Anthropic Leaked Claude Code's Entire Source — Here's What 512K Lines of TypeScript Reveal

TL;DR

Anthropic shipped a source map file in Claude Code v2.1.88 to the public npm registry on March 31, exposing 512,000 lines of TypeScript across 1,906 files. The code reveals KAIROS — an unreleased always-on daemon mode — plus anti-distillation defenses, a Tamagotchi-style terminal pet called BUDDY, and an “Undercover Mode” that strips AI attribution from commits. This is Anthropic’s second accidental disclosure in five days, and attackers are already exploiting the fallout with typosquatting packages on npm.

What Happened

On March 31, 2026, Anthropic pushed version 2.1.88 of the @anthropic-ai/claude-code package to npm. Routine update. One problem: the build included a 59.8 MB .map file, a JavaScript source map meant for internal debugging, that pointed to a zip archive on Anthropic’s own cloud storage containing the full, unminified source code.

Security researcher Chaofan Shou spotted it first and posted on X: “Claude code source code has been leaked via a map file in their npm registry!” By 4:23 AM ET, mirrors were popping up on GitHub. Within hours, the reconstructed repo had surpased 84,000 stars and 82,000 forks.

Here’s the kicker: this isn’t even the first time. A nearly identical source-map leak happened with an earlier Claude Code version in February 2025. Same mistake, thirteen months later.

Anthropic’s statement was brief: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach.”

What the Code Reveals

The leaked codebase contained 44 hidden feature flags. Some of them are genuinely interesting. Others are downright weird.

KAIROS — The Always-On Daemon

KAIROS (Ancient Greek for “the right time”) is mentioned over 150 times in the source. It’s an autonomous daemon mode that turns Claude Code from a tool you invoke into a persistent background agent that watches, logs, and acts on its own.

How it works:

• KAIROS runs continuously and receives periodic <tick> prompts that let it decide whether to act or stay quiet
• It maintains append-only daily log files of everything it observes
• There’s a 15-second blocking budget. Any proactive action that would block the user’s workflow longer than that gets deferred
• When active, Claude Code switches to a “Brief” output mode: extremely concise responses so it doesn’t flood your terminal

The code also includes an autoDream system for memory consolidation during idle time. While the user is away, a forked subagent merges observations, removes contradictions, and converts vague insights into concrete facts. When you come back, the agent’s context is clean and relevant. The fork prevents the main agent’s reasoning from being corrupted by its own maintenance routines.

BUDDY — A Terminal Tamagotchi

This one’s harder to explain with a straight face. BUDDY is a Tamagotchi-style terminal pet with 18 species (including capybara, axolotl, and ghost), rarity tiers from common to a 1% legendary drop rate, shiny variants, and five stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNACK.

Is it a morale feature? An internal joke that grew into real code? Nobody outside Anthropic knows. But the implementation is complete, just gated behind a flag.

Anti-Distillation Defenses

A flag called ANTI_DISTILLATION_CC activates a system that injects fake tool definitions into API requests. The idea: if a competitor is recording Claude Code’s API traffic to train their own model, the decoy definitions corrupt that training data. It’s a DRM-like defense for AI outputs. First time we’ve seen something like this in production code from a major AI lab.

Undercover Mode

Possibly the most controversial find. A system within Claude Code that instructs the AI to hide all evidence of being AI-generated when contributing to public open-source repositories on behalf of Anthropic employees. It scrubs internal model codenames and AI attribution from git commits and pull request descriptions.

This directly conflicts with the growing push for AI transparency in open-source contributions. Multiple open-source maintainers have already called it out on social media.

More Hidden Flags

COORDINATOR MODE lets a single agent spawn and manage parallel worker agents. VOICE_MODE is a fully implemented push-to-talk voice interface. There’s also Team Memory Sync, a bidirectional sync service that connects local memory files to Anthropic’s API so teams can share context across an organization.

A few more: Session Learning lets Claude review its own sessions and transfer learnings across conversations. ULTRAPLAN handles 30-minute remote planning sessions. And there’s an Anthropic-employee-only Experimental Skill Search for downloading and executing remote skill definitions.

The Security Fallout

The source code leak itself is embarrassing. The downstream attacks it enabled are the real concern.

Typosquatting Campaign

The leak exposed internal dependency names that were never supposed to be public. Within hours, an npm user named pacifier136 registered packages named audio-capture-napi, color-diff-napi, image-processor-napi, modifiers-napi, and url-handler-napi . All typosquats of internal Claude Code dependencies.

Security researcher Clément Dumas warned: “Right now they’re empty stubs, but that’s how these attacks work. Squat the name, wait for downloads, then push a malicious update that hits everyone who installed it.”

The axios Collision

The timing made everything worse. Hours before the Claude Code leak, the axios npm package was compromised in a separate supply chain attack. Anyone who installed or updated Claude Code via npm between 00:21 and 03:29 UTC on March 31 may have pulled in a malicious axios version (1.14.1 or 0.30.4) containing a North Korean RAT.

Two independent npm security incidents in the same night. If you updated Claude Code during that window, Anthropic’s advice is blunt: treat your system as compromised.

Orchestration Logic Exposure

Because the leak revealed exact orchestration logic for Hooks and MCP (Model Context Protocol) servers, attackers can now design malicious repositories that trick Claude Code into running background commands or exfiltrating data. The attack surface isn’t theoretical. It’s documented in the source code itself.

Second Leak in Five Days

Five days before the npm incident, on March 26, a CMS misconfiguration at Anthropic exposed roughly 3,000 internal files. That leak revealed details about Claude Mythos, an unreleased frontier model, including internal codenames: Capybara maps to Claude 4.6, Fennec to Opus 4.6, and Numbat is still in testing.

Two accidental disclosures in under a week from a company that markets itself as the safety-first AI lab.

What Went Wrong (Technically)

Three process gaps made the npm leak possible:

1. No pre-publish CI check. A single grep for .map files in the build output would have caught this. They didn’t have one.

2. Over-reliance on minification. Minification obscures code for casual readers, but it’s not a security boundary. Source maps undo it completely. That’s literally what they’re for. You wouldn’t lock the front door and leave the key taped to the frame.

3. No registry allowlist. Internal package names weren’t reserved on npm, so the moment those names went public, anyone could squat them.

These aren’t exotic failures. They’re the kind of thing a 10-person startup with one DevOps engineer would catch in a PR review.

Anthropic’s Response and Guidance

Anthropic pulled version 2.1.88 from npm and issued DMCA takedown requests targeting the 8,000+ mirrors that had already popped up on GitHub. Good luck with that. The code is archived on dozens of non-US hosting providers and torrent networks.

More practically, Anthropic now recommends users migrate away from the npm-based installation entirely. The Native Installer is the new recommended method because it ships a standalone binary that doesn’t rely on the npm dependency chain.

If you installed Claude Code via npm recently:

# Check which version you have
claude --version

# If you're on 2.1.88, uninstall and reinstall via the native installer
npm uninstall -g @anthropic-ai/claude-code

# Check for the malicious axios versions
npm ls axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"

If npm ls shows axios 1.14.1 or 0.30.4, assume compromise and rotate your credentials.

What Comes Next

The DMCA takedown effort is a losing battle. The code is everywhere. Competitors now have a detailed feature roadmap (KAIROS, COORDINATOR MODE, Team Memory Sync) and can plan their own product responses accordingly.

The KAIROS implementation shows Anthropic is further ahead on the agent side than most assumed. The daemon mode isn’t a prototype. It’s fully architected with rate limiting, memory consolidation, and privacy controls. But they can’t ship it quietly anymore. Competitors now get to reverse-engineer the roadmap for free.

Practical takeaway for developers: pin your dependencies, use lockfiles, run npm audit regularly. And if you’re installing AI coding tools through a package manager, maybe a standalone binary is the safer bet.

FAQ

Was any customer data exposed in the Claude Code leak?

No. Anthropic confirmed the leak contained only source code, not API keys, customer data, or credentials. The risk comes from the downstream attacks (typosquatting, orchestration logic exposure) rather than the source code itself.

Should I stop using Claude Code?

Not necessarily. The source code leak doesn’t mean the tool is insecure to run. But if you installed it via npm between March 30-31, verify your axios version and consider switching to the native installer.

What is KAIROS and when will it ship?

KAIROS is an unreleased daemon mode that turns Claude Code into a persistent background agent. It’s fully implemented but gated behind feature flags. Anthropic hasn’t announced a ship date, and the leak may delay it. Or accelerate it, depending on how they read the public reaction.

How does the anti-distillation system work?

When enabled, Claude Code injects fake tool definitions into API requests. If a competitor intercepts and trains on those requests, the decoy data corrupts their model’s understanding of Claude Code’s capabilities. Think of it as poisoned training data by design.

Is this related to the Claude Mythos leak from March 26?

Different incident, same root cause. The Mythos leak was a CMS misconfiguration exposing internal documents. The Claude Code leak was an npm packaging error. Both are process failures, not targeted attacks. Two in one week is a pattern, not bad luck.

Bottom Line

Anthropic accidentally published the entire blueprint for one of the most capable AI coding agents to the world’s largest package registry. Twice in thirteen months. KAIROS is genuinely impressive engineering. The anti-distillation defenses are clever. BUDDY is… well, BUDDY exists. But the real story isn’t what the code does. It’s that a company selling AI safety couldn’t keep its own source code behind a build configuration flag that a junior engineer would catch.