and API key exfiltration (CVSS 5.3). Full source access means these can now be audited at a fundamentally different depth.
What This Means for the AI Industry
For Anthropic: The strategic damage likely exceeds the code exposure. Feature flag names, model codenames, internal benchmarks, and anti-competitive countermeasures are now public knowledge. Enterprise customers partly pay for the belief that their vendor's technology is proprietary and protected. That assurance has been complicated.
For the ecosystem: The exposed multi-agent coordination patterns, permission system, and sandboxing approach may become de facto industry standards — they are now the only fully documented, production-grade implementation available. Open-source projects like claw-code can build on battle-tested patterns rather than guessing.
For developers: Multiple community voices argued the CLI should have been open source from the start. Google's Gemini CLI and OpenAI's Codex are already open. The models are the moat, not the shell around them.
Key Takeaways
- 512,000 lines of Claude Code source exposed via a missing .npmignore entry
- KAIROS: an always-on background daemon mode with proactive AI behaviour
- Undercover Mode: Claude hiding its AI identity in open-source contributions
- autoDream: a background memory consolidation system that runs while you're idle
- BUDDY: a full Tamagotchi companion system planned for May 2026
- Unreleased models: Capybara (Claude 4.6), Opus 4.7, Sonnet 4.8 all confirmed
- claw-code: a clean-room rewrite that hit 50,000 GitHub stars in two hours
- Second Anthropic security incident in five days

Frequently Asked Questions
How did the Claude Code leak happen?
A missing .npmignore entry let a build artifact (the .map file) ship inside the published package. Its sourcesContent array contained the original TypeScript files, and the package was published and downloaded before being pulled.
What exactly was exposed in the leaked source?
Roughly 1,900 files and ~512,000 lines revealed internal systems like KAIROS, autoDream, Undercover Mode, tool registries, internal codenames, and model references.
Was this a security breach or just human error?
Anthropic describes it as a release packaging error caused by human mistake, not an external compromise, but the practical effect is identical: sensitive internal code became public.
Can competitors legally use or train on the leaked code?
Legal risk is complex: copying verbatim is likely infringing, but clean-room reimplementations may be defensible; using leaked material for training raises ethical and potential legal issues.
What should organizations do to protect against similar leaks?
Audit published packages, block source maps in releases, enforce CI checks for sensitive files, rotate exposed secrets, monitor registries, and consult legal teams if a leak occurs.
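One way to implement the "block source maps in releases" and "enforce CI checks" advice above, targeting the sourcesContent mechanism described in "How Did the Claude Code Leak Happen?". This is an added example, not code from the article or from Anthropic; the function names, the { path, content } input shape and the sample files are assumptions constructed for illustration. It goes slightly beyond the case in the article by also catching inline base64 maps and index maps.

```javascript
// Added example, not Anthropic's tooling; function names and sample data are assumptions.
const arr = (v) => (Array.isArray(v) ? v : []);
// Line counts of every original file embedded in a parsed source map,
// recursing into index maps, whose per-chunk maps live under sections[].map.
function embeddedSources(map) {
  if (!map || typeof map !== 'object') return [];
  const counts = arr(map.sourcesContent)
    .filter((t) => typeof t === 'string' && t.length > 0)
    .map((t) => t.split('\n').length);
  for (const s of arr(map.sections)) counts.push(...embeddedSources(s && s.map));
  return counts;
}
// Inline form: //# sourceMappingURL=data:application/json;base64,<payload>
const INLINE_MAP = /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+\/=]+)/;
// files: [{ path, content }] -> findings: [{ path, severity, reason }]
function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    let json = null;
    if (path.endsWith('.map')) json = content;
    else if (/\.[cm]?js$/.test(path)) {
      const m = INLINE_MAP.exec(content);
      if (m) json = Buffer.from(m[1], 'base64').toString('utf8');
    }
    if (json === null) continue; // neither a map nor a script with an inline map
    let src;
    try { src = embeddedSources(JSON.parse(json)); } catch (e) {
      findings.push({ path, severity: 'warn', reason: 'source map is not valid JSON' });
      continue;
    }
    const lines = src.reduce((n, c) => n + c, 0);
    findings.push(src.length
      ? { path, severity: 'fail', reason: `${src.length} original file(s), ${lines} lines embedded` }
      : { path, severity: 'warn', reason: 'map shipped: exposes source paths and symbol names' });
  }
  return findings;
}
// Constructed sample package contents (not taken from any real package).
const tsMap = { version: 3, sources: ['src/a.ts', 'src/b.ts'], mappings: '',
  sourcesContent: ['const a = 1;\nexport default a;', null] };
const indexMap = { version: 3, sections: [{ offset: { line: 0, column: 0 }, map: tsMap }] };
const SAMPLE_FILES = [
  { path: 'cli.js.map', content: JSON.stringify(tsMap) },
  { path: 'worker.js', content: 'run();\n//# sourceMappingURL=data:application/json;base64,' +
      Buffer.from(JSON.stringify(indexMap)).toString('base64') },
  { path: 'lib.js.map', content: JSON.stringify({ version: 3, sources: ['src/lib.ts'], mappings: '' }) },
  { path: 'index.js', content: 'module.exports = {};' },
];
console.log(auditPackageFiles(SAMPLE_FILES));
```

In CI, build the file list from the unpacked `npm pack` tarball and exit non-zero when any finding has severity `fail`.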