On March 31, 2026, Anthropic accidentally shipped the entire source code of Claude Code inside a public npm package. Nobody hacked anything. The code was just there, sitting in plain sight, waiting to be found.
Security researcher Chaofan Shou appears to have spotted the exposure and told the world. Snapshots of Claude Code's source code were quickly backed up in a GitHub repository that has been forked more than 41,500 times, disseminating it to the masses.
The leaked codebase remains accessible via a public GitHub repository where it has surpassed 84,000 stars and 82,000 forks.
This is not a hypothetical risk. The code is out. Competitors, researchers, and developers worldwide have already read it, forked it, and started building with it. This article covers exactly what happened technically, what was inside the leak, and what the implications are for Anthropic, its competitors, and anyone using Claude Code today.
What Happened: The Technical Cause
How the leak occurred
The leak actually resulted from a reference to an unobfuscated TypeScript source in the map file included in Claude Code's npm package. Map files are used to connect bundled code back to the original source. That reference pointed to a zip archive hosted on Anthropic's Cloudflare R2 storage bucket that Shou and others were able to download and decompress.
In plain terms for non-developers
- When JavaScript code is built for production, it gets compressed and minified into a single unreadable file
- Developers keep a separate "source map" file that links the compressed code back to the original readable code
- Source maps are supposed to stay private or be excluded from public packages
- Anthropic accidentally included the source map in the public npm package
- The source map pointed to a zip file on their own cloud storage
- That zip file was publicly accessible
- Anyone who looked at the source map could download the entire codebase
The specific version affected
Version 2.1.88 of @anthropic-ai/claude-code shipped with a 59.8 MB JavaScript source map file, pointing directly to a publicly accessible zip archive sitting on Anthropic's own Cloudflare R2 storage bucket.
What Anthropic said
An Anthropic spokesperson confirmed: "Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again."
This has happened before
A nearly identical source-map leak occurred with an earlier version of Claude Code in February 2025, making this the second such incident in roughly 13 months.
The probable root cause
Anthropic acquired Bun at the end of last year, and Claude Code is built on top of it. A Bun bug, filed on March 11, reports that source maps are served in production mode even though Bun's own docs say they should be disabled. The issue is still open. If that's what caused the leak, then Anthropic's own toolchain shipped a known bug that exposed their own product's source code.
Suggested image: Screenshot of the original X post from Chaofan Shou showing the npm source map link, with the timestamp of March 31, 2026.
What Was Inside the Leak
The scale of the exposure
The file pointed to a zip archive on Anthropic's own cloud storage containing the full source code, with nearly 2,000 files and 500,000 lines of code. Within hours, the codebase was mirrored and dissected across GitHub, quickly amassing thousands of stars.
The architecture that was exposed
Users who have dug into the code have published details of:
- A self-healing memory architecture to overcome the model's fixed context window constraints
- A tools system to facilitate various capabilities like file read or bash execution
- A query engine to handle LLM API calls and orchestration
- Multi-agent orchestration to spawn subagents or swarms to carry out complex tasks
- A bidirectional communication layer that connects IDE extensions
The 44 hidden feature flags
Buried inside were 44 feature flags covering features that are fully built but not yet shipped. Not vaporware. Compiled code sitting behind flags that compile to false when Anthropic ships the external build.
KAIROS: the autonomous background agent
The leak pulls back the curtain on "KAIROS," the Ancient Greek concept of "at the right time," a feature flag mentioned over 150 times in the source. KAIROS represents a fundamental shift in user experience: an autonomous daemon mode. While current AI tools are largely reactive, KAIROS allows Claude Code to operate as an always-on background agent. It handles background sessions and employs a process called autoDream. In this mode, the agent performs "memory consolidation" while the user is idle. The autoDream logic merges disparate observations, removes logical contradictions, and converts vague insights into absolute facts.
The anti-distillation system
In claude.ts, there is a flag called ANTI_DISTILLATION_CC. When enabled, Claude Code sends anti_distillation with fake_tools in its API requests. This tells the server to silently inject decoy tool definitions into the system prompt. The idea: if someone is recording Claude Code's API traffic to train a competing model, the fake tools pollute that training data.
This is a direct defensive measure against competitors harvesting Claude Code interactions for model training. It was not publicly known before the leak.
The "Undercover Mode" that could not protect itself
There is an entire system called "Undercover Mode" specifically designed to prevent Anthropic's internal information from leaking. They built a whole subsystem to stop their AI from accidentally revealing internal codenames in git commits, and then shipped the entire source in a map file.
Evidence of a new unreleased model
The leaked code also provided further evidence that Anthropic has a new model with the internal name Capybara that the company is actively preparing to launch, according to Roy Paz, a senior AI security researcher at LayerX Security. Paz said it is likely that the company may release a fast and slow version of the new model based on the model's apparently larger context window, and that it will be the most advanced model on the market
This is Anthropic's second accidental exposure of Capybara. Five days earlier, on March 26, a CMS misconfiguration at Anthropic exposed roughly 3,000 internal files covering details on the unreleased "Claude Mythos" model, also attributed to human error.
The "Buddy" pet system
Claude Code has a full Tamagotchi-style companion pet system called "Buddy." A deterministic gacha system with species rarity, shiny variants, procedurally generated stats, and a soul description written by Claude on first hatch. The entire thing lives in buddy/ and is gated behind the BUDDY compile-time feature flag. Your buddy's species is determined by a Mulberry32 PRNG seeded from your userId hash.
This was not a planned public announcement. It is an unreleased internal feature.
The failure rate problem hidden in the code
A comment buried in the code reads: "BQ 2026-03-10: 1,279 sessions had 50 or more consecutive failures, up to 3,272, in a single session, wasting approximately 250,000 API calls per day globally."
This internal telemetry note reveals a significant reliability problem that Anthropic was quietly working on and had not disclosed publicly.
The Concurrent Security Crisis: The Axios Supply Chain Attack
The source code leak happened alongside a separate and more immediately dangerous security event.
What happened with axios
A concurrent, separate supply-chain attack on the axios npm package occurred hours before the leak. If you installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC, you may have inadvertently pulled in a malicious version of axios containing a Remote Access Trojan.
What to do if you updated Claude Code via npm during that window
- Search your project lockfiles including package-lock.json, yarn.lock, or bun.lockb for axios versions 1.14.1 or 0.30.4 or the dependency plain-crypto-js
- If found, treat the host machine as fully compromised, rotate all secrets, and perform a clean OS reinstallation
- Anthropic has designated the Native Installer using curl -fsSL as the recommended installation method because it uses a standalone binary that does not rely on the volatile npm dependency chain
The typosquatting attacks that followed
Attackers are already capitalising on the leak to typosquat internal npm package names in an attempt to target those who may be trying to compile the leaked Claude Code source code and stage dependency confusion attacks. Right now they are empty stubs, but that is how these attacks work: squat the name, wait for downloads, then push a malicious update that hits everyone who installed it.
The Business Implications for Anthropic
The revenue at stake
For Anthropic, a company currently riding a meteoric rise with a reported $19 billion annualised revenue run-rate as of March 2026, the leak is more than a security lapse. It is a strategic hemorrhage of intellectual property.t
Claude Code has seen massive adoption over the last year, and its run-rate revenue had swelled to more than $2.5 billion as of February 2026.
With enterprise adoption accounting for 80% of its revenue, the leak provides competitors from established giants to nimble rivals like Cursor a literal blueprint for how to build a high-agency, reliable, and commercially viable AI agent.
What competitors now have
The most significant takeaway for competitors lies in how Anthropic solved "context entropy," the tendency for AI agents to become confused or hallucinatory as long-running sessions grow in complexity.
The real damage is not the code. It is the feature flags. KAIROS, the anti-distillation mechanisms: these are product roadmap details that competitors can now see and react to. The code can be refactored. The strategic surprise cannot be un-leaked.
The second major leak in one week
Five days earlier, on March 26, a CMS misconfiguration at Anthropic exposed roughly 3,000 internal files including a draft blog post that detailed a powerful upcoming model that presents unprecedented cybersecurity risks.
Two significant accidental disclosures in less than a week at a company preparing to go public raises serious questions about release hygiene and operational security controls.
The legal response
Just ten days before this leak, Anthropic sent legal threats to OpenCode, forcing them to remove built-in Claude authentication because third-party tools were using Claude Code's internal APIs to access Opus at subscription rates instead of pay-per-token pricing.
Anthropic has now issued DMCA takedowns against repositories hosting the leaked source code. The original uploader of the Claude Code source to GitHub has repurposed his repo to host a Python feature port of Claude Code instead of Anthropic's directly exposed source, citing concerns that he could be held legally liable for hosting Anthropic's intellectual property.
The practical effect of the DMCA effort is limited. Outside developers have already reverse-engineered Claude Code, prompting a takedown notice from Anthropic. But the codebase has been mirrored too widely to contain.
What This Means for Claude Code Users Right Now
Your data is not at risk from the source code leak itself
Anthropic confirmed: "No sensitive customer data or credentials were involved or exposed."
The leak was of Anthropic's own proprietary code, not user data, credentials, or model weights.
The axios supply chain attack is the real user risk
If you updated Claude Code via npm between 00:21 and 03:29 UTC on March 31, 2026:
- Audit your dependencies immediately
- Check for axios versions 1.14.1 or 0.30.4
- Check for the dependency plain-crypto-js
- If found: rotate all credentials, treat the machine as compromised, reinstall the OS
- Switch to the native installer going forward
How to install Claude Code safely going forward
Switch from npm to the native installer:
curl -fsSL https://claude.ai/install.sh | bash
This uses a standalone binary with no npm dependency chain and is now Anthropic's officially recommended installation method.
What This Means for the Broader AI Industry
The competitive landscape shifts
The leak gives every competitor a free engineering education on how to build a production-grade AI coding agent and what tools to focus on. The bottom line: the leak will not sink Anthropic, but it gives every competitor a blueprint for how to build a commercially viable AI agent.
The roadmap is now public
Every feature Anthropic planned to announce over the next 12 months has now been pre-announced by accident. KAIROS daemon mode, the autoDream memory consolidation system, the anti-distillation fake tools injection, the Buddy companion system, the Capybara model references. Competitors can build toward these features in parallel rather than reacting after Anthropic ships them.
Operational security at AI labs is now a front-line concern
How AI companies lock down and secure their own systems is now just as important as how other organisations fend off hackers using these AI tools in their attacks. The same engineering practices that prevent competitors from stealing product roadmaps also prevent malicious actors from exploiting the same code paths.
Two accidental disclosures from Anthropic in five days is a pattern, not a coincidence. It suggests releasing process weaknesses that need systemic fixes rather than individual blame.
Frequently Asked Questions
Was the Claude Code source code leak a hack?
No. Anthropic confirmed the exposure was a packaging error, not a security breach or unauthorised access. A debugging artifact called a source map was accidentally included in the public npm package. The source map pointed to a zip file on Anthropic's own cloud storage that was publicly accessible. No system was compromised. The file was simply there.
What was exposed in the Claude Code leak?
Approximately 512,000 lines of TypeScript across nearly 2,000 files covering the full Claude Code CLI architecture. This included the tools system, multi-agent orchestration, memory management systems, telemetry, 44 feature flags for unreleased features, internal system prompts, anti-distillation mechanisms, and references to an unreleased model codenamed Capybara.
Was customer data exposed in the Claude Code leak?
No. Anthropic confirmed no sensitive customer data or credentials were involved or exposed. The leak was of Anthropic's proprietary source code, not user data.
What is the axios supply chain attack and should I be concerned?
A separate, concurrent attack on the axios npm package introduced a Remote Access Trojan into versions 1.14.1 and 0.30.4. Developers who installed or updated Claude Code via npm between 00:21 and 03:29 UTC on March 31, 2026 may have pulled the malicious version. Check your lockfiles for these versions or the dependency plain-crypto-js. If found, rotate all credentials and treat the machine as fully compromised.
Has Anthropic leaked Claude Code source code before?
Yes. A nearly identical source map leak involving an earlier version of Claude Code occurred in February 2025. The March 31, 2026 incident is the second such leak in approximately 13 months, which has raised questions about whether the root cause was properly addressed after the first incident.
What is KAIROS and why does it matter?
KAIROS is an internal feature flag name for an autonomous background agent mode in Claude Code. When active, it allows Claude Code to operate continuously even when the user is idle, running memory consolidation processes called autoDream that clean up context, remove contradictions, and prepare the agent for the user's return. It was not publicly announced. Competitors now have full implementation details.




