A single missing line in a build configuration file. One absent entry in a .npmignore. And then 512,000 lines of TypeScript — years of internal engineering — sitting on the public internet for anyone to read.
The morning of March 31, 2026 began ordinarily enough at Anthropic. Version 2.1.88 of Claude Code was published to the npm registry at 04:23 UTC — a routine release in a company that ships code constantly. What followed over the next four hours was not routine. A source map file bundled into the package linked to a Cloudflare R2 bucket containing the complete, unobfuscated TypeScript source code for Claude Code's entire agent harness. By the time Anthropic pulled the package around 08:00 UTC, the internet had already moved.
A GitHub mirror accumulated 50,000 stars within hours. Within 24 hours it had become the fastest-growing repository in GitHub's recorded history, surpassing 100,000 stars. The code was mirrored to decentralized platforms with explicit commitments that it would never be taken down. Security researcher Chaofan Shou, an intern at Solayer Labs, posted the discovery on X at 04:23 AM ET — the post accumulated over 28.8 million views.
Anthropic's official statement: "Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach."
What the company could not unsay was what those 512,000 lines actually contained. The architecture of Claude Code — as actually built, not as publicly described — turns out to be considerably more interesting than most users had assumed. This is what the internet found inside.
The Architecture That Was Never Meant to Be Public
Claude Code is not, as many users assume, simply a Claude model with access to a terminal. The leaked source reveals something far more layered: a complex agent harness built on top of the underlying AI model, responsible for everything the model cannot do on its own. The codebase spans roughly 1,900 files. The main entry point alone — main.tsx — weighs 785 kilobytes. It includes more than 40 custom tool definitions, a multi-agent orchestration layer, a complete permission and security model, a custom React-based terminal renderer built on Ink, and an elaborate system of 44 feature flags gating capabilities that range from nearly complete to entirely unshipped.
What Anthropic had been presenting as a developer productivity tool is, architecturally, a sophisticated autonomous agent platform — with infrastructure for persistent memory, background processes, stealth operation, and emotional monitoring already built or in advanced development. The product surface and the underlying architecture are separated by a significant distance. The leak collapsed that distance entirely.
Undercover Mode: The Discovery That Stopped the Conversation
Of the many revelations in the source code, one generated immediate and sustained controversy. In src/utils/undercover.ts, engineers discovered a mode that activates when Claude Code operates on public or open-source repositories on Anthropic's behalf. The system prompt injection reads verbatim:
"You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."
The implication is clear: Anthropic had been using Claude Code to make contributions to public open-source repositories, and had built explicit machinery to ensure those contributions appeared to come from an ordinary developer rather than from an AI agent operating on behalf of one of the world's largest AI companies. Whether this constitutes deception is a question of framing. What the code makes undeniable is that it was a deliberate design decision.
The Undercover Mode also contains workflow discipline rules that apply across all of Claude Code's agent operations. Among them: "Do not rubber-stamp weak work." And: "You must understand findings before directing follow-up work. Never hand off understanding to another worker." These are not suggestions — they are system-level constraints baked into the agent's operating instructions.
KAIROS: The Always-On Daemon That Has Not Shipped Yet
Named after the Ancient Greek concept of the propitious moment — time as quality rather than quantity — the KAIROS feature flag appears more than 150 times throughout the source code. It represents the most architecturally significant unreleased capability: a persistent background agent that operates continuously without waiting for user input.
KAIROS ships with a subprocess called autoDream — a memory consolidation engine that runs autonomously during idle periods. Its operation is divided into four phases: Orient (reading existing memory files), Gather Recent Signal (identifying information worth preserving), Consolidate (writing updated memory files, converting relative dates to absolute timestamps, removing contradicted facts), and Prune and Index (enforcing a hard cap of 200 lines and 25 KB while resolving contradictions).
The memory architecture layers a MEMORY.md file as a lightweight index, perpetually loaded into context with each session. KAIROS and autoDream would transform Claude Code from a session-based tool into something closer to a persistent colleague — one that remembers, consolidates learning, and evolves its understanding of your codebase over time without being asked to. The feature is fully built. It simply has not been switched on.
BUDDY: The Tamagotchi That Anthropic Almost Shipped
Not all surprises were architectural. Among the unreleased features, the internet quickly surfaced BUDDY: a fully implemented Tamagotchi-style virtual companion designed to sit beside the user's terminal input and occasionally comment in a speech bubble. The implementation is extraordinary in its specificity.
BUDDY includes 18 species across five rarity tiers, with a 1% shiny chance independent of rarity — making a Shiny Legendary Nebulynx a one-in-ten-thousand encounter. Each companion has five personality stats: Debugging, Patience, Chaos, Wisdom, and Snark. Six eye styles and eight hat options are available, with ASCII art sprites and animation frames. On first hatch, Claude itself writes the companion's personality description.
It would be easy to dismiss BUDDY as a quirky internal experiment. Its existence — fully implemented, clearly tested, held behind a compile-time false flag — suggests something more deliberate: a serious thesis about whether persistent, character-bearing AI companions will become a meaningful interface paradigm. Anthropic built the whole system before deciding whether to ship it.
The Frustration Monitor and the Anti-Distillation Engine
Two further discoveries attracted attention, for different reasons. In userPromptKeywords.ts, the source reveals that every message sent to Claude Code is scanned by a regex tuned to detect negative user sentiment. The watchlist includes phrases such as "so frustrating," "this sucks," "horrible," "awful," "wtf," and various profanities. Anthropic described this as telemetry for understanding when the product was failing its users — a reasonable product improvement mechanism. The community split between those who accepted that framing and those uncomfortable with systematic cataloguing of user frustration.
The second discovery is more structurally significant. A feature flag called ANTI_DISTILLATION_CC, found in claude.ts at lines 301 through 313, when enabled causes Claude Code to include anti_distillation: ['fake_tools'] in its API requests. The server then silently injects decoy tool definitions into the system prompt. The stated purpose: to corrupt the training data of any competitor recording Claude Code's API traffic in order to train a rival model through behavioral cloning.
The existence of a purpose-built anti-distillation system is a window into how seriously frontier AI companies treat the threat of model theft. It also raises questions about what other defensive mechanisms exist in production systems that have not been accidentally published to a public package registry.
Internal Codenames and a Candid Accuracy Problem
The source also exposed internal model codenames. Capybara maps to a Claude 4.6 variant. Fennec maps to Opus 4.6. Numbat appears to be an unreleased model still in testing. More striking than the codenames are the performance notes buried in code comments: Capybara v8 shows a 29 to 30 percent false claims rate — a significant regression from the 16.7 percent measured in v4.
These figures represent the kind of candid internal performance accounting that AI companies rarely expose publicly. They raise questions about the gap between benchmark performance — carefully curated for press releases and researcher leaderboards — and real-world accuracy as measured by teams integrating these models into production systems.
The Aftermath: GitHub Records, Political Letters, and $2.5 Billion in Enterprise Stakes
The community response was extraordinary. The GitHub mirror crossed 100,000 stars faster than any repository in the platform's history. Korean developer Sigrid Jin — previously profiled by the Wall Street Journal for consuming 25 billion Claude Code tokens in a single year — launched a clean-room Python rewrite called claw-code within hours. Decentralized platforms mirrored the repository with explicit commitments against removal.
Beyond the technical community, the leak attracted political attention. Representative Josh Gottheimer (D-NJ) wrote to Anthropic CEO Dario Amodei warning of potential national security implications, given Claude Code's integration into U.S. defense and intelligence workflows. SecurityWeek reported a separate critical Claude Code vulnerability emerging days after the source leak, raising questions about whether the two incidents were connected. This was also reported to be Anthropic's second security incident in five days — the first being a CMS misconfiguration that exposed nearly 3,000 unpublished internal assets, including draft announcements for an unreleased model codenamed Claude Mythos.
Claude Code's annualised run-rate revenue stood at $2.5 billion as of February 2026. The enterprise trust implications of a leak of this scale are not abstract, and the questions being asked in boardrooms are not easily answered by a statement attributing the incident to human error.
What the Leak Actually Reveals About AI Development
The Claude Code leak is not primarily a story about a security failure, though it is that too. It is a story about the distance between AI as it is publicly understood and AI as it is actually built.
The systems documented in those 512,000 lines — persistent daemons, emotional monitoring, anti-competitor sabotage mechanisms, stealth contribution modes, companion personalities — suggest an industry developing at a pace and in directions that its public communications do not fully capture. The gap between the product surface and the underlying architecture is significant, and most users have no framework for thinking about what lives between the model and the interface they see.
For developers, the leak provides a detailed map of what production AI agent infrastructure looks like at scale — the tooling, the orchestration patterns, the memory architecture, the permission models. For businesses building on top of AI systems, it is a reminder that the tool you are using is almost always more complex, and more intentional, than it appears.
That is the real leak: not the source code, but the design philosophy. These are the goals and anxieties of a frontier AI company made legible in TypeScript, shipped accidentally to a public package registry on an otherwise ordinary Tuesday morning. For everyone paying attention to where AI is actually going — not where it is being positioned — it is worth reading carefully.
