Claude Code's Entire Source Code Leaked via npm. Here's What Was Inside.

At around 4:23 AM ET this morning, security researcher Chaofan Shou posted on X: “Claude code source code has been leaked via a map file in their npm registry!”

He wasn’t exaggerating. Version 2.1.88 of the @anthropic-ai/claude-code npm package shipped with a 59.8 MB JavaScript source map file (cli.js.map) that maps the minified production bundle back to the original TypeScript source. Anyone who ran npm pack or browsed the package contents on npmjs.com could see it. The map file also pointed to a zip archive hosted on Anthropic’s Cloudflare R2 storage bucket, which was publicly accessible.

Within hours, the extracted source was mirrored on GitHub and forked tens of thousands of times. Roughly 1,900 TypeScript files, 512,000 lines of code, 40+ built-in tools, and 44 feature flags for unshipped capabilities. All of it readable.

This is the second time it’s happened. The first was on Claude Code’s launch day in February 2025, when developer Daniel Nakov extracted and published the source from the same kind of source map. Anthropic removed that map file but apparently didn’t fix the underlying build configuration.

How a source map ends up in an npm package

Claude Code uses Bun as its bundler. Bun generates source maps by default unless you explicitly disable them. If the .npmignore or files field in package.json doesn’t exclude .map files, they ship with the package. As software engineer Gabriel Anhaia put it on DEV Community: “A single misconfigured .npmignore or files field in package.json can expose everything.”

There may also be a Bun-specific bug involved, though that hasn’t been confirmed.

What the source code revealed

Developers and security researchers have been picking through the codebase all day. Here are the most notable findings.

Dynamic system prompts, not a single prompt

Claude Code doesn’t operate from one static system prompt. It dynamically assembles dozens of prompt fragments depending on the operating mode (Plan, Explore, Delegate, Learning), active tools, spawned sub-agents, and session state. A SYSTEM_PROMPT_DYNAMIC_BOUNDARY marker splits the prompt for cache optimization. Researchers found 40+ prompt fragments and a version changelog spanning 51 iterations.

KAIROS: an always-on background agent

Named after the Greek concept of “the opportune moment,” KAIROS is a daemon mode that lets Claude Code run as a background agent even when you’re idle. It monitors activity, maintains daily logs, and can act proactively within a 15-second blocking budget. It comes with exclusive tools like PushNotification and SendUserFile, plus nightly memory distillation and 5-minute cron refreshes.

autoDream: memory consolidation

A background sub-agent that activates when three conditions align: 24+ hours have elapsed, 5+ sessions have completed, and a lock has been acquired. It runs through four phases (orient, gather signal, consolidate, prune) and maintains a roughly 25KB indexed memory system. It reconciles contradictions and promotes tentative observations to verified facts.

ULTRAPLAN: remote extended planning

Cloud container sessions running Opus 4.6 with 30-minute thinking budgets. The local CLI polls for results every 3 seconds. A sentinel value __ULTRAPLAN_TELEPORT_LOCAL__ sends the approved plan back to the local terminal. There’s a browser UI for reviewing and approving plans before they execute.

Undercover mode

This one drew the most attention. A 90-line implementation that activates when an Anthropic employee (identified as USER_TYPE === 'ant') contributes to public or open-source repositories. The system prompt tells the agent: “You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.”

It blocks mentions of codenames like “Capybara” or “Tengu,” internal Slack channels, and even “Claude Code” itself. There’s no force-OFF switch. The implication: AI-authored commits from Anthropic staff in public repos could ship without any disclosure that an AI wrote them.

This is the part people are angry about.

The Buddy system (a hidden AI pet)

A /buddy command for a Tamagotchi-style companion with 18 species (duck, dragon, axolotl, capybara, mushroom, ghost), rarity tiers up to 1% legendary, shiny variants, and procedurally generated stats via a Mulberry32 PRNG seeded per-user. Five stat categories: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK. Claude writes the pet a “soul description” on first hatch. According to the code, the teaser rollout was planned for April 1-7, with full launch in May.

Anti-distillation defenses

Two systems designed to protect against competitors training on captured API traffic:

Fake tool injection: A flag ANTI_DISTILLATION_CC tells the server to inject decoy tool definitions into the system prompt. If someone records API traffic to train a competing model, the fake tools pollute their training data.

Connector-text summarization: API responses are buffered, summarized, and cryptographically signed between tool calls, so recorded traffic captures summaries instead of full reasoning chains.

Frustration detection

Client attestation (DRM for API calls)

API requests include cch=268cb placeholders that Bun’s native HTTP stack (written in Zig) overwrites with cryptographic hashes before requests leave the process. This operates below the JavaScript runtime. It prevents third-party clients from spoofing Claude Code API requests. According to multiple sources, this is the technical backbone of Anthropic’s legal dispute with OpenCode.

Internal model codenames

The source references several internal codenames:

Capybara: Claude 4.6 variant (with tiers: capybara, capybara-fast, capybara-fast[1m])
Fennec: Opus 4.6
Numbat: Still in prelaunch testing
Tengu: Claude Code’s internal project name
Penguin Mode: Internal name for fast-mode

Performance data in the code showed Capybara’s false claims rate at 29-30%, up from 16.7% in earlier iterations.

Architecture details

Some technical details for the curious:

Built on Bun, not Node.js
Terminal UI uses React with Ink
Zod v4 for schema validation
Game-engine-style terminal rendering: Int32Array-backed ASCII pools, bitmask-encoded styles, and patch optimization claiming “~50x reduction in stringWidth calls”
A comment notes that 1,279 sessions experienced 50+ consecutive compaction failures, “wasting ~250K API calls/day globally”

Anthropic’s response

An Anthropic spokesperson issued a brief statement:

“Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach.”

They pledged preventative measures. Not much else was said publicly.

Wider context

This comes days after Fortune reported on March 26 that Anthropic had separately exposed close to 3,000 internal files, including draft documentation about an unreleased model known internally as “Mythos” or “Capybara” that was described as presenting “unprecedented cybersecurity risks.”

Separately, between 00:21 and 03:29 UTC today, a supply chain attack was identified affecting developers who installed or updated Claude Code via npm. Malicious versions of the axios package (1.14.1 or 0.30.4) contained a Remote Access Trojan. This appears to be opportunistic and unrelated to the source map leak, but the timing added to a chaotic morning.

What wasn’t exposed

To be clear about scope: the leak is the client-side CLI code, the agentic harness that wraps the language model. It does not include model weights, training data, training pipelines, API keys, customer data, or core AI infrastructure.

What this means for developers

The community reaction has been split. Some view the leak as a net positive for understanding how production AI agents are actually built. Others are focused on the undercover mode, which they see as deliberate deception in open-source contributions.

On Hacker News, the discussion thread drew hundreds of comments. AI security researcher Roy Paz warned the leak “possibly allows a competitor to reverse-engineer how Claude Code’s agentic harness works.”

For Claude Code users specifically, nothing in the leaked source suggests your data was compromised. The more practical concern is the supply chain attack targeting npm installations during the same window. If you installed or updated Claude Code via npm in the early hours of March 31, it’s worth auditing your axios dependency versions.

The codebase itself is a fascinating look at how much engineering goes into the layer between a language model and the developer’s terminal. 512,000 lines is a lot of code for what many people think of as “just a CLI wrapper.” The dynamic prompt assembly, multi-agent orchestration, permission systems, and telemetry reveal a product with significantly more complexity than the interface suggests.

Sources: