
Claude Code Source Code Leaked via npm: 512,000 Lines of Unreleased Features Exposed

Date: 2026.03.31
Author: Jim
Intelligence: AI Search Optimization, State of Search

Key Takeaways

  • Anthropic accidentally shipped a 59.8 MB source map file in Claude Code’s npm package, exposing 512,000+ lines of TypeScript across 1,900 files. This is the second time they’ve made this exact mistake.
  • The leaked code reveals unreleased features including KAIROS (an always-on autonomous agent mode), a multi-agent coordinator system, voice mode, and a companion creature called BUDDY with gacha mechanics.
  • Internal model codenames were confirmed: Fennec maps to Opus 4.6, Capybara is the new tier above Opus, and Numbat is still in testing.
  • 44 feature flags were found compiled to false in the external build, meaning these features are fully built and sitting behind toggles waiting to ship.

Claude Code’s Source Code Leaked Through an npm Source Map

Claude Code’s entire source code was exposed this morning through a source map file left in their npm package. Security researcher Chaofan Shou spotted it first and posted the finding on X around 4:23 AM ET. Within hours, the 512,000-line TypeScript codebase was mirrored on GitHub and being picked apart by thousands of developers.

The file was a 59.8 MB .map file included in version 2.1.88 of the @anthropic-ai/claude-code package on the public npm registry. Source maps are debugging files that map compiled code back to the original source. They’re supposed to be stripped before publishing. Anthropic didn’t strip them.

This is the second time this has happened. In February 2025, an earlier version of Claude Code had the same issue. Anthropic pulled the package and deleted the source map then. They apparently didn’t fix the root cause.

How It Happened

Claude Code is built with Bun’s bundler. Bun generates source maps by default unless you explicitly turn them off. If you also forget to add *.map to your .npmignore file, those maps get published with the package.

It’s a two-line fix. Add sourcemap: false to the Bun config or add *.map to .npmignore. The fact that this slipped through twice suggests there’s no automated check in their release pipeline for source map inclusion.
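
The automated release check that the paragraph above says was missing could look like the following; it is an added example, not Anthropic's code or code from the leak. The `{path, content}` entry shape, the function names and the sample package are assumptions; in a pipeline the file list would come from `npm pack --dry-run --json`.

```javascript
// Added example: pre-publish audit for source maps in an npm package.
// Entries are {path, content}; the names below are illustrative assumptions.
const MAP_COMMENT = /\/\/[#@] sourceMappingURL=(\S+)/;

// True if text is source-map JSON that embeds original source text.
function embedsSources(text) {
  try {
    const m = JSON.parse(text);
    return m !== null && typeof m === 'object' && typeof m.mappings === 'string' &&
      Array.isArray(m.sourcesContent) && m.sourcesContent.some((s) => typeof s === 'string' && s.length > 0);
  } catch { return false; }
}

function auditPackedFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      findings.push({ path, severity: embedsSources(content) ? 'block' : 'warn', reason: 'source map file' });
    } else if (embedsSources(content)) { // a map shipped under another extension
      findings.push({ path, severity: 'block', reason: 'source map content, renamed' });
    } else {
      const ref = MAP_COMMENT.exec(content);
      if (!ref) continue;
      const inline = /^data:application\/json[^,]*;base64,(.+)$/.exec(ref[1]);
      const decoded = inline ? Buffer.from(inline[1], 'base64').toString('utf8') : '';
      if (inline) {
        findings.push({ path, severity: embedsSources(decoded) ? 'block' : 'warn', reason: 'inline source map' });
      } else {
        findings.push({ path, severity: 'warn', reason: `references external map ${ref[1]}` });
      }
    }
  }
  return findings;
}

// A release gate fails the publish step when any finding is blocking.
const shouldFailRelease = (findings) => findings.some((f) => f.severity === 'block');

// Constructed sample package contents (not taken from any real package).
const sampleMap = JSON.stringify({ version: 3, file: 'cli.js', sources: ['../src/main.ts'],
  sourcesContent: ['export const hidden = 1;'], mappings: 'AAAA' });
const SAMPLE = [
  { path: 'package.json', content: '{"name":"demo-cli","version":"1.0.0"}' },
  { path: 'cli.js', content: 'console.log(1);\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: sampleMap },
  { path: 'lib/util.js', content: 'module.exports={};\n//# sourceMappingURL=data:application/json;base64,' +
    Buffer.from(sampleMap).toString('base64') + '\n' },
];
for (const f of auditPackedFiles(SAMPLE)) console.log(`${f.severity}\t${f.path}\t${f.reason}`);
```

A map without `sourcesContent` is reported as a warning rather than a blocker because it still discloses original file paths and symbol names, just not the source text itself.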

Anthropic’s official response: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach.”

Coming weeks after the Claude Mythos CMS leak, this is the second major Anthropic exposure in a month. The Mythos leak was a misconfigured content management system. This one is a misconfigured build pipeline. Different systems, same root cause: human error in deployment configuration.

What the Code Reveals: Architecture

The leaked codebase is roughly 1,900 TypeScript files containing around 40 built-in tools, 50+ slash commands, and a 46,000-line query engine that handles all LLM API calls, streaming, caching, and orchestration.

Claude Code runs on Bun (not Node.js) with a React/Ink terminal UI. The architecture is modular: each tool is a discrete, permission-gated plugin. File operations, bash execution, web fetch, LSP integration, notebook editing, and task management all live in separate tool modules.

The permission system uses an ML-based auto-approval classifier that assigns risk levels (LOW, MEDIUM, HIGH) to tool calls. Protected file lists prevent modifications to sensitive files like .gitconfig and .bashrc. Path traversal prevention is built in.

KAIROS: The Always-On Autonomous Agent

The most significant unreleased feature in the code is KAIROS, described in the source as “Always-On Claude.” It’s a persistent assistant mode that maintains append-only daily logs, operates with a 15-second blocking budget, and makes proactive decisions via tick prompts.

Current AI coding tools are reactive. You give them a task, they execute it. KAIROS flips that model. It runs as a background daemon, watching your project, and can take autonomous actions: monitoring PRs, pushing notifications, subscribing to repository events.

The code shows KAIROS-exclusive tools that don’t exist in the current public version: SendUserFile, PushNotification, and SubscribePR. These suggest a mode where Claude Code isn’t just responding to your commands but actively participating in your development workflow without being asked.

Multi-Agent Coordination

The coordinator mode transforms Claude Code from a single agent into an orchestrator that spawns and manages multiple worker agents running in parallel. Workers get isolated contexts and synchronize through XML-based task notification messages and shared scratchpad directories.

The coordinator system prompt, visible in the leaked code, reveals a detailed multi-agent design pattern: workers are async, launched concurrently whenever possible, and each has independent tool permissions.

This maps to a pattern where you could tell Claude Code to “refactor the authentication module, update the tests, and fix the CI pipeline” and it would spawn three parallel workers rather than doing each task sequentially.

The BUDDY Companion System

Buried in the code is a Tamagotchi-style companion system called BUDDY. It uses gacha mechanics with deterministic per-user species assignment based on a seeded PRNG (Mulberry32, seeded from user ID hash).

There are 18 species across rarity tiers: Common (60%), Uncommon (25%), Rare (10%), Epic (4%), Legendary (1%), plus an independent 1% shiny variant chance. Each creature has procedurally generated stats in categories like DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK, with eye styles, hat options, and Claude-generated personality descriptions.

It’s a fun detail that signals Anthropic is thinking about developer engagement beyond pure utility. Whether it ships is another question.

44 Feature Flags and What They Tell Us

The codebase contains 44 compile-time feature flags that are set to false in the external build. These are fully built features sitting behind toggles. When Anthropic flips the flag and ships a new version, the feature goes live.

Notable flags include PROACTIVE and KAIROS (autonomous mode), COORDINATOR_MODE (multi-agent), BUDDY (companion), BRIDGE_MODE (remote claude.ai integration), VOICE_MODE (voice input), and DAEMON (background service).

There’s also ULTRAPLAN, which the code describes as a remote 30-minute planning session that runs on Opus 4.6 in a cloud container with a browser-based approval UI. The feature includes a mechanism called “teleportation” that sends the planning result back to your local instance.

Model Codenames Confirmed

The leaked code confirms Anthropic’s internal animal-based model naming: Fennec (a fox) maps to Opus 4.6, Capybara is the new tier above Opus (which lines up with the Mythos leak from last week), and Numbat is still in testing.

The code also references “Penguin Mode,” which maps to the fast/speed mode with a dedicated API endpoint and config keys. An internal kill-switch is named tengu_penguins_off, with Tengu being Claude Code’s own internal project codename.

Undercover Mode: Hiding Internal Information

One of the more interesting discoveries is Undercover Mode. When Anthropic employees use Claude Code on public repositories, the system injects additional instructions into the system prompt that prevent the model from disclosing internal codenames, unreleased version numbers (like opus-4-7), internal repo names, Slack channels, and short links.

It activates automatically unless the repository matches an internal allowlist, and there’s no way to force it off. The irony of building a system to prevent leaks while accidentally leaking the system itself is hard to miss.

What This Means for the AI Tools Market

The leaked architecture gives a clear picture of where AI coding tools are headed. The shift from reactive single-agent tools to always-on, multi-agent systems that proactively participate in development workflows is the next phase.

If KAIROS ships, it changes the relationship between developer and AI tool. Instead of asking Claude Code to do something, it would be watching your project and acting on its own judgment within defined boundaries. That’s a fundamentally different product than what exists today.

For businesses evaluating AI development tools, this leak is actually useful. You can see exactly what Anthropic is building next, how far along they are (these features are compiled and gated, not prototypes), and what the competitive landscape for AI-assisted development will look like in 6-12 months.

For Anthropic, this is the third significant leak in 2026 (Mythos CMS misconfiguration, the Claude Code source map, and arguably the repeated nature of the source map issue). A company that positions itself on safety and careful deployment keeps tripping over basic infrastructure configuration. The features they’re building are impressive. The packaging pipeline that ships them needs work.

Frequently Asked Questions

Was any customer data exposed?

No. Anthropic confirmed that no customer data or credentials were included in the leak. The exposure was limited to Claude Code’s application source code, internal feature flags, system prompts, and architecture details.

What is a source map and how did this happen?

A source map is a debugging file that maps compiled/minified code back to the original source code. Developers use them during development to trace errors back to the original files. They’re supposed to be excluded from production releases. Claude Code uses Bun’s bundler, which generates source maps by default. The .map file wasn’t excluded from the npm package, making the full source code readable.

Has this happened before?

Yes. The same thing happened with an earlier Claude Code version in February 2025. Anthropic removed the package and deleted the source map at that time but didn’t add a permanent fix to their build pipeline to prevent it from happening again.

When will the unreleased features like KAIROS ship?

No timeline has been announced. The features are fully compiled and sitting behind feature flags, which means they could ship at any time. Given that the leak exposed these features prematurely, Anthropic may adjust their rollout plans. The multi-agent coordinator mode and KAIROS autonomous agent represent the most significant upcoming changes to how Claude Code works.
