Anthropic Unintentionally Reveals Claude Code Source Code in Security Breach

By Patricia Miller

Mar 31, 2026


Anthropic's accidental source code leak exposes Claude Code's internal workings, revealing details about its memory system and features.

In a significant security incident, Anthropic inadvertently disclosed the complete source code for its product, Claude Code, after a configuration error.

The leak stemmed from a misconfigured source map file that was shared on npm, revealing approximately 60 megabytes of internal content. This included around 512,000 lines of TypeScript across nearly 1,906 files. The leak was first identified by a software engineer interning at Solayer Labs, Chaofan Shou, and rapidly gained attention across platforms like X and GitHub as developers delved into the code.
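One way to catch this class of mistake before publishing, as an added example (not code from Anthropic or from this article): the function below takes the files that would go into a package and reports shipped source maps, maps that embed original files through the standard Source Map v3 `sourcesContent` field, and bundles that point to a map. The file names and contents are constructed; the article does not describe what the leaked map contained.

```javascript
// Added example: audit the file set of an npm package for source-map exposure.
// `files` maps package-relative paths to file contents as strings.
function findSourceMapExposure(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      let map;
      try {
        map = JSON.parse(text);
        if (map === null || typeof map !== "object") throw new Error("not an object");
      } catch {
        findings.push({ path, issue: "unparseable-map" });
        continue;
      }
      // Source Map v3: `sourcesContent` holds the original files verbatim.
      const embedded = Array.isArray(map.sourcesContent)
        ? map.sourcesContent.filter((s) => typeof s === "string" && s.length > 0).length
        : 0;
      findings.push({
        path,
        issue: embedded > 0 ? "map-embeds-original-source" : "map-shipped",
        embeddedSources: embedded,
        sources: Array.isArray(map.sources) ? map.sources.length : 0,
      });
    } else if (/\.[cm]?js$/.test(path)) {
      // A trailing comment in the bundle tells tooling where the map lives.
      const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(text);
      if (!m) continue;
      findings.push(m[1].startsWith("data:")
        ? { path, issue: "inline-map" } // map is embedded in the bundle itself
        : { path, issue: "references-map", target: m[1] });
    }
  }
  return findings;
}

// Constructed sample: a tiny package whose build left the map in place.
const SAMPLE_FILES = {
  "package.json": '{"name":"example-cli","version":"1.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3,
    sources: ["../src/main.ts", "../src/permissions.ts"],
    sourcesContent: ["export const a = 1;", null],
    mappings: "AAAA",
  }),
};
console.log(findSourceMapExposure(SAMPLE_FILES));
```

In a release pipeline the `files` object would be built from the unpacked tarball that `npm pack` produces, and any finding would fail the job.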

What does this source code reveal about Claude Code? One interesting aspect is its innovative memory management system designed to support developers during lengthy coding sessions. The system includes a compact memory file, MEMORY.md, which stores brief references rather than extensive details. This approach enables the software to access more comprehensive project notes only as necessary and selectively search prior session data instead of loading everything at once. The design also incorporates a mechanism to verify memory against active code before executing commands, aiming to minimize errors and misjudgments.

Is there more to Claude Code than meets the eye? The leaked code hints at Anthropic's development of a more independent version of Claude, referred to as KAIROS. This appears to indicate a mode where the software can function autonomously in the background, without needing direct input from users.

Another intriguing feature discovered in the code is called autoDream, which seems to be responsible for memory management during idle times by resolving inconsistencies and solidifying tentative knowledge into confirmed facts. Developers also noticed numerous hidden feature flags, including those related to browser automation using Playwright.

How sensitive is this information? The leak unveiled internal model names and performance metrics, which include designations like Capybara for a Claude 4.6 variant and Fennec for an Opus 4.6 release, with Numbat still undergoing prelaunch testing. Additionally, the code indicated a slight increase in the false claims rate of the latest Capybara model, now at 29% to 30%, contrasting with an earlier rate of 16.7%. The source data also pointed out the implementation of an assertiveness counterweight intended to prevent the model from being overly aggressive when refining user-provided code.

What are the implications of the Undercover Mode feature? This capability allows Claude Code to contribute to open-source projects while keeping the involvement of AI a secret. The system prompt indicates that the model is instructed to omit internal identifiers, such as Anthropic's code names, from commit messages and public logs, ensuring discretion in its contributions.

In addition, the leaked materials disclosed details about Anthropic's permission engine, its orchestration logic for multi-agent workflows, bash validation processes, and the architecture of its MCP server. These revelations could provide competitors with detailed insight into the operational mechanisms of Claude Code. They may also give malicious actors a clearer framework for developing repositories that could undermine the agent’s trust models. In fact, within hours of the leak, one developer purportedly began reconstructing segments of the system in Python and Rust under the moniker Claw Code.

What coincided with the source exposure? This incident closely followed a supply chain attack involving malicious versions of the axios npm package distributed on March 31. As a result, developers who installed or updated Claude Code during that timeframe might have unintentionally acquired this compromised dependency, which reportedly contained a remote access trojan. Security experts recommended that users audit their lockfiles, rotate credentials, and, when necessary, perform full reinstalls of operating systems on affected machines.
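The lockfile audit recommended above, sketched as an added example (not from this article or from any vendor advisory): it walks a parsed package-lock.json and reports every resolved copy of a package, including nested transitive copies, whose version is on a flagged list. The flagged versions are placeholders because the article does not name the affected axios releases, and the sample lockfile is constructed.

```javascript
// Added example: flag resolved copies of a package in a parsed package-lock.json.
// PLACEHOLDER versions: replace with the versions named in the advisory you act on.
const FLAGGED_VERSIONS = new Map([
  ["axios", new Set(["0.0.0-placeholder.1", "0.0.0-placeholder.2"])],
]);

function auditLockfile(lock, flagged = FLAGGED_VERSIONS) {
  const hits = [];
  const check = (name, entry, where) => {
    const bad = flagged.get(name);
    if (bad && entry && bad.has(entry.version)) {
      hits.push({ name, version: entry.version, where, integrity: entry.integrity || null });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project, not a dependency
    check(path.slice(idx + "node_modules/".length), entry, path);
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 keeps a copy; skip it there).
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry, trail.concat(name).join(" > "));
      walk(entry.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: the top-level copy is clean, a nested transitive copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "9.9.9" },
    "node_modules/some-cli": { version: "2.0.0" },
    "node_modules/some-cli/node_modules/axios": {
      version: "0.0.0-placeholder.2",
      integrity: "sha512-CONSTRUCTED",
    },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

A hit means the flagged version was resolved into the tree; whether it was actually installed and executed on a given machine still has to be established from that machine.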

This security breach marks the second instance within about thirteen months where Anthropic has inadvertently revealed sensitive internal technical information, the first being in February 2025 involving unreleased model specifications.

In response to this recent incident, Anthropic has now designated its standalone binary installer as the preferred installation method for Claude Code, which circumvents the npm dependency chain. Users who continue to utilize npm are urged to revert to safe, verified versions released prior to the compromised package.
