
The Claude Code Source Map Leak

A missing line in .npmignore published 512K lines of TypeScript, 44 feature flags, an autonomous daemon called KAIROS, and Undercover Mode.

Problem: On March 31, 2026, version 2.1.88 of the @anthropic-ai/claude-code npm package went out with a 59.8 MB file called cli.js.map. Bun had generated it during the build. Nobody had told .npmignore to skip *.map, so the map traveled with the tarball. That one omission shipped the whole Claude Code codebase to anyone who ran npm install: roughly 1,900 TypeScript files, 512,000+ lines, 44 feature flags hidden behind GrowthBook, a background daemon called KAIROS, and a stealth mode for Anthropic employees working on public repos. Accidental disclosures in AI tooling do not get bigger than this.

What it means for you: Two audiences care. If Claude Code is your daily driver, the leak is a preview of what Anthropic has built but not shipped yet, and a look at the guts of the thing you already use. If you build with AI tools more broadly, the dump is a rare peek at a product doing $2.5 billion ARR: how it is wired, how it defends itself, and how the same team that ships that architecture still forgets a one-line ignore rule.

The discovery goes to Chaofan Shou (@shoucccc on X), a Solayer Labs intern working in security research. He noticed the 59.8 MB cli.js.map riding inside version 2.1.88, grabbed it, and posted the download link around 4:23 AM ET. From there the post did numbers. Views landed somewhere between 16 and 21 million.

The cause is boring. Claude Code's build process runs on Bun. Bun emits source maps by default. All it takes to stop that from reaching npm is a *.map entry in .npmignore. That line was never there.
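The pre-publish check that would have caught this, written here as an added example rather than anything from Anthropic's build tooling: it builds a constructed sample package (a `dist/cli.js` plus the `cli.js.map` a Bun build emits), packs it the way npm lays a tarball out, and then lists every `.map` member in the result, once without a `*.map` line in `.npmignore` and once with it. The ignore matching is an approximation of npm's gitignore-style rules (fnmatch on the relative path and on the basename), which is enough to show the one-line fix doing its job.

```python
"""Pre-publish check: does the tarball npm would publish contain source maps?

Added example, not code from the Claude Code repository. The package layout,
the .npmignore contents and the function names are constructed for the demo.
"""
import fnmatch
import os
import tarfile
import tempfile


def parse_npmignore(text):
    """Return the non-empty, non-comment patterns from an .npmignore file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def is_ignored(path, patterns):
    """Approximate npm/gitignore matching: a pattern hits the full relative
    path or its basename, so "*.map" also covers dist/cli.js.map."""
    base = os.path.basename(path)
    return any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(base, p)
               for p in patterns)


def pack(pkg_dir, tarball, ignore_patterns):
    """Build a tarball the way npm lays it out (everything under "package/"),
    skipping files matched by ignore_patterns. Returns the packed paths."""
    packed = []
    with tarfile.open(tarball, "w:gz") as tf:
        for root, _dirs, files in os.walk(pkg_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, pkg_dir)
                if rel == ".npmignore":          # npm never ships the ignore file itself
                    continue
                if is_ignored(rel, ignore_patterns):
                    continue
                tf.add(full, arcname="package/" + rel)
                packed.append(rel)
    return packed


def source_maps_in_tarball(tarball):
    """The actual check: list every *.map member inside a packed tarball."""
    with tarfile.open(tarball, "r:gz") as tf:
        return sorted(m.name for m in tf.getmembers()
                      if m.isfile() and m.name.endswith(".map"))


def build_sample_package(workdir, npmignore_text):
    """Constructed sample: a build output with cli.js plus its Bun-style map."""
    pkg = os.path.join(workdir, "pkg")
    os.makedirs(os.path.join(pkg, "dist"), exist_ok=True)
    with open(os.path.join(pkg, "package.json"), "w") as f:
        f.write('{"name": "sample-cli", "version": "0.0.0"}\n')
    with open(os.path.join(pkg, "dist", "cli.js"), "w") as f:
        f.write("console.log('hi');\n//# sourceMappingURL=cli.js.map\n")
    with open(os.path.join(pkg, "dist", "cli.js.map"), "w") as f:
        # sourcesContent is what carries the original TypeScript in a real map
        f.write('{"version":3,"sources":["src/main.tsx"],"sourcesContent":["..."]}\n')
    with open(os.path.join(pkg, ".npmignore"), "w") as f:
        f.write(npmignore_text)
    return pkg


def simulate_publish(npmignore_text):
    """Pack the sample with the given .npmignore and return the maps that leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_package(tmp, npmignore_text)
        with open(os.path.join(pkg, ".npmignore")) as f:
            patterns = parse_npmignore(f.read())
        tarball = os.path.join(tmp, "sample-cli-0.0.0.tgz")
        pack(pkg, tarball, patterns)
        return source_maps_in_tarball(tarball)


if __name__ == "__main__":
    print("without *.map:", simulate_publish("node_modules\n"))
    print("with    *.map:", simulate_publish("node_modules\n*.map\n"))
```

In a real pipeline the equivalent is `npm pack --dry-run` followed by a grep for `.map` in the file list, run as a CI gate before `npm publish`; the point of `source_maps_in_tarball` is that it inspects the artifact that will actually be uploaded rather than trusting the ignore file.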

Boris Cherny, who leads Claude Code at Anthropic, called it a "plain developer error." He also dropped a line that says plenty about how the team operates: "100% of my contributions to Claude Code were written by Claude Code."

And this was not the first rodeo. A similar leak hit in February 2025, which makes March 2026 at least the second time in thirteen months. It also landed only five days after the "Mythos" model spec leak, where a CMS misconfig exposed about 3,000 internal files, including draft blog posts about models Anthropic had not yet announced.

Two leaks, one week. For a lab that sells itself on safety first, the optics were bad. And anyone still asking whether Claude Code is open source now has a messier answer than before.

What Was Actually Inside the Map File

Decompressed, the source map reconstructs roughly 1,900 TypeScript files. The scale shakes out like this:

Metric                           Value
Total source files               ~1,900 TypeScript files
Total lines of code              512,000+
Main entry point                 785KB (main.tsx)
Registered tools                 40+
Hidden feature flags             44, covering 20+ unshipped features
Context compaction strategies    5 distinct approaches
Event hooks                      25+ hook system

Under the hood sits a custom terminal renderer built on React and Ink, tuned with the kind of frame-budget tricks you would expect from a game engine. The query engine alone is 46,000 lines. The base tool definition is 29,000 lines. Anybody who has felt Claude Code juggle a long session has been feeling those five context compaction strategies at work without knowing they existed.

Three subagent execution models turn up in the code: Fork, Teammate, and Worktree. For anyone who has been reading our sub-agent notes, that confirms the pattern from the outside. The new detail is that Claude Code reaches for three different delegation strategies depending on how hard the task is.

Prompt caching ships with 14 cache-break vectors. That means the system is watching 14 separate conditions that could knock the cache invalid. On the shell side, bashSecurity.ts runs 23 numbered checks every time Claude wants to execute a command. Our permission management guide covers how those gates feel in practice.

Undercover Mode

The finding that sparked the loudest argument lives in undercover.ts, roughly 90 lines. Undercover Mode switches on when an Anthropic employee (USER_TYPE === 'ant') uses Claude Code on a repo that is not internal.

When it fires, it injects this system prompt:

You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository.
Your commit messages, PR titles, and PR bodies MUST NOT contain
ANY Anthropic-internal information. Do not blow your cover.

While it is running, the mode does this:

  • Strips all Co-Authored-By attribution from commits, erasing the fingerprint that Claude Code touched the code
  • Forbids mentioning internal codenames, Slack channels, internal repo names, or the phrase "Claude Code" itself
  • Blocks references to unreleased models such as Opus 4.7 and Sonnet 4.8 (codenames below)
  • Ships with no force-OFF switch for external users

For regular builds, none of that matters. The entire undercover function gets dead-code-eliminated before it reaches npm. External users will never see it run. What it raises is a real question about AI companies contributing to open-source projects without saying so.

A Hacker News commenter summed up the vibe: the Buddy system is "adorable" and Undercover Mode is "unethical." Whether you read it as corporate stealth or as basic information security depends on your angle. The technical story is simple. Anthropic employees use Claude Code on public repos, and this mode keeps internal details from slipping into commit metadata. The ethical story is messier: AI-generated code lands in open-source projects with no attribution to the model or the lab.

The irony was not lost on anyone. Undercover Mode exists to stop internal secrets from slipping out through code contributions. Then the entire codebase slipped out through a single forgotten line in a packaging config.

KAIROS, the Background Daemon in Waiting

KAIROS shows up in the source over 150 times. The name comes from Ancient Greek for "the right moment," meaning the opportune time to act. In the code, it maps to a fully built but unshipped autonomous daemon mode for Claude Code.

Here is what the files describe:

  • Autonomous operation: KAIROS takes periodic <tick> prompts and decides on its own whether to do anything
  • Persistence: Keeps running after your laptop closes and carries session state across restarts
  • 15-second blocking budget: Stops any one decision cycle from hogging the machine
  • Append-only logging: Daily log files the agent cannot erase, which gives you a clean audit trail of everything it did
  • Three exclusive tools: Push notifications, file delivery, and PR subscriptions. None of them are reachable from a standard Claude Code session
  • GitHub webhook subscriptions: Watches your repos for events without waiting on you to poke it

KAIROS is the step after what we currently call autonomous agent loops. A normal Claude Code session needs you sitting there approving things. KAIROS would sit in the background forever, watching your repositories, and acting when it decides the moment is right.

The name choice was intentional. In Greek rhetoric, kairos is about recognizing the right moment, as opposed to chronos, which is clock time. KAIROS is not cron. It decides for itself when to engage based on what it sees.

The feature is still gated behind flags, and no launch date has been hinted at. But 150+ references is not a sketch. It is a finished piece of software sitting behind a switch.

AutoDream: Claude Literally Sleeps On It

Inside services/autoDream/ sits a memory consolidation routine that runs while Claude is idle. During that idle window, Claude "dreams" in a fairly literal sense. Accumulated session knowledge gets reorganized and compressed.

Three gates have to line up before the dream cycle runs:

  1. At least 24 hours since the last dream cycle
  2. At least 5 sessions completed since the last consolidation
  3. A consolidation lock (which blocks two dream processes from running at once)

Once all three are true, the cycle runs in four phases:

  1. Orient: Look at the current memory state and figure out what needs work
  2. Gather Recent Signal: Pull insights out of recent sessions
  3. Consolidate: Fold new knowledge into existing memory
  4. Prune and Index: Cut duplicates and keep MEMORY.md under 200 lines / roughly 25KB

If you have been using Claude Code's auto-memory system, you have been watching the output of this loop without seeing the inputs. We already covered the user-facing side of auto-dream. The leaked source confirms the four-phase shape and pins down the specific thresholds that fire it.
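The three gates and four phases, as an added example that is not the leaked `services/autoDream/` code: it encodes the 24-hour interval, the 5-session minimum and the consolidation lock as checks, runs a miniature orient/gather/consolidate/prune cycle over a constructed memory list, and shows the lock doing its job when a second cycle tries to start. The state layout, the function names and the O_EXCL file lock are assumptions made for illustration.

```python
"""Gate logic for an idle-time memory consolidation ("dream") cycle.

Added example, not code from the Claude Code source. Thresholds follow the
text; the state dict, lock mechanism and phase bodies are assumptions.
"""
import os
import tempfile
import time

MIN_INTERVAL_S = 24 * 60 * 60   # gate 1: at least 24 hours since the last cycle
MIN_SESSIONS = 5                # gate 2: at least 5 sessions since last consolidation
MAX_MEMORY_LINES = 200          # phase 4 target: keep MEMORY.md under 200 lines


def blocked_gates(now, last_dream_at, sessions_since, lock_held):
    """Return the names of the gates that are NOT satisfied (empty means go)."""
    blocked = []
    if now - last_dream_at < MIN_INTERVAL_S:
        blocked.append("interval")
    if sessions_since < MIN_SESSIONS:
        blocked.append("sessions")
    if lock_held:
        blocked.append("lock")
    return blocked


def acquire_lock(lock_path):
    """O_EXCL creation is atomic: exactly one process wins the lock.
    Returns True on success, False if another cycle already holds it."""
    try:
        fd = os.open(lock_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        return False
    os.write(fd, str(os.getpid()).encode())
    os.close(fd)
    return True


def release_lock(lock_path):
    os.unlink(lock_path)


def consolidate(memory_lines, recent_insights):
    """Phases 1-4 in miniature: orient, gather, consolidate, prune and index."""
    known = set(l.strip() for l in memory_lines)                      # 1. orient
    new = [i.strip() for i in recent_insights if i.strip() not in known]  # 2. gather
    merged = list(memory_lines) + new                                  # 3. consolidate
    seen, pruned = set(), []                                           # 4. prune and index
    for line in merged:
        key = line.strip()
        if key and key not in seen:
            seen.add(key)
            pruned.append(line)
    return pruned[:MAX_MEMORY_LINES]


def run_dream_cycle(state, lock_path, now=None):
    """Run one cycle if every gate passes. `state` holds last_dream_at,
    sessions_since, memory (list of lines) and insights (list of lines)."""
    now = time.time() if now is None else now
    # Cheap pre-check; the atomic acquire below is what really enforces the lock gate.
    blocked = blocked_gates(now, state["last_dream_at"], state["sessions_since"],
                            os.path.exists(lock_path))
    if blocked:
        return {"ran": False, "blocked": blocked}
    if not acquire_lock(lock_path):
        return {"ran": False, "blocked": ["lock"]}
    try:
        state["memory"] = consolidate(state["memory"], state["insights"])
        state["insights"] = []
        state["last_dream_at"] = now
        state["sessions_since"] = 0
    finally:
        release_lock(lock_path)
    return {"ran": True, "blocked": []}


def demo():
    """Drive the cycle through each gate with a constructed state."""
    with tempfile.TemporaryDirectory() as tmp:
        lock = os.path.join(tmp, "dream.lock")
        t0 = 1_700_000_000
        state = {"last_dream_at": t0, "sessions_since": 7,
                 "memory": ["prefers pytest", "repo uses pnpm"],
                 "insights": ["repo uses pnpm", "CI runs on ubuntu"]}
        too_soon = run_dream_cycle(state, lock, now=t0 + 3600)
        acquire_lock(lock)            # simulate a second process holding the lock
        contended = run_dream_cycle(state, lock, now=t0 + MIN_INTERVAL_S + 1)
        release_lock(lock)
        ok = run_dream_cycle(state, lock, now=t0 + MIN_INTERVAL_S + 1)
        return too_soon, contended, ok, state["memory"]


if __name__ == "__main__":
    print(demo())
```

The `finally` around the phases matters: a cycle that crashes mid-consolidation must still drop the lock, or the third gate stays shut forever and the memory file silently stops being maintained.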

Two Layers of Anti-Distillation

The source also reveals a two-layer defense against distillation. Competitors training on Claude Code outputs is the threat model.

Layer 1: Fake Tools

One feature flag, anti_distillation: ['fake_tools'], tells the server to slip decoy tool definitions into responses. GrowthBook gates this behind a flag called tengu_anti_distill_fake_tool_injection. Any competitor trying to distill Claude Code's tool-calling style would end up learning from tool schemas that are wrong on purpose.

Layer 2: CONNECTOR_TEXT

Instead of streaming full reasoning chains back, the server returns cryptographically signed summaries. That holds back the detailed chain-of-thought, which is exactly the data a rival trainer would want most. CONNECTOR_TEXT is scoped to USER_TYPE === 'ant' only, so it applies to Anthropic staff, not outside users.

Taken together, the layers show that Anthropic has been thinking hard about distillation attacks on its agentic coding tool, and building actual defenses.

ULTRAPLAN: Planning on Borrowed Hardware

ULTRAPLAN pushes heavy planning tasks out to a remote Cloud Container Runtime. That runtime runs Opus 4.6 with a planning window stretching up to 30 minutes. Your local terminal polls every 3 seconds for updates, and a browser UI lets you watch the plan come together live and approve or reject it in flight.

For anyone who has used the planning modes in Claude Code, ULTRAPLAN is the maxed-out version. A remote machine. A 30-minute thinking budget. Hardware bigger than whatever your laptop is.

Codenames, Tengu, and Model Names

"Penguin Mode" is the internal name for what users call Fast Mode. Its API endpoint is /api/claude_code_penguin_mode, and its kill switch is the flag tengu_penguins_off. Codename patterns like that run through the whole codebase.

Model Codenames Revealed

Codename     Maps to
Tengu        Claude Code's internal project codename
Capybara     New model family (possibly the leaked "Mythos" model). References to capybara, capybara-fast, capybara-fast[1m], capybara-v2-fast
Fennec       Opus 4.6 (migration function migrateFennecToOpus found in source)
Numbat       Unreleased model ("Remove this section when we launch numbat")
Opus 4.7     Referenced in Undercover Mode's forbidden strings list
Sonnet 4.8   Referenced in Undercover Mode's forbidden strings list

Capybara is the fun one. It also shows up as a Claude Buddy species name, hex-encoded so it slips past Anthropic's own excluded-strings.txt build scanner. Every one of the 18 pet species names got the same hex treatment, which stops any single hidden codename from looking suspicious on its own.
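A build scanner that does not have this blind spot, as an added example (not Anthropic's excluded-strings.txt tooling, whose internals the page does not show): a plain substring scan misses a term that lives in the bundle as `\x63\x61...` or as a bare hex string decoded at runtime, so this version derives each excluded term's likely encodings (`\x` escapes, `\u` escapes, bare hex, base64) and searches for all of them. The bundle text and the two-entry term list are constructed for the demo.

```python
"""Build-output scanner that catches excluded strings even when hex-encoded.

Added example, not Anthropic's scanner. SAMPLE_BUNDLE and EXCLUDED are
constructed for the demo and stand in for a built cli.js and for the
excluded-strings list.
"""
import base64
import re

# Constructed bundle: one codename as \x escapes, the same one as bare hex
# decoded at runtime, and one plain-text mention in a comment.
SAMPLE_BUNDLE = (
    r'const species = ["\x63\x61\x70\x79\x62\x61\x72\x61",'
    '\n'
    '  Buffer.from("6361707962617261", "hex").toString()];\n'
    '// remove this section when we launch numbat\n'
    'const mode = "Fast Mode";\n'
)
EXCLUDED = ["capybara", "numbat"]   # constructed term list


def naive_scan(bundle, excluded):
    """What a literal-only scanner reports: terms present as plain text."""
    low = bundle.lower()
    return [t for t in excluded if t.lower() in low]


def encodings_of(term):
    """Every representation of `term` the scanner looks for, keyed by name."""
    raw = term.encode("utf-8")
    return {
        "literal": term,
        "hex": raw.hex(),                                     # "6361..." style
        "x-escape": "".join("\\x%02x" % b for b in raw),      # "\x63\x61..." style
        "u-escape": "".join("\\u%04x" % b for b in raw),      # "\u0063\u0061..." style
        "base64": base64.b64encode(raw).decode("ascii"),
    }


def scan(bundle, excluded):
    """Return (term, encoding, offset) for every hit, ordered by offset.
    Hex and escape forms are matched case-insensitively; base64 exactly."""
    hits = []
    for term in excluded:
        for name, needle in encodings_of(term).items():
            flags = 0 if name == "base64" else re.IGNORECASE
            for m in re.finditer(re.escape(needle), bundle, flags):
                hits.append((term, name, m.start()))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    print("naive:", naive_scan(SAMPLE_BUNDLE, EXCLUDED))
    for term, enc, off in scan(SAMPLE_BUNDLE, EXCLUDED):
        print("%-10s %-9s at byte %d" % (term, enc, off))
```

Two caveats for real use: the bare-hex and base64 forms of a short term can legitimately occur inside an unrelated hash or blob, so treat those hits as review items rather than hard build failures; and a scanner only sees the encodings it was told about, which is why the stronger control is keeping the term list and the build in the same review loop rather than hoping the scanner outruns the people writing around it.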

Code Quality Roasts

The dump set off a second, separate conversation. People started reading the code. At $2.5 billion ARR, some of what they found raised eyebrows.

The print.ts file: 5,594 lines of code. Inside that file, one function is 3,167 lines long. By itself, that function is longer than plenty of full applications.

Frustration detection: A regex-based system scans user input for profanity and signs of emotional distress. The community reaction was instant: "An LLM company using regexes for sentiment analysis? That's like a truck company using horses to transport parts."

187 spinner verbs: The loading spinner cycles through 187 action verbs. Commenters went through every one of them looking for "reticulating," the SimCity 2000 loading screen reference. It is in there.

Nested callbacks: A Hacker News commenter described the stacked .then() chains as "a defining work of the 'just vibes' era." Given that the head of Claude Code has said the tool wrote its own codebase, the AI's coding style is now public evidence.

Native client attestation: Client verification has been pushed below JavaScript, straight down into Bun's Zig-level HTTP stack. That is more aggressive than what most developer tools bother with, and it suggests API security is taken seriously even when npm packaging clearly is not.

Community Fallout

Reactions moved fast.

Mirrors and forks: One mirror repo racked up over 41,500 forks. Someone also mirrored the code to a decentralized platform under the tagline "Will never be taken down."

Clean-room rewrites: Korean developer Sigrid Jin put up "claw-code" (instructkr/claw-code), a clean-room Python rewrite. It hit 75,000 GitHub stars in roughly 2 hours, quite possibly the fastest growth GitHub has ever seen.

DMCA takedowns: Anthropic filed DMCA notices against mirrors. Standard move. It still drew flak because the code was published through the lab's own packaging mistake.

Memecoins: Someone launched $Nebulynx on Solana, pegged to the rarest Claude Buddy variant (Shiny Legendary). Of course they did.

Concurrent chaos: By coincidence, the same day brought a supply-chain attack on an unrelated npm package via Axios. The result was a very weird 24 hours where the npm ecosystem was dealing with an accidental corporate leak and a deliberate security attack at the same time.

Coverage: CNBC, Fortune, Gizmodo, VentureBeat, Axios, The Register, Decrypt, Cybernews, and The Hacker News all picked it up.

What This Means

For Anthropic

Anthropic sits at $19 billion annualized revenue. Claude Code alone does $2.5 billion ARR. The company is reportedly lining up an October IPO at roughly $380 billion. Two leaks in one week (the source map plus Mythos) chip at the safety-first story that sits under the brand and the valuation.

AI security firm Straiker flagged a fresh problem. With the code in the open, attackers can now trace how data flows through Claude Code's four-stage context management pipeline and look for attack vectors nobody could see before. Feature flags and the roadmap are also now visible to GitHub Copilot, Cursor, and everyone else working on AI coding tools.

For Developers Using Claude Code

The leak makes one thing clear. Claude Code's architecture is genuinely well engineered. Five context compaction strategies. 14 cache-break vectors. 23 security checks on bash commands. Three subagent execution models. None of that is a wrapper around an API. It is a deep system.

What is coming next (KAIROS, ULTRAPLAN, AutoDream refinements) points at always-on, autonomous operation rather than the session-based model most users live in today. If your workflows are built around Claude Code, designing with eventual autonomous operation in mind is worth doing now.

For the Open-Source Debate

One of the first questions people typed into Google after the dump: is Claude Code open source? Technically, the source has been visible on GitHub ever since Anthropic chose to publish the repo. But "source available" is not the same thing as "open source." The license does not allow redistribution or modification, which is why Anthropic could send DMCAs against the mirrors. The npm leak put the full codebase in more hands, source maps and all, reverse-engineered back to readable TypeScript. None of that changed the license.

Anthropic's statement was short: "No sensitive customer data or credentials were involved. Release packaging issue caused by human error, not a security breach." At first they used the npm deprecated flag instead of actually unpublishing the package, which drew more criticism for a slow response. No formal post-mortem has gone out.

FAQ

What was the Claude Code source code leak?

On March 31, 2026, version 2.1.88 of the @anthropic-ai/claude-code npm package went out with a 59.8 MB source map file (cli.js.map) that exposed the full TypeScript source. The file reconstructed roughly 1,900 source files and 512,000+ lines of code, revealing hidden features, internal codenames, and unshipped capabilities such as the KAIROS background agent and Undercover Mode.

Is Claude Code open source?

Claude Code's source is visible on GitHub, but it is not open source in the licensing sense. The license does not allow redistribution or modification. The npm leak made the full source more reachable through source maps. Anthropic still holds the copyright and filed DMCA notices against unauthorized mirrors.

What is Claude Code Undercover Mode?

Undercover Mode is a feature that switches on for Anthropic employees when they use Claude Code on non-internal repositories. It strips Co-Authored-By attribution, bans mentioning internal details in commits, and blocks references to unreleased models. Regular users are never affected because the code gets dead-code-eliminated out of public builds.

What is KAIROS in Claude Code?

KAIROS is an unshipped autonomous daemon mode referenced over 150 times in the Claude Code source. Named after the Greek concept of "the right moment," it is a background agent that persists across sessions, takes periodic tick prompts, and can decide on its own to do things like send notifications or watch GitHub webhooks. It sits behind feature flags with no announced launch date.

What model codenames were found in the leak?

The leak turned up several internal codenames: Tengu (Claude Code's project codename), Capybara (a new model family, possibly the leaked Mythos model), Fennec (Opus 4.6), and Numbat (an unreleased model). References to Opus 4.7 and Sonnet 4.8 were found in Undercover Mode's forbidden strings list, which confirms both models are in development.

How did the Claude Code leak happen?

The Bun runtime generates source maps by default during the build. Nobody at Anthropic added *.map to .npmignore, so the source map rode along inside the published npm package. Boris Cherny, head of Claude Code, called it a "plain developer error." This was at least the second such incident, after a similar leak in February 2025.
