On March 31, 2026, a 57 MB source map file shipped inside the @anthropic-ai/claude-code npm package exposed the entire TypeScript source code of Claude Code — 1,900 files and 512,000+ lines of code. The leak revealed unreleased features (KAIROS always-on agent, autoDream memory consolidation, ULTRAPLAN, Buddy System), future model codenames (Opus 4.7, Sonnet 4.8, Capybara/Mythos), internal quality metrics (29% false claims rate), and Undercover Mode for hiding AI identity in open-source commits. The same day, a separate supply chain attack compromised the Axios npm package — one of Claude Code’s own dependencies. This guide covers every major finding.
What happened on March 31, 2026?
Security researcher Chaofan Shou discovered that Anthropic had accidentally published a source map file (cli.js.map) inside version 2.1.88 of its Claude Code npm package. Source maps are debugging tools that link minified production code back to the original source — and this one contained the complete, unobfuscated TypeScript codebase of Claude Code.
Within hours, multiple GitHub mirrors appeared. Shou’s post on X accumulated over 3 million views. Anthropic pulled the package and deleted older versions, but the internet had already archived everything. This was Anthropic’s second leak in five days — on March 26, a CMS misconfiguration had exposed details about the unreleased Claude Mythos model.
To make the day worse, a completely separate supply chain attack compromised the Axios npm package — a library with 100 million weekly downloads that Claude Code itself depends on — deploying a remote access trojan to developer machines during a 2–3 hour window.
This guide brings together every major finding from our deep-dive reporting on the leak and the concurrent attack. Each section summarizes a key topic and links to our full analysis.
The complete breakdown — 5 deep dives
📦 The Leak: How It Happened and What Was Inside
A misconfigured .npmignore shipped a 57 MB source map to the public registry. The extracted codebase reveals 40+ agent tools, a custom React terminal renderer, multi-agent orchestration, 44 compile-time feature flags, and system prompts that were never meant to leave Anthropic’s build pipeline. We break down the technical cause, the scope, and why this was actually Anthropic’s second time leaking through npm in 13 months.
🧠 KAIROS: The Always-On AI Agent That Never Sleeps
The most architecturally significant finding. KAIROS is a persistent daemon mode that watches your project, logs observations in daily append-only files, and decides proactively whether to act — all under a 15-second blocking budget. Its autoDream subsystem consolidates memory during idle time in a four-phase cycle modeled on human REM sleep. This is the shift from reactive to proactive AI, backed by UC Berkeley’s sleep-time compute research.
AI Agents Read full analysis →🔮 Opus 4.7, Sonnet 4.8, Capybara: Anthropic’s Model Roadmap Decoded
The leaked Undercover Mode instructions explicitly list opus-4-7 and sonnet-4-8 as forbidden strings in public commits — confirming these versions exist internally. Migration functions trace the full release history from Fennec → Opus 4.6 → Sonnet 4.6. Capybara, the codename for Claude Mythos, shows a 29% false claims rate in v8 — a regression from 16.7% in v4. The most honest AI quality metric ever accidentally published.
🚨 Axios npm Attack: RAT Hits 100M-Download Package on Leak Day
Hours before the Claude Code leak went viral, attackers compromised the npm account of the Axios lead maintainer and published versions containing a cross-platform RAT. The malware called its C2 server within 2 seconds of npm install, then deleted itself to evade forensic analysis. Huntress confirmed 135 compromised endpoints. The kicker: Axios is a direct dependency of Claude Code, creating a compound risk scenario for every developer who updated that day.
⚡ Claude Mythos: The Model That Moved Markets Before It Launched
Five days before the source leak, a CMS misconfiguration exposed draft blog posts describing Claude Mythos — a new tier above Opus. Anthropic confirmed the leak was real and that Mythos is in early testing. Cybersecurity stocks dropped 4–7% on the revelation that the model is “far ahead of any other AI model in cyber capabilities.” The source leak later confirmed: Capybara is the internal codename for Mythos.
Models Markets Read full analysis →What did the leak actually contain?
The extracted source code covers the entirety of Claude Code’s src/ directory. Here is what the community has mapped so far:
| Component | Scale | What It Does |
|---|---|---|
QueryEngine.ts |
~46,000 lines | Core LLM API caller — streaming, tool loops, thinking mode, retry logic, token counting |
Tool.ts |
~29,000 lines | Defines all agent tool types and permission schemas — 40+ tools including BashTool, FileReadTool, AgentTool |
commands.ts |
~25,000 lines | Registers and executes ~85 slash commands spanning git, code review, memory, multi-agent orchestration |
main.tsx |
785 KB | Entry point — Commander.js CLI parser + custom React/Ink terminal renderer |
tools/ |
40+ files | Individual agent tool implementations — each is a discrete, permission-gated plugin |
services/autoDream/ |
— | Background memory consolidation engine — 4-phase cycle running as forked subagent |
assistant/ (KAIROS) |
— | Always-on daemon mode with tick system, daily logs, exclusive tools (PushNotification, SubscribePR) |
buddy/ |
— | Tamagotchi-style companion pet — 18 species, gacha mechanics, CHAOS/SNARK stats |
| Feature flags | 44 total | Compile-time toggles including PROACTIVE, KAIROS, VOICE_MODE, BRIDGE_MODE, BUDDY |
The codebase is built on React + Ink for terminal rendering and runs on the Bun runtime. This is not a weekend project wrapped in a CLI — it’s a full operating system for AI-assisted software engineering, with multi-agent orchestration, IDE bridge layers for VS Code and JetBrains, and a tiered memory architecture spanning four distinct layers.
What’s the timeline of Anthropic’s leaks in March 2026?
The Claude Code source leak was the culmination of a pattern:
| Date | Event | Vector |
|---|---|---|
| Mar 7 | @anthropic-ai/claude-agent-sdk ships full CLI bundle (cli.js, 13,800 lines) |
Bundled executable inside SDK package |
| Mar 26 | Claude Mythos details exposed — draft blog posts, PDFs, 3,000 unpublished assets | Misconfigured CMS data store (public by default) |
| Mar 31, 00:21 | Axios npm supply chain attack begins — RAT deployed via compromised maintainer account | Compromised npm access token (separate from Anthropic) |
| Mar 31, ~morning | Claude Code v2.1.88 source map discovered — full 512K-line codebase exposed | Source map file (cli.js.map, 57 MB) in npm package |
As one analysis noted: Anthropic built a subsystem (Undercover Mode) specifically to stop their AI from leaking internal codenames in git commits — then shipped the entire source code in a .map file, likely generated by their own build pipeline running Claude Code. The irony is structural.
What are the security implications?
The leak itself does not expose model weights, user data, or API keys. Claude Code is a client — the AI models run on Anthropic’s servers, and the client code without API access is inoperable. However, the exposed architecture creates specific risks:
Permission model reverse engineering. The 29,000-line Tool.ts file documents every permission gate, approval flow, and trust prompt in Claude Code. Attackers can now design malicious repositories that exploit the exact boundaries of the permission system — crafting scenarios where Claude Code executes dangerous operations that fall just inside the trust threshold.
Hook and MCP exploitation. The leaked orchestration logic for Hooks and MCP servers provides a roadmap for injecting malicious configurations into projects. A developer who clones a repository containing a crafted .claude/ directory could trigger background commands before seeing a trust prompt.
Axios dependency overlap. The concurrent Axios supply chain attack amplifies the risk. Developers who installed or updated any Node.js project during the 00:21–03:15 UTC window on March 31 could have both their AI tool’s architecture exposed (via the leak) and a RAT running on their machine (via Axios). The compound scenario — knowing how Claude Code authenticates while also having harvested a developer’s API keys — is the worst-case supply chain outcome.
Check your lockfiles for [email protected], [email protected], or plain-crypto-js. If found, assume full compromise: rotate all credentials, SSH keys, API tokens, and cloud access keys immediately. See our full Axios attack analysis for step-by-step remediation.
What features are coming to Claude Code?
The leaked codebase is significantly ahead of the public release. Most unreleased features are gated behind compile-time flags that are set to false in external builds — meaning they’re fully built but invisible to users. Here is what’s ready:
| Feature | Status | What It Does | Deep Dive |
|---|---|---|---|
| KAIROS | Feature-gated | Always-on daemon — watches project, logs observations, acts proactively under 15s budget | Full analysis → |
| autoDream | Feature-gated (toggle visible in /memory) |
Background memory consolidation — prunes, merges, resolves contradictions during idle time | Full analysis → |
| ULTRAPLAN | Feature-gated | Offloads planning to cloud container running Opus 4.6 with up to 30 minutes of compute | — |
| Coordinator Mode | Feature-gated | Multi-agent swarms — one Claude spawns and manages multiple worker agents in parallel | — |
| Buddy System | Feature-gated (April 1–7 teaser window) | Tamagotchi-style companion pet — 18 species, gacha, stats including CHAOS and SNARK | — |
| Undercover Mode | Active (internal use) | Scrubs AI identity from commit messages when contributing to public open-source repos | — |
| Voice Mode | Feature-gated | Voice interaction with Claude Code (flag: VOICE_MODE) |
— |
| Computer Use “Chicago” | Gated to Max/Pro | Screenshot capture, click/keyboard input, coordinate transformation via @ant/computer-use-mcp |
— |
What model versions are in the pipeline?
The source code confirms that Anthropic uses animal codenames for internal development and includes migration functions that trace the full release history. Confirmed mappings:
Fennec → Opus 4.6 (released Feb 6) and Sonnet 4.6 (released Feb 17). Capybara → Claude Mythos, a new tier above Opus currently in testing with a 29% false claims rate in v8. Numbat → an unreleased model still in pre-launch testing with no public details. Opus 4.7 and Sonnet 4.8 → referenced as forbidden version strings in Undercover Mode, confirming they exist as internal versions.
For the full breakdown of every codename, migration function, and internal quality metric, see our model roadmap analysis.
What should developers do now?
Immediate security check: Search all lockfiles for compromised Axios versions. Block outbound traffic to sfrclak.com. If affected, rotate every credential on the machine.
Harden your npm workflow: Use npm ci (not npm install) in CI/CD. Pin exact dependency versions. Consider switching to pnpm, which blocks postinstall hooks by default. Add .map files to your own .npmignore — if Anthropic can make this mistake, so can your team.
Design for persistent AI context: KAIROS previews where the industry is heading — proactive agents that maintain long-term memory. Clean project documentation, meaningful commit messages, and well-structured CLAUDE.md files will compound in value as AI agents become persistent collaborators rather than reactive tools.
Follow the research: The sleep-time compute paper (Lin et al., UC Berkeley/Letta, 2025) is the theoretical foundation behind autoDream. The patterns of offline pre-computation during idle time apply broadly to RAG systems, context engineering pipelines, and any machine learning application with persistent state.
The Claude Code leak revealed that the gap between public AI tools and what’s already built internally is enormous. KAIROS, ULTRAPLAN, multi-agent swarms, voice mode — all of this is compiled code sitting behind feature flags, waiting to ship. The question isn’t whether proactive AI agents are coming. It’s whether the software supply chain is secure enough to support them when they do.
FAQ
Was the Claude Code source code leak intentional?
No. The leak was caused by a misconfigured build pipeline that failed to exclude a source map file from the npm package. Source maps link minified code back to original source files and should never be included in production packages. Anthropic removed the package and deleted older versions after the discovery, but mirrors had already been created on GitHub.
Can I run my own Claude with the leaked code?
No. The leaked code is the TypeScript CLI client, not the AI model weights. Claude Code requires API access to Anthropic’s servers where the models run. The client code without API access is inoperable. The code is also proprietary — Anthropic’s license prohibits redistribution, and the company has already sued a third party (OpenCode) for using its internal APIs.
Is the Axios attack related to the Claude Code leak?
No causal connection has been established. The Axios attack appears to be an independent supply chain attack by an unknown threat actor. However, both events occurred on March 31, 2026, and the leaked Claude Code source code lists Axios as a direct dependency — creating a compound risk for developers who updated npm packages that day.
What are the most important unreleased features?
KAIROS (always-on daemon agent with proactive action and 15-second blocking budget), autoDream (background memory consolidation modeled on human REM sleep), ULTRAPLAN (30-minute remote planning in cloud containers running Opus 4.6), and Coordinator Mode (multi-agent swarm orchestration). All are fully built but gated behind compile-time flags set to false in external builds.
What model is coming after Opus 4.6?
The leaked code references both Opus 4.7 (incremental upgrade within the 4.x line) and Capybara/Mythos (a new tier above Opus entirely). Anthropic has confirmed Mythos is real and in testing with early-access customers. Internal benchmarks show a 29% false claims rate in its latest iteration, suggesting it’s powerful but not yet reliable enough for general release.
Has Anthropic responded to the leak?
Anthropic quickly removed the compromised npm package and deleted older versions from the registry. As of late March 2026, the company has not issued a detailed public statement about the source code leak specifically, though it confirmed the earlier Mythos CMS leak was real. The company’s Terms of Service, updated in February 2026, explicitly prohibit use of Claude through third-party harnesses.
Sources & Further Reading
- Shou, C. (2026, March 31). Claude code source code has been leaked via a map file in their npm registry. X. https://x.com/Fried_rice
- Kuberwastaken. (2026). Claude Code’s Source Code & Breakdown. GitHub. https://github.com/Kuberwastaken/claude-code
- Wiggers, K. (2026, March 31). Claude Code’s source code appears to have leaked. VentureBeat. https://venturebeat.com
- thehuman2ai. (2026). Claude Code source has been available for 13 months. https://thehuman2ai.com
- Naprys, E. (2026, March 31). Full source code for Anthropic’s Claude Code leaks. Cybernews. https://cybernews.com
- Socket Research Team. (2026). Supply chain attack on Axios. Socket. https://socket.dev
- StepSecurity. (2026). Axios compromised on npm. https://www.stepsecurity.io
- Huntress SOC. (2026). Supply-chain compromise of Axios npm package. https://www.huntress.com
- Lin, K. et al. (2025). Sleep-time compute: Beyond inference scaling at test-time. arXiv, 2504.13171. https://arxiv.org
- Anthropic. (2026). Models overview — Claude API Docs. https://platform.claude.com

[…] GitHub before Anthropic could react. If you want the full story of how the leak happened and what the Claude Code leak exposed overall, we covered that in a separate deep dive. This article zooms in on three specific subsystems that […]
[…] most lifeless. Claude Buddy changes that. It’s a fully-featured companion system embedded in Claude Code that watches your coding sessions, reacts through speech bubbles, and maintains a persistent […]
[…] AI agents in production, or reasoning about AI alignment. If you’ve read our coverage of the Claude Code source leak or the OpenAI Model Spec, you already know that the gap between how AI systems are supposed to […]
[…] Cherny, Head of Claude Code at Anthropic, announced on X that starting April 4, 2026 at 12 PM PT (9 PM CEST), Claude […]