Anthropic exposed the full source code for Claude Code after a misconfigured source map file was published to npm, offering a rare look inside one of the company’s most important commercial products.
The file, bundled with version 2.1.88, contained nearly 60 megabytes of internal material, including about 512,000 lines of TypeScript across 1,906 files. Chaofan Shou, a software engineer interning at Solayer Labs, first flagged the leak, which quickly spread across X and GitHub as developers began examining the codebase.
The disclosure showed how Anthropic built Claude Code to stay on track during long coding sessions. One of the clearest findings was a three-layer memory system centered on a lightweight file called MEMORY.md, which stores short references instead of full information. More detailed project notes are saved separately and pulled in only when needed, while past session history is searched selectively rather than loaded all at once. The code also tells the system to check its memory against the actual code before taking action, a design meant to reduce mistakes and false assumptions.
The source also suggests Anthropic has been developing a more autonomous version of Claude Code than what users currently see. A feature referenced repeatedly under the name KAIROS appears to describe a daemon mode in which the agent can continue operating in the background instead of waiting for direct prompts.
Another process, called autoDream, appears to handle memory consolidation during idle periods by reconciling contradictions and converting tentative observations into verified facts. Developers reviewing the code also found dozens of hidden feature flags, including references to browser automation through Playwright.
The leak also exposed internal model names and performance data. According to the source, Capybara refers to a Claude 4.6 variant, Fennec corresponds to an Opus 4.6 release, and Numbat remains in prelaunch testing.
Internal benchmarks cited in the code showed the latest Capybara version with a false claims rate of 29% to 30%, up from 16.7% in an earlier iteration. The source also referenced an assertiveness counterweight designed to keep the model from becoming too aggressive when refactoring user code.
One of the most sensitive disclosures involved a feature described as Undercover Mode. The recovered system prompt suggests Claude Code could be used to contribute to public open source repositories without revealing that AI was involved. The instructions specifically tell the model to avoid exposing internal identifiers, including Anthropic codenames, in commit messages or public git logs.
The leaked materials also exposed Anthropic’s permission engine, orchestration logic for multi-agent workflows, bash validation systems, and MCP server architecture, giving competitors a detailed look at how Claude Code works. The disclosure may also give attackers a clearer roadmap for crafting repositories designed to exploit the agent’s trust model. The pasted text says one developer had already begun rewriting parts of the system in Python and Rust under the name Claw Code within hours of the leak.
The source exposure coincided with a separate supply chain attack involving malicious versions of the axios npm package distributed on March 31. Developers who installed or updated Claude Code through npm during that period may also have pulled in the compromised dependency, which reportedly contained a remote access trojan. Security researchers urged users to check their lockfiles, rotate credentials, and in some cases consider full operating system reinstalls on affected machines.
The incident marks the second known case in roughly thirteen months in which Anthropic exposed sensitive internal technical details, following an earlier episode in February 2025 involving unreleased model information.
After the latest breach, Anthropic designated its standalone binary installer as the preferred method for installing Claude Code because it bypasses the npm dependency chain. Users who remain on npm were advised to pin to verified safe versions released before the compromised package.
Source: https://cryptobriefing.com/claude-code-leak-vulnerabilities/
