Anthropic Leaked Claude Code's Source. Here's What Was Inside.
A missing .npmignore entry exposed 512,000 lines of Claude Code's source. The code reveals autonomous agents, anti-distillation tricks, and a company struggling to match its safety brand with operational reality.
A Bad Week Gets Worse
Anthropic had already fumbled once. Days earlier, nearly 3,000 internal files hit the open web, including details about an unreleased model codenamed "Mythos." Then on March 31, security researcher Chaofan Shou found something far more damaging: Claude Code's entire source code, sitting in plain sight on npm.
Version 2.1.88 shipped with an unobfuscated source map file. That file pointed to a zip archive on a publicly accessible Cloudflare R2 bucket. Inside: roughly 512,000 lines of TypeScript across 1,900 files. The complete agentic harness, unminified and readable.
The root cause was almost comically simple. A missing `.npmignore` entry, an open storage bucket, and an unfixed Bun runtime bug. Three small oversights chained together into a full exposure. As software engineer Gabriel Anhaia put it: "A single misconfigured .npmignore or files field in package.json can expose everything."
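An added example (not Anthropic's code and not part of the original article) of a pre-publish check for the failure described above. It scans the files that would go into the npm tarball for source maps and `sourceMappingURL` references, and goes slightly beyond the article's case by also flagging inline `data:` maps and remote map URLs. The function name `auditPackage` and the sample package contents are constructed for illustration.

```javascript
// Pre-publish audit: flag anything in the tarball that lets a reader recover
// the original sources. `files` maps tarball path -> file content; in a real
// pipeline the paths come from `npm pack --dry-run --json` and the contents
// are read from disk (assumption: this sketch takes them in memory).
const MAP_COMMENT = /\/[/*][#@]\s*sourceMappingURL=(\S+)/g;

function auditPackage(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      findings.push({ path, issue: "source-map-file" });
      // A map with sourcesContent carries the full original source inline.
      let map = null;
      try { map = JSON.parse(content); } catch { /* not JSON; already flagged */ }
      if (map && Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean)) {
        findings.push({ path, issue: "embedded-sources" });
      }
      continue;
    }
    if (!/\.(c|m)?js$/.test(path)) continue;
    // Shipped bundles should not advertise where their map lives.
    for (const m of content.matchAll(MAP_COMMENT)) {
      const target = m[1];
      const issue = target.startsWith("data:") ? "inline-source-map"
        : /^https?:\/\//.test(target) ? "remote-source-map-url"
        : "source-map-reference";
      findings.push({ path, issue, target: target.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample: a mis-packaged CLI and a clean one.
const SAMPLE = {
  "package.json": '{"name":"example-cli","version":"0.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3, file: "cli.js", sources: ["../src/main.ts"],
    sourcesContent: ["export const secret = 1;"], mappings: "AAAA",
  }),
};
const CLEAN = { "package.json": "{}", "cli.js": 'console.log("hi");\n' };

console.log(auditPackage(SAMPLE));
```

Run as a `prepublishOnly` step or in CI, a non-empty result should fail the release.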
What the Code Actually Shows
Forget the breach narrative for a moment. The real story is what Anthropic has been building behind closed doors.
KAIROS: The Agent That Never Sleeps
Referenced over 150 times in the source, KAIROS is an autonomous daemon mode. It runs in the background. It subscribes to GitHub webhooks. It has a `/dream` skill that consolidates memory while the user is idle, plus 5-minute cron cycles and autonomous sleep/resume patterns.
This is not a coding assistant. This is a digital colleague that watches your repo overnight.
44 Features Already Built
The code contains 44 feature flags across categories labeled MAJOR, IN-FLIGHT, INFRASTRUCTURE, and DEV TOOLING. These are not prototypes. They are complete features gated behind compile-to-false flags:
- Background agents running 24/7 with push notifications
- Multi-agent orchestration (one Claude directing multiple worker Claudes)
- Full voice command mode with its own CLI entrypoint
- Browser control via Playwright
- Persistent cross-session memory
- Cron scheduling with external webhook support
Anthropic has a two-week feature release cadence. These were ready and waiting.
The Anti-Distillation Playbook
Here is where things get uncomfortable. Claude Code sends `anti_distillation: ['fake_tools']` in API requests. This injects decoy tool definitions designed to poison training data if competitors try to distill Claude's behavior. It is gated by a GrowthBook flag called `tengu_anti_distill_fake_tool_injection`.
There is also "connector-text summarization" that adds cryptographic signatures between tool calls. Both defenses are easy to bypass with a proxy or environment variable. But the intent is clear: Anthropic actively tries to sabotage competitors who scrape their model's outputs.
Undercover Mode
A file called `undercover.ts` strips all traces of AI authorship in non-internal repositories. It tells the model to never mention internal codenames like "Capybara" or "Tengu," and never acknowledge it is an AI. There is no force-OFF mechanism. AI-authored open-source commits can show zero indication of automation.
For a company that talks constantly about AI transparency, this is a tough look.
The Numbers Behind the Curtain
The leak also exposed some unflattering internal metrics. Their Capybara v8 model (an internal Claude 4.6 variant) carries a 29-30% false claims rate. That is a regression from v4's 16.7%. Progress on capabilities does not always mean progress on reliability.
On the engineering side, `print.ts` spans 5,594 lines with a single 3,167-line function nested 12 levels deep. A bug causing 250,000 wasted API calls per day was fixed by adding a single constant: `MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3`. Every codebase has skeletons. These are Anthropic's.
Containment Was Never an Option
Chaofan Shou's discovery post hit 28.8 million views on X. The GitHub mirror racked up 84,000 stars and 41,500 forks. By the time Anthropic responded, the code had been torrented, mirrored to decentralized platforms, and rewritten in Python by a developer using a rival AI to dodge copyright claims.
DMCA takedowns were futile. This code is permanently public now.
The Safety Paradox
Anthropic has built its brand on being the "safety-first" AI lab. Two security lapses in one week undercut that message with exactly the audience it matters most to: enterprise customers, regulators, and investors.
Enterprise adoption accounts for 80% of Claude Code's revenue. Security researcher Roy Paz did not hold back: "Large companies have strict processes and multiple checks before code reaches production. At Anthropic, it seems that the process wasn't in place."
Some in the developer community called the whole thing clickbait. "Claude Code CLI has always been readable in the npm package," developer Skanda noted. Others floated the theory that it was a deliberate PR stunt, timed one day before a planned feature rollout and ten days after backlash over cease-and-desist letters to OpenCode.
The PR stunt theory is tempting but unlikely. Exposing a strategic roadmap and 44 unreleased features to competitors does real competitive damage. And for a company eyeing an IPO, "we shipped our source code to npm" is not the kind of headline you manufacture on purpose.
What This Means
The leak gives competitors a literal blueprint for building an agentic coding assistant: the harness architecture, multi-agent coordination patterns, memory systems, and feature roadmap. That advantage is gone now.
But the more interesting takeaway is what KAIROS and those 44 feature flags reveal about where AI development tools are heading. Always-on background agents. Autonomous error-fixing. AI that consolidates what it learned while you sleep. The future of coding assistants is not "a better autocomplete." It is a persistent digital teammate.
Anthropic was building that future. Now everyone knows exactly how.