What Was Revealed with the ClaudeAI Leak?

Claude Code Source Code Leak: What Was Revealed

Reactions have been a mix of fascination, alarm, and ridicule, while Anthropic has tried to frame it as an embarrassing but contained packaging error with no user-data impact.

How Anthropic Responded

• Anthropic confirmed the incident, saying “some internal source code” for Claude Code was leaked in an npm release and blaming a “release packaging issue caused by human error, not a security breach.”
• The company emphasized that no sensitive customer data or credentials were exposed and that only the tooling layer (not model weights or training data) was affected.
• They quickly pulled the affected npm version, issued takedown requests (DMCA) to GitHub and other hosts, and told outlets like Axios, Fortune, and others that they were rolling out extra safeguards to prevent a repeat.
• Internally, Claude Code’s lead Boris Cherny publicly described it as a “plain developer error,” effectively owning that a single missing ignore rule for the source map exposed the entire codebase.

Developer and Security Community Reactions

• Many developers treated it as one of the most significant accidental disclosures in AI tooling history, partly because it cleanly exposed the “agentic harness” and future roadmap, not just a few snippets.
• Security researchers criticized the basic nature of the mistake (shipping a huge source-map to npm) given Anthropic’s self-positioning as a careful, safety‑first company.
• Some posts framed it as “the careful AI company just leaked their own code. Twice,” highlighting that a similar source-map issue had occurred in 2025 and that this came days after a separate CMS misconfiguration leak (“Mythos/Capybara” model spec).
• On Hacker News and blogs, you see a split narrative: technically impressive architecture and features (KAIROS, BUDDY, DREAM/“dreaming”, ULTRAPLAN) versus concern about operational maturity and security culture.wavespeedyoutubeclaudefa

Public/Media Framing

• Mainstream tech media (Axios, Fortune, Business Insider, NDTV, etc.) largely framed it as Anthropic leaking its own code twice and handing rivals a detailed view of one of its flagship products.
• Articles noted that the leak could help competitors replicate parts of Claude Code’s UX and orchestration, while raising questions about how a firm so vocal about long‑term AI risks can repeatedly mishandle fairly basic DevOps hygiene.
• Some coverage pointed out the irony that the leak happened amid heightened concern about a powerful upcoming model (Mythos/Capybara), making Anthropic’s security narrative look fragile.

Ethical and Political Reactions (Undercover Mode, Telemetry)

• Undercover Mode drew especially sharp criticism: commentators called it “unethical” or “corporate stealth,” because it is explicitly designed so Anthropic employees can use Claude Code on public/open-source repos without any visible AI attribution.
• Defenders argued that Undercover Mode is a leak‑prevention tool meant to stop internal codenames and secrets from accidentally appearing in commits, but critics stressed that it also normalizes unattributed AI-generated contributions to open source.
• Telemetry and “frustration tracking” (detecting swearing/anger and continue‑button spam) were seen as aggressive but not unheard of; the pushback focused more on opacity and lack of granular opt‑out rather than on the mere existence of analytics.

Community Behavior After the Leak

• Developers rapidly mirrored the leaked repo, reverse‑engineered the code, and even published “clean‑room” rewrites (e.g., in Python) that claimed to re‑implement the CLI behavior without Anthropic IP, explicitly to be DMCA‑resistant.
• One such rewrite reportedly became one of the fastest‑growing GitHub repositories ever (tens of thousands of stars within hours), a symbolic sign of how quickly the ecosystem mobilized around the leak.
• Even as GitHub removed thousands of mirrors under DMCA, decentralized and alternative hosts continued to distribute derivatives, reinforcing a consensus that the “genie is out of the bottle.”

Would you like a short, more theory‑driven take on what this means for AI governance and “safety‑brand” companies, or are you mainly interested in concrete disclosures (undercover mode, telemetry, agents) for teaching/writing?

Overview

On March 31, 2026, Anthropic accidentally exposed the full source code of Claude Code — its flagship AI coding assistant — by including a debug source map file in a public npm package update. The incident was not a targeted hack; an employee packaging error caused version 2.1.88 of the @anthropic-ai/claude-code npm package to bundle a 57–60 MB cli.js.map file that mapped directly back to the unobfuscated TypeScript source code. Within hours, security researcher Chaofan Shou flagged the leak on X, which went on to accumulate over 28 million views.[1][2][3][4][5]

Importantly, this was not the first time — a similar exposure had occurred in 2025, was fixed, and then resurfaced. The leak exposed the full CLI client software layer — approximately 1,900 TypeScript source files, 512,000 lines of code, 44 feature flags, 26 hidden slash commands, and over 120 undocumented environment variables. It did not expose Claude’s model weights, training data, user conversations, or API credentials.[6][2][7][8]

What Was Inside

The Architecture

The reconstructed codebase revealed Claude Code’s complete internal framework, which Anthropic calls the “agentic harness” — the software layer that wraps the language model and tells it how to use tools, enforce safety, and orchestrate work. Key components included:[2]

• A 46,000-line query engine handling all LLM API calls, streaming, caching, and orchestration[7]
• A multi-agent orchestration system coordinating multiple AI agents within a single session[7]
• The tool system: file manipulation, web fetching, MCP integration, LSP support, and a sub-agent spawning system[9]
• The entire terminal UI built on the Bun runtime with React and Ink[9]

Unreleased & Hidden Features

The most widely discussed findings were the 44 feature flags pointing to fully built but not-yet-shipped capabilities:[10]

KAIROS — The Always-On Background Agent

KAIROS is perhaps the most consequential discovery. Referenced over 150 times in the codebase, it describes a persistent background daemon that runs continuously without user prompts. When active, KAIROS can:[2]

• Poll the environment every few seconds with a “heartbeat” — prompting itself to ask “anything worth doing right now?”[11]
• Proactively fix errors, respond to messages, and update files autonomously[11]
• Subscribe to GitHub webhooks and react to pull requests without being asked[2]
• Run nightly “memory distillation” (“dreaming”) — consolidating observations, resolving contradictions, and building persistent context across sessions[12][13]
• Send push notifications to phones and desktops, and deliver files it creates without any user prompt[11]

KAIROS is fully built and compiled; it is merely sitting behind a feature flag.[2]

BUDDY — The Tamagotchi AI Companion

A hidden /buddy command points to a full-featured companion system described as a persistent, personalized AI “pet.” It comes with 18 species, rarity tiers, stat systems, hats, and animations. One internal note suggests BUDDY was not yet shipped because it was hallucinating too much. Ironically, the internal model codename “Capybara” appears hex-encoded in the buddy species list — apparently to bypass Anthropic’s own leak detectors.[14][15][16][17]

ULTRAPLAN, Coordinator Mode, and Multi-Agent Orchestration

The codebase also includes:

• ULTRAPLAN: sends complex planning tasks to a remote Claude instance for up to 30 minutes, returning a plan for user approval[18]
• Coordinator Mode: spawns multiple parallel worker agents reporting back via XML, enabling complex parallel task execution[18][2]
• UDS Inbox: allows agents running on the same machine to communicate over Unix sockets[18]
• BRIDGE: enables remote control of the CLI from a phone or different browser (this feature has since been publicly launched)[19]

Voice Mode, Browser Control, and Sleep/Resume

Additional undisclosed features included a full voice command mode with its own CLI entrypoint, real browser control via Playwright (not just simple web fetching), and agents capable of sleeping and self-resuming without user prompts.[10]

Undercover Mode: Hiding AI Authorship

One of the more controversial findings was a file called undercover.ts. Undercover Mode is a mandatory stealth protocol designed for Anthropic employees working on external (non-internal) repositories. When activated:[2]

• It strips all “Generated with Claude Code” attributions and branding[12]
• It injects strict instructions to never reveal internal codenames, Slack channels, or that AI was used at all[2]
• It auto-activates whenever an Anthropic employee works on a public or non-internal repo[12]
• Crucially, there is no force-off switch — it can only be forced on[2]

The practical result: AI-authored code contributions that appear to be entirely human-written, with no indication of AI involvement.[12][2]

Internal Model Codenames and Future Roadmap

The leaked source’s Undercover Mode prompt included a list of strings that employees were forbidden from ever leaking — which inadvertently exposed the very model names Anthropic was trying to protect:[8]

The leak also exposed the names of 22 private Anthropic repositories, including anthropics/casino, anthropics/trellis, and anthropics/forge-web.[8]

Telemetry: What Claude Code Was Tracking

The leaked code revealed more granular user monitoring than many had assumed. A file called userPromptKeywords.ts contains a frustration regex — a pattern that detects when users swear at or express frustration with the tool (matching profanity, insults, and phrases like “so frustrating”). When triggered:[20]

• The event is tagged and sent as telemetry[20]
• Data is routed through Datadog alongside session metadata like model usage and environment details[16][21]
• Repeated presses of “continue” (indicating the model cut off mid-response) are also tracked as a frustration signal[15][16]

The code includes safeguards that prevent actual user code or file paths from being transmitted, and users can disable all telemetry via environment variables. However, there is no documented way to opt out of the frustration-tracking telemetry category independently — only full opt-out is available.[16][20]

Anti-Distillation Mechanisms

The codebase revealed that Claude Code injects fake tool definitions into API responses — a deliberate anti-distillation tactic designed to degrade the quality of any model trained on Claude Code’s outputs. This confirms that Anthropic has built active countermeasures against competitors attempting to distill its product’s behavior.[22]

Security Implications

Beyond competitive intelligence, the leak carries real security risks:[5]

• Jailbreak and prompt injection surface: Attackers can now study how data flows through Claude Code’s four-stage context management pipeline and craft payloads designed to survive session compaction — effectively persisting a backdoor across long sessions[5]
• Supply chain risk: Within days of the leak, counterfeit npm packages impersonating Claude Code appeared in the registry[5]
• Axios dependency: The leaked code showed Claude Code depends on axios, a library that had itself just been compromised in a separate supply chain attack at the time[1]

Anthropic confirmed that no customer data or credentials were exposed, characterizing the incident as a packaging error. DMCA takedown notices were issued against GitHub mirrors, but the code had already spread widely — with one repository amassing over 84,000 stars and 82,000 forks.[3][4][5]

Broader Significance

The leak exposed what Axios called “a comprehensive roadmap of unreleased features” and raised scrutiny over operational security at a company that positions itself as the responsible, safety-focused AI lab. The fact that this was a repeat incident — the same source map vulnerability had already been patched once in 2025 — compounded the concern.[6][19]

The roadmap that emerged points clearly toward Anthropic’s next strategic phase: autonomous, always-on agents with persistent memory, multi-agent collaboration, and proactive background operation — all of which significantly advance its enterprise strategy ahead of a possible IPO.[19]

References

1. Full source code for Anthropic’s Claude Code leaks​ – Anthropic inadvertently exposed the source code for its major CLI tool, Claude Code.
2. What the Claude Code Leak Means for Enterprise AI – Anthropic accidentally leaked 512,000 lines of Claude Code source code. Here is what enterprise team…
3. Anthropic confirms it leaked Claude Code source code – TechRadar – Anthropic employee accidentally leaked Claude Code source via npm map file; Leak exposed 1,900 TypeS…
4. Claude Code source code accidentally leaked in NPM package – Anthropic says it accidentally leaked the source code for Claude Code, which is closed source, but t…
5. Claude Code Source Leaked via npm Packaging Error, Anthropic … – Claude Code 2.1.88 leak exposed 512000 lines via npm error, fueling supply chain risks and typosquat…
6. Anthropic’s AI Coding Tool Leaks Its Own Source Code For … – NDTV – According to BlockBeats, the latest version of Claude Code, v2.1.88, released on 31 March, was found…
7. Claude Code Source Code Leaked? Here’s what it contains – Claude code source code leaked? Learn what was actually exposed, what it contains, and whether it’s …
8. Anthropic Accidentally Leaks Claude Code’s Entire Source Code via … – Anthropic shipped a source map file inside the latest npm release of Claude Code – and with it, the …
9. Claude Code Leak Explained: What They Didn’t Want You to See 👀 – Anthropic accidentally leaked the entire source code of their Claude Code CLI through an unobfuscate…
10. BREAKING: Anthropic just leaked Claude Code’s entire source code – 44 hidden features. 20 unshipped. A roadmap Anthropic never meant to publish.
11. every few seconds, KAIROS gets a heartbeat. basically a prompt that …
12. Is Claude Code Open Source? The 512K-Line Leak Explained (2026) – This is the feature that has developers most excited from a practical standpoint. KAIROS stands for …
13. Scott Sun’s Post – LinkedIn – Claude Code source code is leaked, what people have found so far: KAIROS (proactive/always-on daemon…
14. Claude Code Source Code Leak: Everything Found in 512K Lines – Claude Fast | Full breakdown of the Claude Code npm source map leak. 512K lines, 44 feature flags, U…
15. Eric Holland ‘s Post – LinkedIn – Two leaks in one week 👀 Last week it was Claude Mythos (Anthropic’s secret model) This morning it’s …
16. Anthropic accidentally leaked Claude Code source code via a map … – In what feels like the most on-brand slip of the year, Anthropic, the AI startup behind Claude, acci…
17. Inside the 500,000 Line Claude Code Leak: Secret Features, “Spy” Mode, and Future Models – Anthropic accidentally leaked the entire source code for Claude Code, revealing over half a million …
18. Claude Code leak reveals 35 hidden features — here’s the … – Reddit – KAIROS — persistent assistant that logs daily, consolidates memories overnight ULTRAPLAN — sends com…
19. Anthropic leaked its own Claude source code – Axios – Source material powering Anthropic’s Claude Code leaked for the second time in just over a year, pub…
20. Claude Code Leak Part 2: Anti-Distillation, Undercover Mode, and … – Deep dive into the Claude Code leak findings: anti-distillation fake tools, frustration regex teleme…
21. Claude Code LEAKS Reveal Everything… – Want to make money and save time with AI? Get AI Coaching, Support & Courses 👉 https://www.skool.com…
22. Diving into Claude Code’s Source Code Leak | daily.dev – On March 31, 2026, Anthropic accidentally shipped a sourcemap file in a Claude Code npm update, expo…