    Claude Code’s Source Code Leaked Through npm. Here’s What Actually Happened.

    Sam Moore
    April 1, 2026

    At 4 AM on March 31, 2026, an Anthropic engineer pushed version 2.1.88 of the @anthropic-ai/claude-code npm package to the public registry. Bundled inside was a 59.8 MB source map file that pointed directly to a zip archive on Anthropic’s Cloudflare R2 storage bucket. That archive contained the full, unobfuscated TypeScript source code for Claude Code: 1,900 files, 512,000 lines, every system prompt, every tool definition, every unreleased feature.

    Twenty-three minutes later, security researcher Chaofan Shou downloaded it all and posted the link on X. His post hit 16 million views. By the time Anthropic’s team got to work that morning, the code had been forked over 41,000 times on GitHub. The internet had already won.

    This is Anthropic’s third leak in a week. And it’s the second time Claude Code specifically has been exposed by the same type of file.

    How a .map File Exposed Everything

    Source maps are debugging tools. When you bundle TypeScript into minified JavaScript for production, the output is unreadable to humans. A .map file acts as a decoder ring, mapping the compressed output back to the original source so developers can trace errors to the right line of code.

    The problem: Claude Code uses Bun’s bundler, and Bun generates source maps by default. Unless you explicitly turn them off or add *.map to your .npmignore file, those maps ship with your package. Somebody at Anthropic missed that step. The .map file went out, and it didn’t just contain line mappings. It referenced a full zip archive of the original TypeScript source hosted on Anthropic’s own cloud storage. Anyone who found the map file could download and decompress the entire codebase.
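    A pre-publish check of the kind this paragraph argues for, added here as an illustration and not code from Anthropic or the Bun project: it parses a v3 source map and reports whether it embeds original source (sourcesContent) or points at a remote location (an http(s) sourceRoot or source entry), and whether a .npmignore actually excludes .map files. The sample map and bucket URL are constructed placeholders, not artifacts from the incident.

```python
import json
import os
from urllib.parse import urlparse

# Constructed example of a v3 source map as a bundler might emit it. The
# bucket URL is a labelled placeholder, not the location from the incident.
SAMPLE_MAP = json.dumps({
    "version": 3,
    "sourceRoot": "https://placeholder-bucket.invalid/src.zip/",
    "sources": ["src/main.tsx", "src/tools/Bash.ts"],
    "sourcesContent": ["export const main = () => {};", None],
    "mappings": "AAAA",
})

def audit_source_map(text: str) -> dict:
    """Summarise what a .map would expose if it shipped in the tarball.

    Embedded sourcesContent is the original source verbatim; an http(s)
    sourceRoot or source entry tells anyone holding the map where to fetch it.
    """
    m = json.loads(text)
    sources = m.get("sources", [])
    contents = m.get("sourcesContent") or []
    embedded = sum(1 for c in contents if c)
    remote = [s for s in [m.get("sourceRoot", "")] + sources
              if urlparse(s).scheme in ("http", "https")]
    return {
        "sources": len(sources),
        "embedded_sources": embedded,
        "remote_references": remote,
        "leaks_source": embedded > 0 or bool(remote),
    }

def npmignore_excludes_maps(npmignore_text: str) -> bool:
    """True if a .npmignore has an uncommented rule dropping all .map files."""
    rules = {ln.strip() for ln in npmignore_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")}
    return bool(rules & {"*.map", "**/*.map"})

def audit_package_dir(pkg_dir: str) -> list:
    """Return (path, audit) for every .map under a directory about to be packed."""
    findings = []
    for dirpath, _, files in os.walk(pkg_dir):
        for name in files:
            if name.endswith(".map"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    findings.append((path, audit_source_map(fh.read())))
    return findings
```

    Running audit_package_dir against the directory npm pack would tar up, and failing the CI job when any finding has leaks_source set, is the durable version of the check described above.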

    There’s an interesting wrinkle here. Alex Kim, a developer who wrote one of the better technical breakdowns of the leak, pointed out that there’s an open Bun bug (oven-sh/bun#28001, filed March 11) where source maps get served in production mode even when Bun’s own documentation says they should be disabled. Anthropic acquired Bun at the end of last year. If that bug is the root cause, then Anthropic’s own toolchain shipped the defect that exposed their own product. That’s a painful kind of irony.

    This exact problem happened before. In February 2025, an early version of Claude Code was exposed through the same source map issue. Anthropic removed the package and deleted the map. The fix clearly didn’t stick.

    Three Leaks in Five Days

    The source code leak didn’t happen in a vacuum. Five days earlier, Fortune reported that Anthropic had left nearly 3,000 unpublished assets in a publicly accessible data store, including a draft blog post about a powerful new model called Claude Mythos (internal codename: Capybara). The CMS that hosts Anthropic’s blog apparently sets published assets to “public” by default, and someone didn’t change that setting. Security researchers Roy Paz and Alexandre Pauwels found the exposed cache independently.

    That CMS leak revealed that Capybara is a new model tier above Opus, that Anthropic considers it a “step change” in capabilities, and that the company is worried enough about its cybersecurity potential to restrict early access to cyber defense organizations.

    Then five days later, the Claude Code source code confirmed and expanded those details. Internal comments reference Capybara v8 with a 29-30% false claims rate, a regression from the 16.7% rate in v4. The code maps Fennec to Opus 4.6 and references an unreleased model called Numbat. For competitors, those internal metrics are worth more than the source code itself.

    Anthropic’s official response to The Register: “This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”

    What the Source Code Actually Revealed

    Claude Code looks simple from the outside. A CLI that lets you talk to Claude in your terminal. From the inside, it’s a 785KB main.tsx entry point, a custom React terminal renderer, 43+ tools, a multi-agent orchestration system, and a background memory engine.

    Community analysis identified 44 feature flags: 32 compile-time build flags and 10+ GrowthBook gradual-rollout gates. At least 20 capabilities are fully built but stripped from the public release. Here’s what stood out.

    KAIROS: An Always-On Background Agent

    Referenced over 150 times in the source, KAIROS (named after the Greek concept of “the right time”) is a persistent daemon mode. It doesn’t wait for you to type. It watches, logs, and proactively acts on things it notices. It keeps daily log files, can send push notifications to your device, and can subscribe to pull request activity.

    KAIROS gets its own exclusive tool set that regular Claude Code doesn’t have. It has a 15-second blocking budget before it auto-backgrounds itself so it doesn’t interrupt your workflow. This is a fundamentally different product from the reactive CLI that exists today.

    The Dream System

    Claude Code has a background memory consolidation engine called autoDream. It runs as a forked subagent with read-only access to your project. While you’re idle, it performs a four-step process: Orient, Gather, Consolidate, Prune. It merges scattered observations, removes contradictions, and converts vague notes into structured facts. When you come back, the agent’s context is clean.

    The naming is deliberate. Claude dreams while you sleep.

    ULTRAPLAN

    For complex tasks, Claude Code can offload a planning session to a remote Cloud Container Runtime running Opus 4.6, giving it up to 30 minutes to think. When you approve the result from your browser, a sentinel value called __ULTRAPLAN_TELEPORT_LOCAL__ sends it back to your local terminal.

    Buddy: A Tamagotchi for Your Terminal

    This one got the most attention on Hacker News. Claude Code contains a complete virtual pet system with 18 species, five rarity tiers (Common through Legendary), a 1% independent shiny chance, procedurally generated stats (DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK), and a soul description written by Claude on first hatch. Your pet’s species is deterministic, seeded from your user ID. The code references April 1-7, 2026, as a teaser window and May 2026 for the full launch.

    Someone at Anthropic is having a good time.

    Undercover Mode

    This is the detail that made everyone on Hacker News laugh, because the irony is almost too perfect.

    Anthropic employees use Claude Code on public open-source repositories. When they do, a system called Undercover Mode activates and injects instructions into the system prompt telling Claude to hide its identity. The prompt reads: “You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.”

    The rules prohibit Claude from mentioning internal model codenames, unreleased version numbers, the phrase “Claude Code,” or any indication that it’s an AI. No Co-Authored-By lines. No attribution.

    Anthropic built an entire subsystem to prevent their AI from accidentally leaking internal secrets. Then they leaked the entire source code, including the anti-leak system, through a misconfigured build file. The code even reveals the exact codenames Undercover Mode was designed to hide: Capybara, Tengu, Fennec, Numbat.

    The Fastest Fork in GitHub History

    Within hours of Chaofan Shou’s post, a Korean developer named Sigrid Jin (GitHub: instructkr) uploaded the full source to GitHub. Jin isn’t a random developer. The Wall Street Journal profiled him earlier in March as one of Claude Code’s most prolific power users, having consumed 25 billion tokens in a single year.

    His repo hit 50,000 stars in two hours, making it the fastest-starred repository in GitHub history. It was forked over 60,000 times overnight.

    Anthropic responded with DMCA takedown notices. GitHub complied and took down 438+ repositories containing the original TypeScript source. Jin, worried about legal exposure, did something clever. He sat down at 4 AM, used OpenAI’s Codex to rewrite the entire codebase from scratch in Python, and pushed it as “claw-code” before sunrise. Since the Python version contains none of the original TypeScript, the DMCA argument gets a lot harder to make.

    Then he started a Rust port.

    A separate developer named Kuberwastaken created an independent Rust reimplementation using a clean-room process, citing the precedent from Phoenix Technologies v. IBM (1984), where clean-room reverse engineering of a BIOS was held legal. The specification was written from a behavioral analysis; the implementation was built from the spec without referencing the original TypeScript.

    Meanwhile, someone mirrored the original code to Gitlawb, a decentralized git platform, with a single message: “Will never be taken down.”

    DMCA works against centralized platforms. GitHub has to comply. Decentralized infrastructure doesn’t have that single point of failure. The code is permanent. Anthropic cannot get it back.

    The Derivative Projects

    Jin’s claw-code and Kuberwastaken’s Rust rewrite were the highest-profile forks, but the leaked source spawned an entire ecosystem of derivative projects within 24 hours. Several of them take the original TypeScript in different directions:

    • claude-code-best/claude-code — The leaked TypeScript source with all type errors fixed so it actually compiles and runs via bun run dev. Actively maintained with continuous optimization.
    • paoloanzn/free-code — A buildable fork that strips all telemetry (OpenTelemetry, GrowthBook, Sentry, custom event logging), removes the injected security-prompt guardrails, and unlocks all 45+ experimental feature flags that are disabled in the public npm release.
    • NanmiCoder/claude-code-haha — A locally runnable version that supports swapping in any Anthropic-compatible API endpoint, including MiniMax and OpenRouter. Useful for developers who want to run the Claude Code harness against different models.
    • oboard/claude-code-rev — A restored source tree reconstructed from the source maps with compatibility shims for modules that couldn’t be fully recovered. Intended as a reference implementation rather than a production build.

    Anthropic has DMCA’d over 8,100 repositories as of April 1, but direct mirrors are only part of the picture. Clean-room rewrites, behavioral ports, and repos hosted on decentralized platforms remain untouched. The original TypeScript is the only thing Anthropic can legally target. Everything built from scratch using the leaked architecture as a reference sits in a gray zone that copyright law wasn’t designed to handle.

    The Misinformation Layer

    A tech YouTuber named Kevin Naughton Jr. posted on X claiming he’d been “fired from Anthropic today” for shipping the source maps. The post went viral. It described a plausible scenario where an engineer deliberately included source maps to improve debugging and accidentally exposed everything.

    It was completely fabricated. X’s community notes flagged the post: Naughton was never an Anthropic employee. His LinkedIn shows he’s been running his own startup, DevLaunch, for the past year. He used the leak for engagement farming and promoted his company in the replies.

    The post is worth mentioning because it became part of the story before anyone checked it. Several people (myself included, initially) treated the details as real context for how the leak happened. The actual mechanism remains simpler and less dramatic: a build configuration oversight, possibly caused by a known Bun bug, that Anthropic had already failed to permanently fix once before.

    What This Means for the AI Coding Tool Market

    Claude Code has a reported annualized recurring revenue of $2.5 billion, and enterprise adoption accounts for roughly 80% of Anthropic’s revenue. The leaked source code is effectively a blueprint for building a production-grade AI coding agent.

    The tool architecture, permission system, multi-agent orchestration patterns, and memory design are now public knowledge. Competitors like Cursor, Codex, and anyone building AI developer tools can study how Anthropic solved specific problems: context entropy in long sessions, tool permission gating, multi-agent coordination, and memory consolidation. The R&D advantage that came from being first to build these systems just evaporated.

    The feature flags are arguably more damaging than the architecture. KAIROS, ULTRAPLAN, and the Dream System represent Anthropic’s unreleased product roadmap. Competitors now know what’s coming and can race to ship similar features first.

    What to Do If You Use Claude Code

    If you installed or updated Claude Code via npm on March 31 between 00:21 and 03:29 UTC, you have a separate problem. A supply chain attack on the axios npm package (a Claude Code dependency) occurred hours before the leak. Malicious versions 1.14.1 and 0.30.4 contained a Remote Access Trojan. Check your lockfiles for these versions or the dependency plain-crypto-js. If found, treat the machine as compromised.

    For the source code leak itself, Anthropic recommends migrating to their native installer (curl -fsSL https://claude.ai/install.sh | bash) instead of npm. The native binary doesn’t rely on the npm dependency chain. If you’re staying on npm, make sure you’re not on version 2.1.88.
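    The lockfile check the two paragraphs above describe, written out here as an added example (not Anthropic’s tooling): it walks a package-lock.json and flags the two malicious axios versions, the plain-crypto-js dependency, and the 2.1.88 Claude Code release. The sample lockfile is constructed; every version in it other than those indicators is a placeholder.

```python
import json

# Indicators taken from the article: the two malicious axios releases, the
# dependency they introduced, and the Claude Code release that carried the map.
BAD_VERSIONS = {
    "axios": ({"1.14.1", "0.30.4"}, "malicious axios release (RAT)"),
    "@anthropic-ai/claude-code": ({"2.1.88"}, "release that shipped the source map"),
}
BAD_PACKAGES = {"plain-crypto-js": "dependency pulled in by malicious axios"}

# Constructed package-lock.json (lockfileVersion 3). Versions other than the
# indicators above are "0.0.0" placeholders, not real release numbers.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/axios/node_modules/plain-crypto-js": {"version": "0.0.0"},
        "node_modules/@anthropic-ai/claude-code": {"version": "0.0.0"},
    },
})

def _check(path, name, version, hits):
    versions, reason = BAD_VERSIONS.get(name, (set(), ""))
    if version in versions:
        hits.append((path, name, version, reason))
    if name in BAD_PACKAGES:
        hits.append((path, name, version, BAD_PACKAGES[name]))

def scan_lockfile(lock_text: str) -> list:
    """Return (path, name, version, reason) for each entry matching an indicator.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    falls back to the v1 nested "dependencies" tree.
    """
    lock = json.loads(lock_text)
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:
                continue  # the root project entry, not a dependency
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            _check(path, name, meta.get("version", ""), hits)
        return hits
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            _check(path, name, meta.get("version", ""), hits)
            walk(meta.get("dependencies", {}), path + "/")
    walk(lock.get("dependencies", {}), "")
    return hits
```

    A hit on axios or plain-crypto-js means the machine that ran npm install should be treated as compromised, as the text above says; a hit on 2.1.88 only means the install carried the leaked map and should be upgraded.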

    The exposed source doesn’t compromise your API keys or stored data. But the internal architecture of the permission system and security guardrails is now public, which means attackers can study exactly how to craft inputs that bypass Claude Code’s trust prompts. Be cautious running Claude Code in unfamiliar or recently cloned repositories until Anthropic ships hardened updates.

    The Uncomfortable Pattern

    Three leaks in five days from a company that has built its entire brand around safety and careful deployment. A CMS misconfiguration that exposed a draft blog post and 3,000 unpublished assets. A source map that shipped the full codebase to a public registry. The same type of source map leak that already happened once in February 2025.

    None of these were sophisticated attacks. They were configuration errors. The kind of thing a CI/CD check catches if you build one. The kind of thing that .npmignore prevents if someone maintains it. The kind of thing that doesn’t happen twice at the same company on the same product if the first incident produced a durable fix.

    Anthropic’s AI safety research is world-class. Their operational security, at least in March 2026, has not kept pace. The company that worries publicly about the existential risks of artificial intelligence keeps getting tripped up by .map files and CMS defaults.

    You can strap your baby into the tightest harness money can buy. Something always leaks through.
