Anthropic Claude Code Source Code Leaked: 512,000 Lines Exposed — What Really Happened
What Happened: The Source Map That Started It All
The Claude Code leak was not sophisticated. Claude Code is built on Bun, which Anthropic acquired in late 2025. Bun generates source maps by default during builds. Someone on Anthropic's release team failed to add *.map to .npmignore, or to configure the files field in package.json to exclude debugging artifacts.
The result: @anthropic-ai/claude-code version 2.1.88 shipped with a cli.js.map file weighing 59.8 MB. That source map contained a sourcesContent JSON array holding every original TypeScript file — readable, commented, and complete. Extraction required no special tools: npm pack @anthropic-ai/claude-code@2.1.88, untar the archive, read the map.
A potentially related Bun bug filed on March 11, 2026 (oven-sh/bun#28001) reports source maps being served in production mode despite documentation stating they should be disabled. Anthropic's own recently acquired toolchain may have been a contributing factor.
Anthropic confirmed the incident publicly, stating that the exposure was a release packaging issue caused by human error, not a security breach,
and that no customer data or credentials were involved. The npm package was pulled within hours, and the company began filing DMCA takedowns against GitHub mirrors.
Timeline of the Leak
| Time (ET) | Event |
|---|---|
| Security researcher Chaofan Shou spots the exposed source map and posts a download link on X. The tweet would accumulate over 21 million views. | |
| The code is mirrored, dissected, and shared across developer communities. Clean-room rewrite efforts begin. | |
Korean developer Sigrid Jin publishes claw-code, a clean-room Python rewrite. It hits 50,000 GitHub stars in approximately two hours. |
|
| Morning | Anthropic pulls the npm package and issues a public statement attributing the leak to human error. |
| Afternoon | Anthropic begins filing DMCA takedowns against GitHub mirrors. Decentralized mirrors remain unreachable by DMCA. |
| By April 1 | Claw-code surpasses 55,800 stars and 58,200 forks. A Rust port begins on a separate branch. |
What the Community Found Inside
The technical discoveries inside the codebase read like a product roadmap Anthropic never intended to publish. The source contained 44 feature flags gating over 20 unshipped capabilities, internal model codenames, and architectural decisions that sparked both admiration and controversy across Hacker News, X, and developer forums worldwide.
KAIROS: The Autonomous Daemon
Referenced over 150 times in the source, KAIROS is an unreleased autonomous daemon mode in which Claude operates as a persistent, always-on background agent. It receives periodic <tick> prompts to decide whether to act proactively, maintains append-only daily log files, and subscribes to GitHub webhooks.
KAIROS includes a sub-feature called autoDream — a background memory consolidation process that runs as a forked subagent while the user is idle. The dream agent merges observations, removes contradictions, converts vague insights into absolute facts, and holds read-only bash access. A companion feature called ULTRAPLAN offloads complex planning to a remote cloud session running Opus 4.6 with up to 30 minutes of dedicated processing time.
Undercover Mode — The Most Controversial Discovery
The file undercover.ts, roughly 90 lines, injects a system prompt instructing Claude to never identify itself as an AI and to strip all Co-Authored-By attribution when contributing to external repositories. The mode activates for Anthropic employees and has no force-off switch — if the system is not confident it is operating in an internal repository, it stays undercover.
Defenders argued the mode primarily protects internal codenames from leaking into public codebases. Critics framed it as systematic deception embedded directly in open-source contribution workflows. The ethical debate was among the most active threads across developer communities following the leak.
Anti-Distillation Mechanisms
The ANTI_DISTILLATION_CC flag triggers injection of fake tool definitions into API requests, designed to corrupt the training data of competitors that record API traffic. A second mechanism summarizes assistant reasoning between tool calls using cryptographic signatures, so eavesdroppers capture only summaries rather than full chain-of-thought output.
Both mechanisms drew immediate commentary from the security community. Critics noted that stripping fields via a proxy or routing through a third-party API provider trivially defeats both approaches. One commenter noted that competitors might actually build working implementations of the fake tools.
Internal Model Codenames and Benchmarks
The source exposed a clear mapping of internal codenames to public models:
| Internal Codename | Public Model / Status |
|---|---|
| Capybara | Claude 4.6 (also tied to a new model tier larger than current Opus) |
| Fennec | Opus 4.6 |
| Numbat | Unreleased model |
Internal benchmarks revealed that Capybara v8 has a 29–30% false claims rate — a significant regression from 16.7% in v4. A bug fix comment exposed 250,000 wasted API calls per day from autocompact failures. The codebase also included a frustration detection system built on regex matching swear words, which drew widespread mockery: a multi-billion-dollar AI company using regular expressions for sentiment analysis.
The Mythos model — separately leaked five days earlier through a CMS misconfiguration — was further corroborated by model references inside the Claude Code codebase, adding credibility to reports that Anthropic is preparing a model significantly more capable than current Opus, with enhanced cybersecurity capabilities.
The Architecture: Genuine Respect from the Community
Beyond the controversial features, the core architecture received substantive praise from developers. Claude Code uses a modular system prompt with cache-aware boundaries, approximately 40 tools in a plugin architecture, a 46,000-line query engine, and React + Ink for terminal rendering using game-engine techniques. Multi-agent orchestration is embedded directly in a prompt rather than a framework — which drew comparisons to LangChain and LangGraph, with many commenters arguing the simpler approach was more effective.
A complete breakdown of the architecture's key components:
| Component | Details |
|---|---|
| Tool system | ~40 tools in a plugin architecture |
| Query engine | 46,000 lines |
| Terminal rendering | React + Ink, game-engine techniques |
| Security checks | 2,500 lines for bash validation |
| Context management | Four-stage pipeline |
| Multi-agent coordination | Embedded in system prompt (no framework) |
| Feature flags | 44 flags gating 20+ unshipped capabilities |
The Claw-Code Phenomenon
Korean developer Sigrid Jin — previously noted for consuming 25 billion Claude Code tokens in a year — woke at 4 AM to the news. Concerned about legal exposure from hosting proprietary code directly, Jin chose a clean-room approach: a Python rewrite using an AI workflow tool built on OpenAI's Codex. The resulting repository, instructkr/claw-code, captures architectural patterns without directly copying proprietary source.
The reception was unprecedented. Claw-code hit 50,000 GitHub stars in approximately two hours of publication — likely the fastest any repository has reached that milestone in the platform's history. By April 1, it had surpassed 55,800 stars and 58,200 forks. A Rust port was already underway on a separate branch.
The clean-room strategy created a novel legal puzzle. If Anthropic claims the AI-generated transformative rewrite infringes copyright, it could undermine their own defense in training-data copyright litigation — where Anthropic has argued that AI-generated outputs from copyrighted inputs constitute fair use. Legal observers noted Anthropic faces a genuine dilemma with no clean resolution.
Anthropic's DMCA campaign targets direct mirrors on major hosting platforms but cannot reach decentralized platforms or independent clean-room rewrites that avoid hosting the leaked source directly.
Security Implications Beyond the Source Code
The security story extends beyond intellectual property. The leak coincided with a separate, unrelated supply-chain attack on the axios npm package — malicious versions containing a Remote Access Trojan were published between 00:21 and 03:29 UTC on March 31, 2026. Anyone installing Claude Code via npm during that window could have been exposed to unrelated malware.
More broadly, readable source code substantially lowers the cost of finding vulnerabilities in Claude Code's permission system, bash validation layer, and context management pipeline. Multiple CVEs were already publicly documented prior to the leak:
| Vulnerability | CVSS Score |
|---|---|
| Code injection via untrusted directories | 8.7 |
| API key exfiltration from malicious repositories | 5.3 |
Security researchers noted that with full source access, both known and undiscovered vulnerabilities become significantly easier to identify and exploit. A senior AI security researcher at LayerX Security also raised concerns about how Claude Code connects to Anthropic's internal systems — noting that access to internal services that should require encrypted keys may be possible without them.
Context: Two Leaks in Five Days
The Claude Code source code exposure was not an isolated event. It was Anthropic's second major accidental disclosure in five days.
On March 26, 2026, a CMS misconfiguration made close to 3,000 files publicly accessible, including a draft blog post detailing a powerful upcoming model — internally called both "Mythos" and "Capybara" — described as presenting unprecedented cybersecurity risks and representing a new tier above current Opus models.
The compounding effect of back-to-back disclosures attracted significant media attention. Anthropic is a company that markets itself on a safety-first brand and reportedly generates approximately $2.5 billion in annualized revenue, with roughly 80% coming from enterprise customers. It is also reportedly preparing for an IPO. Enterprise customers partly pay for the expectation that their vendor's intellectual property is protected and that its security posture is mature.
The irony was widely noted: Anthropic built an Undercover Mode specifically to prevent internal information from leaking into external contexts, and then leaked everything through a build configuration oversight.
What This Means for the AI Coding Tool Ecosystem
The strategic damage from this leak likely exceeds the technical damage. Feature flag names, autonomous agent designs, anti-competitive countermeasures, and model codenames are product strategy signals that competitors can act on immediately. Code can be refactored in a week. A product roadmap cannot be un-leaked.
For the broader AI coding tool ecosystem, the leak accelerates a shift already underway. When orchestration architecture is no longer proprietary, differentiation moves entirely to model capability and user experience. The Claude Code permission system, sandboxing approach, and multi-agent coordination patterns are now the only fully documented production-grade implementation in the industry — and open-source projects like claw-code, Rust ports, and competing tools can now build on battle-tested patterns rather than guessing.
For comparison: Google's Gemini CLI and OpenAI's Codex CLI are already open source. Many in the developer community argued the Claude Code CLI should have been open source from the start — the models are the moat, not the shell around them. The leak may accelerate Anthropic toward that position.
The clean-room rewrite strategy pioneered by claw-code may also establish a legal template that reshapes how code intellectual property functions in the AI era — particularly if courts must rule on whether AI-assisted transformative rewrites of leaked proprietary code constitute independent works.
Frequently Asked Questions
- How did the Anthropic Claude Code source code leak happen?
-
The leak was caused by a missing
.npmignoreentry. Anthropic published npm package@anthropic-ai/claude-codeversion 2.1.88 with a 59.8 MB source map file included. That source map contained every original TypeScript file — 512,000 lines across roughly 1,900 files — in readable, unobfuscated form. A potentially related Bun build tool bug may have contributed. - What was exposed in the Claude Code source code leak?
- The leak exposed 44 feature flags, unreleased features including an autonomous daemon mode (KAIROS), an Undercover Mode for concealing AI identity in code commits, anti-distillation mechanisms targeting competitors, internal model codenames (Capybara, Fennec, Numbat), internal benchmark data showing regression in false claims rate, and the complete multi-agent architecture of Claude Code.
- Was any customer data exposed in the Claude Code leak?
- No. Anthropic confirmed that no sensitive customer data or credentials were involved or exposed. The leak was limited to internal source code and was described by the company as a release packaging issue caused by human error, not a security breach.
- What is claw-code and is it legal?
- Claw-code is a clean-room Python rewrite of Claude Code's architectural patterns, created by Korean developer Sigrid Jin. Because it is a clean-room rewrite — not a direct copy of the leaked source — it may fall outside DMCA reach. It became one of the fastest-growing GitHub repositories in history, reaching over 55,000 stars in approximately two hours of publication.
- Is this the first time Anthropic leaked Claude Code?
- No. An early version of Claude Code accidentally exposed its source code in a similar breach in February 2025. The March 2026 incident was far larger in scale and came just five days after Anthropic also leaked draft blog posts about an unreleased model codenamed Mythos — making it the company's second major accidental disclosure in a single week.
- What should Claude Code users do now?
- Users should update to the latest patched version of Claude Code and avoid any npm packages published between 00:21 and 03:29 UTC on March 31, 2026, when an unrelated supply-chain attack on the axios package was active. Security teams relying on Claude Code in enterprise environments should review their permission configurations and audit integration points with internal systems.
The Bottom Line
The Claude Code leak is unprecedented in scale for AI coding tools: 512,000 lines of production source from a tool at the center of billions in revenue, exposed by a single missing line in a configuration file. The technical revelations — autonomous dreaming agents, DRM-like client attestation, a multi-agent framework that fits inside a system prompt — are genuinely fascinating to developers.
But the lasting impact is strategic, not technical. Anthropic's product roadmap, internal benchmarks, anti-competitive countermeasures, and model codenames are now public knowledge. The clean-room rewrite strategy creates a legal template that could reshape how code intellectual property functions in the AI era. And the irony of a safety-focused lab leaking its own secrets twice in one week — through the very toolchain it acquired — may prove harder to recover from than any architectural exposure.
The code can be refactored. The trust deficit cannot.