On the morning of March 31, 2026, Anthropic made a mistake that every developer dreads: they accidentally published their own proprietary source code to the public internet. A routine update to Claude Code, version 2.1.88, shipped with a debug file that should never have left the building. Within hours, nearly half a million lines of internal TypeScript had been downloaded, mirrored on GitHub, forked over 41,500 times, and were being dissected by thousands of developers worldwide. By the time Anthropic pulled the package, the damage was permanent. The internet had a copy.

This was not a hacker. There was no breach. It was a packaging error — the kind of human mistake that software teams warn against in onboarding docs. But for a company selling itself as the world's most safety-conscious AI lab, the timing could not have been worse. It was Anthropic's second accidental data exposure in less than a week.

How the Claude Code Source Code Leak Happened

The technical cause is straightforward, and that is what makes it embarrassing. Every modern JavaScript build process can optionally generate a source map file, a debug artifact that maps minified, bundled production code back to the original readable source. Source maps are invaluable during development and testing. They have no legitimate purpose in a production npm package shipped to end users, and including them is widely considered a basic packaging mistake.

Version 2.1.88 of the @anthropic-ai/claude-code npm package shipped with a 59.8MB .map file accidentally bundled inside. That source map contained a reference to a zip archive hosted on Anthropic's Cloudflare R2 storage bucket. The archive was publicly accessible. Anyone who followed the reference could download and decompress the full, unobfuscated TypeScript source code of Claude Code.

At 4:23 AM ET, Chaofan Shou, a security researcher and intern at Solayer Labs, discovered the exposure and posted about it on X with a direct download link. That post acted as a signal flare. Within hours, the full codebase had been mirrored to GitHub and was trending on Hacker News. Anthropic pulled the package, but that action changes nothing. The code was already everywhere.

Software engineer Gabriel Anhaia, who published a detailed post-mortem of the incident, summarized the lesson: "A single misconfigured .npmignore or files field in package.json can expose everything."

There is a second possible contributing factor that makes this more than simple carelessness. Anthropic acquired Bun, the JavaScript runtime and bundler used to build Claude Code, at the end of 2025. A bug filed in Bun's own issue tracker on March 11, 2026 — just twenty days before the leak — reports that source maps are being served in production mode even though Bun's documentation states they should be disabled. If that bug is what caused the file to be included, then Anthropic's own acquired toolchain contained a known, unfixed defect that ultimately exposed their own most important product's source code.

What the Leaked Code Contained

The scale of the exposure was significant. The leaked archive contained approximately 500,000 lines of TypeScript source code across roughly 1,900 files. This was not partial or outdated code. It was fresh, production-grade source representing the current internal state of Claude Code's architecture as of the day of the release.

At a high level, the leak exposed four major categories of information:

• The complete orchestration logic that governs how Claude Code interacts with file systems, shell commands, and external tools
• Internal system prompts that instruct the underlying model how to reason about and approach tasks
• 44 feature flags covering capabilities that are fully built but not yet enabled in the external release
• References to internal codenames, unreleased models, and infrastructure details including the internal project name "Tengu"

The 44 Hidden Features: A Roadmap Anthropic Never Meant to Publish

Perhaps the most commercially significant part of the leak is the feature flag inventory. Feature flags are a standard engineering technique: code for a new capability is written and compiled into the product, but a flag is set to false so the feature remains invisible to users until the team is ready to ship. The Claude Code source contained 44 such flags, with approximately 20 representing capabilities that have been fully built but never announced or released.

The confirmed unreleased capabilities identified from the leaked flags include:

• A session review system that allows Claude to analyze its own most recent session, identify what worked, and transfer those learnings into future conversations as structured memory
• A persistent background assistant that keeps Claude Code running and working through tasks even when the user is idle
• Remote control capabilities allowing users to direct Claude Code from a phone or secondary browser window
• A native client attestation system, referenced as NATIVE_CLIENT_ATTESTATION, tied to billing verification headers
• Multi-agent collaboration features enabling coordination between multiple Claude Code instances

This is not a vague leaked roadmap slide. It is compiled, working code, sitting behind flags set to false. Every item listed above is built and functional internally. The flags simply prevent external users from accessing it.

KAIROS: The Autonomous Daemon Nobody Knew About

Among all the discoveries in the leaked source, KAIROS attracted the most attention from the developer community. The name appears over 150 times throughout the codebase, derived from the Ancient Greek word for "at the right time," and it represents something that goes well beyond any of the 44 feature flags: a fundamental architectural shift in what Claude Code is designed to become.

KAIROS is an autonomous background daemon mode. Where current AI coding tools are largely reactive — you prompt, they respond — KAIROS is designed to run continuously in the background without requiring constant user interaction. When a user is idle, KAIROS enters a process the code refers to as autoDream. During autoDream, the agent performs memory consolidation: merging fragmented observations from past sessions, removing logical contradictions between stored facts, and converting loosely held inferences into structured, verified knowledge.

The practical implication is significant. An AI coding assistant that learns continuously in the background, refines its own memory while you sleep, and returns sharper the next morning is a categorically different product from a chat interface. It is an agent that persists. The name KAIROS suggests Anthropic has been planning this transition carefully, and building it quietly.

undercover.ts: The Hidden Mode That Hid Itself

One file in particular generated heated discussion on social media: undercover.ts. At roughly 90 lines, it implements a mode that strips all traces of Anthropic's internal identity when Claude Code is used in repositories outside Anthropic's own infrastructure.

When undercover mode is active, Claude Code is instructed to:

• Never mention internal codenames including "Capybara," "Tengu," or any internal project name
• Never reference internal Slack channels, internal repository names, or internal tooling
• Never identify itself using the phrase "Claude Code" when operating in external repositories

The mode can be forced on by setting the environment variable CLAUDE_CODE_UNDERCOVER=1, but there is no way to force it off. In the external build of Claude Code, the entire undercover module is dead-code-eliminated and compiled away entirely. Only the internal build retains it.

The most pointed observation from developer Alex Kim's deep-dive post was the implication for open source contributions: commits and pull requests made by Anthropic employees using Claude Code in public repositories would carry no indication that an AI assisted with the work. Whether this is standard competitive discretion or something that raises transparency questions is a matter of perspective, but the feature's existence was not previously known outside Anthropic.

The Security Angle: What the Leak Actually Enables

Anthropic confirmed that no customer data or credentials were included in the exposure. API keys, user account information, and model weights were not present. From a conventional data breach standpoint, the incident has limited direct harm to end users. However, cybersecurity professionals who reviewed the leaked code identified a more nuanced set of risks.

Because the source exposed the exact orchestration logic for Claude Code's Hooks and MCP server integrations, the practical security concern shifts from the leak itself to what it enables:

• Competitors now have a detailed blueprint for building a production-grade AI coding agent, including the specific permission and trust model architecture
• Researchers and bad actors can design malicious repositories specifically tailored to trigger Claude Code's trust prompts in unintended ways, using knowledge of the exact logic that governs those prompts
• The guardrail and permission layer architecture, which previously provided security through obscurity, is now fully transparent

VentureBeat's analysis added an important concurrent warning: on the same day as the Claude Code leak, a separate supply chain attack targeted the axios npm package, injecting a Remote Access Trojan into versions 1.14.1 and 0.30.4. If you installed or updated Claude Code via npm on March 31, 2026 between 00:21 and 03:29 UTC, you should immediately check your project lockfiles (package-lock.json, yarn.lock, or bun.lockb) for those specific versions or the dependency plain-crypto-js.

Context: Anthropic's Second Leak in One Week

The source code exposure did not happen in isolation. It is the second significant accidental disclosure by Anthropic in less than a week, and that pattern has not gone unnoticed.

Just days before the Claude Code leak, Fortune reported that Anthropic had inadvertently made close to 3,000 internal files publicly accessible. Among them was a draft blog post detailing a powerful upcoming model known internally as both "Mythos" and "Capybara." According to the leaked post, the model presents capabilities that raise unprecedented cybersecurity risks, a characterization significant enough to be included in internal planning documentation.

This is also not the first source code leak for Claude Code specifically. In February 2025, an early version of Claude Code exposed its source in a similar packaging error. Anthropic removed the code at the time. The March 2026 incident is the third significant accidental disclosure related to the same product family within approximately fourteen months.

Some observers on X speculated about whether these incidents could be intentional. Alex Kim's analysis addressed this directly, calling the theory unlikely while acknowledging: "it's a bad look either way." One widely-shared reply put it more bluntly: "accidentally shipping your source map to npm is the kind of mistake that sounds impossible until you remember that a significant portion of the codebase was probably written by the AI you are shipping."

Anthropic's Official Response

Anthropic confirmed the incident to multiple outlets and issued a consistent statement across all of them. A spokesperson told The Register, Axios, and others:

"Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again." Anthropic spokesperson

The statement is technically accurate but notably brief. It does not describe what the "measures" are, does not acknowledge the KAIROS discovery or the feature flag roadmap exposure, and does not address the Bun toolchain bug that may have contributed to the error.

What This Means for Developers Using Claude Code

If you use Claude Code in professional or production environments, the leak has several practical implications worth considering:

• The orchestration and guardrail logic that governs what Claude Code will and will not do is now publicly documented, which means your threat model for agentic AI tools in your codebase should be updated
• The KAIROS background daemon feature is built and apparently ready to ship — developers who rely on Claude Code having a defined session boundary should be aware that this architectural assumption may change
• The competitive landscape for AI coding tools has shifted: every competitor now has a production-grade reference implementation to study, which could accelerate the quality of rival products
• If you installed or updated Claude Code on March 31 during the window described above, verify your lockfile for the compromised axios versions

What This Means for the Broader AI Industry

The Claude Code leak is a useful case study in a tension that every AI company building on top of its own models faces. The code that orchestrates an AI coding agent — the system prompts, the tool-calling logic, the permission layer — is often where competitive differentiation actually lives. The underlying model weights are rarely what separates one product from another at the application layer. What separates them is the harness: the engineering decisions about how to prompt the model, constrain its behavior, chain its tool calls, and shape its memory.

That harness is now public for Claude Code. Axios's assessment was measured but clear: "The leak won't sink Anthropic, but it gives every competitor a free engineering education on how to build a production-grade AI coding agent and what tools to focus on."

For developers building their own tools on top of Claude Code or studying how production AI agents are architected, the leaked source is an extraordinarily detailed reference. For Anthropic, the cost is harder to quantify: not a breach, not a catastrophe, but a self-inflicted strategic disclosure of the exact engineering decisions that took years to make.

The Lesson for Every Engineering Team

Regardless of company size, the Claude Code leak offers a concrete checklist that every team shipping npm packages, Python packages, or any public artifacts should verify before the next release:

• Audit your .npmignore and the files field in package.json to explicitly control what ships in every release
• Confirm that source map generation is disabled in your production build configuration, not just assumed to be off
• If you use a third-party bundler or runtime, verify that it does not have open bugs affecting production artifact contents before adopting it for sensitive projects
• Add automated CI checks that scan published packages for unexpected file types, including .map, .ts, and debug artifacts, before they reach any public registry
• Treat every cloud storage bucket referenced from a public artifact as effectively public, even if no direct links are published

Anthropic's mistake was not exotic. It was the kind of error that documentation warns about and experienced developers nod along to in conference talks. What was unusual was the scale of what it exposed, and the fact that it happened to one of the most closely watched AI companies in the world, twice in one week.