HomeArtificial IntelligenceClaude Code Source Code Leaked — 7 Things We Learned

Claude Code Source Code Leaked — 7 Things We Learned

Last updated: March 2026

On March 31, 2026, security researcher Chaofan Shou discovered that Anthropic accidentally shipped a source map file inside the @anthropic-ai/claude-code npm package (version 2.1.88). The 57 MB file exposed the full TypeScript source code of Claude Code — roughly 1,900 files and 512,000+ lines — including unreleased features, internal codenames, system prompts, and a complete multi-agent orchestration system. This is the second time a source map leak has occurred with this package.

Claude Code Source Code Leak npm Security AI Coding Tools

What Happened? How Claude Code’s Source Was Exposed

When developers publish JavaScript or TypeScript packages to npm, the build process often generates source map files (.map files). These files exist for debugging — they map minified production code back to the original source. If a .map file accidentally ends up in a published npm package, anyone can read the full, unobfuscated source code.

That is exactly what happened. Version 2.1.88 of @anthropic-ai/claude-code shipped with a 57 MB source map file that pointed directly to a Cloudflare R2 storage bucket containing the complete source as a downloadable ZIP archive. Within hours, the code was mirrored across multiple GitHub repositories, de-minified, analyzed, and discussed on Hacker News, Reddit, and X. One backup repository alone surpassed 1,100 stars and 1,900 forks on the same day.

Crucially, this is the second time this has happened. A similar source map exposure was reportedly patched in early 2025 — making the recurrence particularly embarrassing for Anthropic, a company that positions itself as the safety-first AI lab.

⚠️ Important clarification

This leak exposed only the CLI client code — the terminal-side agent that developers install via npm. No model weights, no training data, no proprietary LLM architecture were compromised. Think of it as the steering wheel and dashboard being exposed, not the engine.

What Does the Leaked Codebase Reveal?

The exposed code goes far beyond what most developers expected from an AI coding assistant. Claude Code is not a simple chat wrapper around an API — it is a production-grade, heavily architected system built on Bun (not Node.js), using React with Ink for terminal rendering, with modular tool architecture and multi-agent orchestration.

Here are the numbers that stood out to the developer community:

Component Scale
Total TypeScript files~1,900
Lines of code512,000+
Built-in tools~40
Slash commands~50
Feature flags44 (20+ unreleased)
Query engine module46,000 lines
Base tool definition29,000 lines

What Are the 7 Biggest Reveals From the Leak?

1. Multi-Agent Orchestration (“Coordinator Mode”)

Claude Code includes a full multi-agent system in the coordinator/ directory, activated by setting CLAUDE_CODE_COORDINATOR_MODE=1. When enabled, Claude Code transforms from a single agent into a coordinator that can spawn, direct, and manage multiple worker agents in parallel — each with its own context and tool permissions. The community calls these sub-agents “swarms,” and the coordinator system prompt found in the code has been described as a masterclass in multi-agent design.

2. “Undercover Mode” — Hiding AI Authorship

Perhaps the most debated finding: a subsystem in utils/undercover.ts is designed specifically for situations where Anthropic employees use Claude Code to contribute to public open-source repositories. When active, it injects instructions into the system prompt telling Claude to avoid revealing that it is an AI — no “Claude Code” mentions, no AI-specific attribution, no internal codenames in commit messages or PR descriptions. Internal users are identified by USER_TYPE === 'ant'.

This has sparked significant debate. Critics argue it raises transparency concerns about undisclosed AI contributions to community-maintained projects. Others note it is standard practice for companies to keep internal tooling details private.

3. BUDDY — A Tamagotchi-Style AI Pet

One of the most surprising discoveries: a complete virtual pet system gated behind the BUDDY feature flag. Each user gets a deterministic pet “hatched” from their user ID hash using a Mulberry32 pseudo-random number generator. The system includes 18 species (duck, dragon, axolotl, capybara, mushroom, ghost, and more), rarity tiers from common to 1% legendary, shiny variants, cosmetics like hats, and five stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK. Claude generates a unique name and personality description on first hatch. Internal documents indicate a teaser rollout was planned for April 1–7, 2026, with full availability in May.

4. KAIROS — “Always-On Claude”

Codenamed KAIROS, this feature represents a persistent assistant mode where Claude keeps working across sessions. It stores memory logs in a private directory, performs nightly “dreaming” to consolidate and tidy up context, and can proactively initiate tasks. The code includes careful midnight boundary handling to ensure the dream consolidation process doesn’t break across day transitions — a level of engineering detail that suggests this feature was close to production readiness.

5. Internal Model Codenames

The source references a previously unknown model family codenamed “Capybara” with three tiers: capybara, capybara-fast, and capybara-fast[1m]. The codename “Tengu” appears hundreds of times as a prefix for feature flags and analytics events — almost certainly Claude Code’s internal project name. Other animal-based codenames are scattered throughout, indicating Anthropic’s internal model naming convention.

6. Full System Prompt Exposed

The complete system prompt that governs Claude Code’s behavior is included in the client-side code. This is notable because system prompts are typically treated as proprietary — they define how the model reasons about tasks, enforces safety limits, and handles edge cases. For security researchers and competitors, this provides a detailed map of how Anthropic structures its agent’s decision-making. For prompt engineers, it’s an invaluable reference for writing production-grade system prompts.

7. Frustration Telemetry

A detail that went viral: Claude Code’s telemetry system literally tracks when users swear at Claude (logged as a “frustration metric”) and how frequently users type “continue” — a proxy for how often Claude interrupts itself mid-response. This kind of behavioral analytics is standard in product development, but seeing it spelled out in code gave many developers pause about the depth of usage data being collected.

How Did the Leak Happen Technically?

The root cause is a build configuration oversight. Claude Code uses Bun’s bundler, which generates source maps by default unless explicitly disabled. Someone at Anthropic — or, ironically, Claude Code itself contributing to its own repository — failed to add *.map to the .npmignore file or configure the bundler to skip source map generation for production builds.

Bash
# What should have been in .npmignore:
*.map
src/

# Or in Bun build config:
Bun.build({
  sourcemap: "none"  // instead of default "external"
})

# How to check before publishing:
npm pack --dry-run | grep ".map"

The irony is hard to miss. Claude Code contains an entire “Undercover Mode” subsystem specifically designed to prevent internal information from leaking in commits — and then the entire source code shipped in a .map file that may have been published by Claude itself.

What Does This Mean for Security?

The leak does not expose user data, API keys, or model internals. However, it does reveal the complete permission enforcement logic, OAuth 2.0 authentication flows, the full tool-calling architecture, and every safety guardrail in the client. For a determined attacker, this is a detailed blueprint for identifying potential bypass vectors in Claude Code’s permission system.

For the broader developer community, this is a powerful reminder: source maps are source code. Any npm package that ships with .map files is effectively open-source, regardless of the maintainer’s intent. The npm pack --dry-run command should be part of every CI/CD pipeline publishing to npm.

The incident is also relevant in the context of AI agent security. As AI coding tools gain access to file systems, shell commands, and network resources, the security surface area of these tools becomes increasingly critical. Understanding how tools like Claude Code enforce permissions — now publicly visible — is valuable for any organization deploying AI-assisted development workflows.

What Has Anthropic Said?

As of publication, Anthropic has not issued an official public statement. The affected npm package version (2.1.88) has been pulled from the registry, but cached copies and GitHub mirrors remain widely available. Previous coverage of similar source map leaks suggests Anthropic will likely treat this as a packaging error rather than a security breach, since no model weights or user data were compromised.

Why This Matters for the AI Industry

Beyond the immediate drama, this leak provides a rare, unfiltered look at the engineering bar for production-grade AI coding tools. What the community discovered is that Claude Code is not a thin API wrapper — it is a 512,000-line system with multi-agent orchestration, IDE integration bridges, persistent memory, and dozens of unreleased features already built and gated behind compile-time flags.

For developers building MCP-based integrations or competing AI tools, the architectural patterns exposed — tool permission gating, sub-agent spawning, dream-based memory consolidation — represent a detailed reference implementation of where AI-assisted development is heading in 2026.

The 44 feature flags essentially serve as an unintentional product roadmap. Features like voice mode, proactive task initiation, and always-on assistance suggest Anthropic’s vision extends well beyond reactive coding help toward a persistent AI development partner that works alongside you — even when you’re away from the terminal.

FAQ

Was the Claude AI model itself leaked?

No. The leak exposed only the client-side CLI code (TypeScript) — the terminal agent that developers install via npm. No model weights, training data, or proprietary LLM architecture were compromised. The leaked code is essentially the interface layer, not the AI engine.

How did the Claude Code source code get exposed?

A source map file (.map) was accidentally included in version 2.1.88 of the @anthropic-ai/claude-code npm package. Source map files map minified code back to the original source for debugging, effectively exposing the entire readable codebase. This happened because Bun’s bundler generates source maps by default, and the build pipeline didn’t exclude them.

Is this the first time Claude Code’s source has leaked?

No, this is the second time. A similar source map exposure was discovered and patched in early 2025, making this recurrence a notable security oversight.

What is Claude Code’s “Undercover Mode”?

Undercover Mode is a subsystem that activates when Anthropic employees use Claude Code on public or open-source repositories. It instructs Claude to avoid revealing internal information — model codenames, internal project names, or any indication that the commits were written by an AI — in commit messages and pull requests.

What is the BUDDY feature found in the leak?

BUDDY is an unreleased Tamagotchi-style virtual pet system for Claude Code users. Each user’s pet is deterministically generated from their user ID, with 18 possible species, rarity tiers, and personality traits. A teaser rollout was reportedly planned for April 2026.

Should I be worried about my data if I use Claude Code?

There is no evidence that any user data was compromised in this leak. The exposed code is the client application logic, not server-side systems. However, the leak did reveal telemetry details, including what usage metrics are collected, which is worth reviewing if data privacy is a concern for your workflow.

What should npm package maintainers learn from this?

Always verify what files are included in your published packages by running npm pack --dry-run. Add *.map to your .npmignore file. If using Bun, explicitly set sourcemap: "none" in your production build config. Source maps are source code — treat them accordingly.

Sources & References

  1. Shou, C. (2026, March 31). Claude code source code has been leaked via a map file in their npm registry. X (formerly Twitter). https://x.com/shoucccc
  2. Kuberwastaken. (2026, March 31). Claude Code’s Source Code & Breakdown from a leaked map file in their NPM registry. GitHub. https://github.com/Kuberwastaken/claude-code
  3. Anhaia, G. (2026, March 31). Claude Code’s Entire Source Code Was Just Leaked via npm Source Maps — Here’s What’s Inside. DEV Community. https://dev.to/gabrielanhaia
  4. PiunikaWeb. (2026, March 31). Anthropic’s Claude Code source appears to have been leaked via npm registry map file. https://piunikaweb.com
  5. CyberSecurity News. (2026, March 31). Anthropic’s Claude Code Source Code Reportedly Leaked Via Their npm Registry. https://cybersecuritynews.com
  6. npm. (n.d.). @anthropic-ai/claude-code. npm Registry. https://www.npmjs.com/package/@anthropic-ai/claude-code
  7. Anthropic. (2026). Claude Code documentation. https://docs.anthropic.com
RELATED ARTICLES

3 COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular

Recent Comments