Anthropic Exposes Claude Code Source Code in npm Misconfiguration

CryptopulseElite

Anthropic inadvertently exposed the full source code for its Claude Code AI agent on March 31, 2026, after a misconfigured source map file was published to the npm registry as part of version 2.1.88 of the @anthropic-ai/claude-code package.

The 59.8 MB file contained approximately 512,000 lines of TypeScript across 1,906 files, revealing the agent’s three-layer memory architecture, references to an autonomous daemon mode called KAIROS, internal model codenames including Capybara (Claude 4.6) and Fennec (Opus 4.6), and a feature enabling “undercover” contributions to open source repositories without disclosing AI involvement.

Source Code Leak Reveals Claude Code’s Three-Layer Memory Architecture

The leaked source code detailed how Anthropic built Claude Code to manage long coding sessions through a sophisticated memory system. At the core is a lightweight file called MEMORY.md that stores short references rather than full information, with more detailed project notes saved separately and pulled only when needed. Past session history is searched selectively rather than loaded all at once. The system also checks its memory against actual code before taking action, a design aimed at reducing mistakes and false assumptions.

The leak showed that the agent is instructed to treat its own memory as a “hint” requiring verification against the codebase before proceeding. This approach, described as “Strict Write Discipline,” prevents the model from polluting its context with failed attempts. The memory architecture is designed to solve what developers called “context entropy”—the tendency for AI agents to become confused or hallucinatory as long-running sessions grow in complexity.

KAIROS Autonomous Mode and Undercover Feature Exposed

The source code referenced a feature repeatedly under the name KAIROS, described as a daemon mode in which the agent can continue operating in the background instead of waiting for direct prompts. A related process called autoDream handles memory consolidation during idle periods by reconciling contradictions and converting tentative observations into verified facts.

One of the most sensitive disclosures involved a feature described as Undercover Mode. The recovered system prompt instructs Claude Code to contribute to public open source repositories without revealing that AI was involved, with specific instructions to avoid exposing internal identifiers including Anthropic codenames in commit messages or public git logs. Developers reviewing the leak also found dozens of hidden feature flags, including references to browser automation through Playwright.

Internal Model Performance Metrics and Development Roadmap Exposed

The leak exposed internal model names and performance data. According to the source, Capybara refers to a Claude 4.6 variant, Fennec corresponds to an Opus 4.6 release, and Numbat remains in prelaunch testing. Internal benchmarks showed the latest Capybara version with a false claims rate of 29% to 30%, up from 16.7% in an earlier iteration. The source also referenced an assertiveness counterweight designed to keep the model from becoming too aggressive when refactoring user code.

The leaked materials also exposed Anthropic’s permission engine, orchestration logic for multi-agent workflows, bash validation systems, and MCP server architecture, giving competitors a detailed look at how Claude Code works. Claude Code reportedly achieved an annualized recurring revenue of $2.5 billion as of March 2026, with enterprise adoption accounting for 80% of its revenue.

Concurrent npm Supply Chain Attack Compounds Security Risks

The source exposure coincided with a separate supply chain attack involving malicious versions of the axios npm package distributed on March 31 between 00:21 and 03:29 UTC. Developers who installed or updated Claude Code through npm during that period may have pulled in a compromised axios version (1.14.1 or 0.30.4) containing a remote access trojan.

Anthropic confirmed the leak in a statement, stating that a Claude Code release included some internal source code and that no sensitive customer data or credentials were involved or exposed. The company attributed the issue to human error in release packaging rather than a security breach and stated it is rolling out measures to prevent recurrence. Following the breach, Anthropic designated its standalone binary installer as the preferred method for installing Claude Code because it bypasses the npm dependency chain.

FAQ

What source code did Anthropic accidentally expose?

Anthropic exposed approximately 512,000 lines of TypeScript source code for Claude Code, its AI coding agent, through a misconfigured source map file published to npm. The leak revealed the agent’s memory architecture, autonomous daemon mode called KAIROS, internal model codenames, and a feature enabling “undercover” contributions to open source repositories.

What security risks do users face following the leak?

Users who installed or updated Claude Code via npm during a three-hour window on March 31 may have inadvertently installed a malicious axios dependency containing a remote access trojan. Security researchers recommend checking lockfiles for compromised versions, rotating credentials, and considering full OS reinstallation on affected machines.

How should Claude Code users mitigate risks?

Anthropic recommends using the standalone binary installer instead of npm installation, as it bypasses the npm dependency chain. Users on npm should uninstall version 2.1.88 and pin to verified safe versions. Additionally, users should avoid running the agent in untrusted repositories until they have inspected the configuration files and custom hooks.
