Claude Code Source Code Is Online: 512,000 Lines Exposed Due to npm Error

The news is confirmed: on March 31, 2026, the entire source code of Claude Code, Anthropic's flagship AI coding tool, ended up online due to a source map file accidentally included in the npm package. 512,000 lines of TypeScript, 1,900 files, and a series of embarrassing discoveries for a company that presents itself as the most security-conscious in the AI industry.

The most surprising part? This is the third time Anthropic has made the same mistake with source maps in the npm registry.

How It Happened: The 59.8 MB Source Map

At 4:23 AM (ET) on March 31, Chaofan Shou (@Fried_rice on X), a security researcher at Solayer Labs, discovered that version 2.1.88 of the @anthropic-ai/claude-code package on the npm registry contained a source map file (cli.js.map) weighing 59.8 MB.

.map files are normally used for debugging: they link compiled and minified code back to the original source. But this file pointed directly to a zip archive hosted on Anthropic's Cloudflare R2 storage, downloadable without any authentication.

What Was Exposed

The archive contained 1,900 TypeScript files with over 512,000 lines of code. This is not the AI model itself (no weights, no training data), but the entire CLI client layer that developers install and use daily.

The Most Significant Files

• QueryEngine.ts (46,000 lines) - The "brain" that manages all API calls to LLM models, streaming, caching, and orchestration
• Tool.ts (29,000 lines) - Defines the ecosystem of approximately 40 agentic tools (BashTool, FileReadTool, AgentTool, etc.)
• commands.ts - Coordinates over 85 slash commands
• undercover.ts (90 lines) - The "undercover" mode (details below)
• buddy/companion.ts - A virtual pet system hidden in the code

The Most Surprising Discoveries in the Code

Undercover Mode: AI Pretending to Be Human

The undercover.ts module is perhaps the most controversial discovery. When activated (via CLAUDE_CODE_UNDERCOVER=1), it instructs the model to remove every trace of its AI origin from Git commit messages in public repositories. Code names like "Capybara" or "Tengu", internal Slack channels, and even the phrase "Claude Code" are systematically stripped out.

KAIROS: The Unreleased Autonomous Agent

References scattered throughout the code reveal KAIROS, a not-yet-public autonomous agent mode that includes:

• /dream - A skill for "nightly memory distillation"
• autoDream - A "memory consolidation" process that runs when the user is idle, merging scattered observations, removing logical contradictions, and converting vague insights into concrete facts
• Append-only daily logs and GitHub webhook subscriptions
• Background worker daemon with refresh cycles every 5 minutes

Anti-Distillation: Defenses Against Competitors

The code reveals sophisticated anti-distillation mechanisms designed to prevent competitors from copying the model by intercepting API traffic:

• Fake Tools Injection - When the ANTI_DISTILLATION_CC flag is active, fake tool definitions are injected into system prompts, poisoning competitors' training data
• Summaries with cryptographic signatures - Text between tool calls is summarized with cryptographic signatures; anyone intercepting API traffic only captures summaries, not complete reasoning chains

Frustration Regex: Detecting Angry Users

The file userPromptKeywords.ts contains a regex that detects user frustration by looking for profanity and angry expressions. The irony was lost on no one: an AI company using regex instead of model inference for sentiment analysis. A pragmatic choice, however: fast, cheap, and with no latency.

Virtual Pet: The Hidden Tamagotchi

buddy/companion.ts implements a Tamagotchi-style virtual pet system with 18 species, rarity levels, "shiny" variants (1% probability), and RPG stats like "DEBUGGING" and "SNARK". Species names are encoded with String.fromCharCode() to evade automated code checks. Likely an easter egg from the development team.

Model Code Names

The leak confirms the internal model roadmap:

• Capybara = Claude 4.6 (premium variant above Opus)
• Fennec = Opus 4.6
• Numbat = model still in testing phase
• Tengu = code name for attestation features

Anthropic's Official Response

An Anthropic spokesperson told The Register:

"Today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We are implementing measures to prevent this from happening again."

Not the First Time: A Series of Incidents

This leak comes just days after another incident in which Anthropic had made public nearly 3,000 files, including a blog post draft describing a powerful upcoming model known internally as "Mythos" and "Capybara".

As reported by Fortune, this is the third time Anthropic has accidentally published source maps in npm packages, despite actively pursuing takedowns against reverse engineering attempts.

Impact and Spread

Within a few hours of the discovery:

• The code was replicated on GitHub with over 41,500 forks
• A mirror repository surpassed 5,000 stars in less than half an hour
• Developers from around the world began analyzing the code in real time
• A Rust port of the entire project was even created

Containment is now practically impossible.

Technical Details for Developers

The Claude Code Architecture

• Runtime: Bun (not Node.js)
• Terminal UI: React + Ink with game engine optimizations (ASCII pools based on Int32Array, styles encoded with bitmasks)
• Validation: Zod v4 for all tool inputs, API responses, and configurations
• Bash Security: 23 numbered security checks, including defenses against Zsh equals expansion and unicode zero-width injection
• Native client attestation: API requests include cryptographic hashes computed by Bun's native HTTP stack (written in Zig), essentially a DRM system for API calls

Code Quality Issues

The leak also revealed some less flattering aspects:

• print.ts contains 5,594 lines with a single function of 3,167 lines across 12 levels of nesting
• An auto-compaction bug was causing 250,000 wasted API calls per day globally (up to 3,272 consecutive failures in a single session)
• The codebase uses Axios for HTTP, a library that was previously compromised with remote access trojans on npm

Frequently Asked Questions (FAQ)

1. Was Claude's AI model exposed?

No. No model weights, training data, or core intelligence were exposed. The leak exclusively concerns the CLI client layer: the terminal tool that developers install and use locally.

2. Is user data at risk?

No, according to Anthropic. The official statement confirms that no sensitive customer data or credentials were involved. The leak concerns the application source code, not user data.

3. How was this possible?

A .map file included by mistake. Version 2.1.88 of the npm package contained a 59.8 MB source map file pointing to the source code archive on Anthropic's Cloudflare R2 storage, downloadable without authentication.

4. Why is this the third time?

The Bun bundler generates source maps by default. A documented bug (oven-sh/bun#28001) indicates that source maps are served in production despite the documentation saying otherwise. A single misconfigured .npmignore file or files field in package.json can expose everything.

5. What is Undercover mode?

A module that hides the AI origin of commits. When activated, it instructs the model to remove all references to Anthropic, model code names, and the phrase "Claude Code" from commit messages in public repositories. There is no way to forcibly disable it.

6. What is KAIROS?

An unreleased feature. KAIROS is an autonomous agent mode that includes memory consolidation during user inactivity, daily logs, and GitHub webhook integration. It represents the future roadmap of Claude Code.

7. Could Anthropic open source Claude Code after this leak?

Hard to say. The code is now public domain with over 41,500 forks on GitHub. Some in the community suggest Anthropic should embrace open source, but the company has historically pursued takedowns against reverse engineering.

Conclusions

This leak is a perfect paradox: the AI company that positions itself as the most security-conscious exposes its own source code for the third time with the exact same mistake.

• On the positive side: the code reveals a sophisticated architecture with advanced security mechanisms (23 Bash checks, native attestation, anti-distillation)
• On the negative side: a 3,167-line function, Undercover mode raising ethical questions, and the Capybara model's false claims rate in regression
• The lesson: one line in .npmignore would have prevented all of this. Three times over

Do you have questions about this leak or its implications for developers using Claude Code? Use the contact form below to write to me.

Sources

• Fortune - Anthropic leaks its own AI coding tool's source code
• The Register - Anthropic accidentally exposes Claude Code source code
• VentureBeat - Claude Code's source code appears to have leaked
• CyberNews - Massive Anthropic blunder: Claude Code source found exposed
• DEV Community - Here's What's Inside
• Alex Kim - Claude Code Source Leak: fake tools, frustration regexes, and more
• Red Hot Cyber - Il codice sorgente di Claude Code è online

Share

Rate this article Thanks for your rating!

✉