Anthropic Accidentally Shipped Claude Code's Entire Source to npm — and the Internet Read Every Line

On March 31, 2026, Anthropic published version 2.1.88 of Claude Code to the npm registry. Bundled inside was a 59.8 MB JavaScript source map file — a debug artifact that reconstructs the complete original TypeScript source from the minified production bundle. By 4:23 AM ET, it was public. By breakfast, 512,000 lines of Anthropic's production AI agent codebase were on GitHub with 84,000 stars. A single missing line in a .npmignore file. That's it. That's the whole story.

Put the coffee on. There's a lot to cover.

First, the mechanics, because they matter and they're embarrassing in a very specific way.

Claude Code is built with Bun — Jarred Sumner's JavaScript runtime — instead of Node.js. Bun generates source maps by default as part of its build process. Source maps are debugging artifacts: they map compressed, minified production code back to the original human-readable source files. They're supposed to stay in your development environment. The thing that keeps them out of your npm package is a .npmignore file — a list of files and patterns that the npm CLI excludes when you run npm publish.

Anthropic's .npmignore didn't have an entry for cli.js.map.

That's the entire vulnerability. Not a sophisticated supply chain attack. Not a zero-day in npm's infrastructure. A missing line in a config file, on a product generating $2.5 billion in annualized recurring revenue.

Chaofan Shou, an intern at Solayer Labs, spotted the source map in the published package and posted on X:

"Claude code source code has been leaked via a map file in their npm registry!"

He included a direct download link. The post hit 28 million views. By the time Anthropic issued DMCA takedowns, mirrors had propagated across GitHub faster than any takedown process can move. The code is, as they say, out.

Anthropic's response to VentureBeat:

"Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again."

Technically accurate. No user data. No credentials. No model weights. But "packaging issue caused by human error" is doing a lot of work in that statement. What actually got out was 1,906 TypeScript files covering Claude Code's complete agentic harness — the orchestration layer, the memory architecture, the permission system, the multi-agent coordinator, the feature flag infrastructure for unreleased capabilities, and the internal model roadmap. Every competitor in the space now has a free engineering education, courtesy of a missing .npmignore entry.

And apparently this isn't even the first time. Earlier versions — v0.2.8 and v0.2.28 — also shipped with source maps that were quietly removed after being flagged. A bug in Bun's build tooling related to exactly this issue had been filed 20 days before the 2.1.88 release and was still open. Anthropic owns the Bun runtime. They acquired it. They had a bug report sitting open for three weeks describing the exact mechanism that caused this leak, and it wasn't marked critical.

The gap between the sophistication of Claude Code's engineering and the state of its release pipeline is genuinely uncomfortable to look at.

This Is the Part Worth Stealing

Let me be clear about what competitors actually care about here. They don't care about the TypeScript patterns or the specific function implementations — those can be refactored around a DMCA. They care about the design decisions. And the most important design decision in the entire codebase is how Anthropic solved "context entropy."

Context entropy is the thing that makes AI agents degrade over long sessions. You've felt it. You start a complex task with an LLM, it's sharp at the beginning, and then somewhere around the fortieth message it starts contradicting itself, forgetting decisions it made earlier, hallucinating API signatures that got refactored three prompts ago. That's context entropy. The model's context window fills up with accumulated session history, the signal-to-noise ratio drops, and coherence degrades.

The naive solution is to store everything. That doesn't work at scale — you hit the context window limit and then you have to start summarizing or truncating, both of which lose information.

Anthropic's solution is a three-layer pointer architecture built around a file called MEMORY.md. Here's what makes it different: MEMORY.md is not a knowledge store. It's an index. Each line is approximately 150 characters and stores a pointer — a location reference — not the actual data. Think of it as a table of contents where every entry says "the information about X is in this file at this location," not "here is the information about X."

The actual project knowledge lives in separate topic files, pulled in on demand. Raw session history is never reloaded wholesale — it's searched selectively using grep-style lookups for specific identifiers when the agent needs to cross-reference something from earlier. The architecture keeps the working context lean.

The TypeScript that enforces this is guided by what the codebase calls "Strict Write Discipline." In practice it looks like this pattern — and this mirrors what was found in the leaked source:

// Pattern from the Claude Code memory architecture (leaked source, v2.1.88)
// Illustrates the "write discipline" — memory index only updates after
// a confirmed successful file write, never before.
 
async function updateMemoryIndex(
  memoryPath: string,
  topicKey: string,
  fileLocation: string,
  operation: () => Promise<void>
): Promise<void> {
  // Execute the actual write operation first
  await operation();
 
  // Only update the index AFTER the write succeeds.
  // If operation() throws, the index stays consistent with
  // what's actually on disk. No phantom entries.
  const indexEntry = `${topicKey}: ${fileLocation}\n`;
  await appendToFile(memoryPath, indexEntry);
}

That's the discipline: the index pointer only gets written after the file write succeeds. If the write fails for any reason — disk error, crash, exception — the index stays consistent with what's actually on disk. No phantom entries pointing to files that don't exist. No index entries for writes that got rolled back.

There's a second rule that's equally important: the agent is explicitly instructed to treat its own memory as a hint, not ground truth. Before acting on anything from memory, it verifies against the actual codebase. The system doesn't trust itself. That is a deeply considered design decision, and it's the thing that separates a system that degrades gracefully from one that confidently acts on stale information.

This architecture is what every AI coding agent in the world should be studying right now. Not because it's magic, but because it's correct about a hard problem that most agent frameworks still handle badly.

KAIROS

This is where it gets really interesting.

KAIROS — from the Ancient Greek for "the right moment" — appears over 150 times in the leaked source and is gated behind an internal feature flag that doesn't exist in the public npm package. You can't enable it as a user today. But it's compiled. It's tested. It's waiting.

KAIROS is an autonomous background mode. Instead of Claude Code being purely reactive — you give it a task, it runs, it stops — KAIROS turns it into a persistent daemon. Always watching. Operating within a 15-second blocking budget (actions that would interrupt you for longer get deferred). Maintaining append-only daily log files of what it observes about your project.

The centerpiece of KAIROS is a process called autoDream — a nightly memory consolidation routine that runs while you're idle:

// Pattern from KAIROS/autoDream implementation (leaked source, v2.1.88)
// Background memory consolidation during idle periods
 
interface DreamSession {
  observations: Observation[];
  contradictions: Contradiction[];
  verifiedFacts: VerifiedFact[];
  consolidatedAt: Date;
}
 
async function runAutoDream(
  memoryStore: MemoryStore,
  projectContext: ProjectContext
): Promise<DreamSession> {
  // Run in a forked subagent — critically, NOT in the main agent's context.
  // This prevents the consolidation process from polluting the primary
  // "train of thought" with its own intermediate reasoning.
  const subagent = await forkSubagent(projectContext);
 
  const observations = await subagent.collectPendingObservations();
 
  // Merge disparate observations about the same topic
  const merged = await subagent.mergeObservations(observations);
 
  // Remove logical contradictions — if two observations conflict,
  // resolve them or flag for human review
  const contradictions = await subagent.findContradictions(merged);
  const resolved = await subagent.resolveContradictions(contradictions);
 
  // Convert vague "I think X might be true" notes into
  // verified facts by checking against the actual codebase
  const verified = await subagent.verifyAgainstCodebase(resolved);
 
  await memoryStore.consolidate(verified);
 
  return {
    observations: merged,
    contradictions,
    verifiedFacts: verified,
    consolidatedAt: new Date()
  };
}

The key architectural decision is that autoDream runs in a forked subagent, not in the main agent's context. This is not a small thing. If you run memory consolidation in the same context as the primary agent, you risk the consolidation process's intermediate reasoning polluting the primary agent's working model. The fork isolates the maintenance work from the productive work. When you come back in the morning, the main agent's context is clean and the consolidation has happened in a completely separate process.

Internal notes in the source suggested a teaser rollout window of April 1-7, with a full launch targeted for May 2026. The community already knows it's coming. Anthropic might as well ship it at this point.

ULTRAPLAN, COORDINATOR MODE, VOICE_MODE, and BUDDY

While KAIROS is the architectural headline, the leaked feature flag list is the competitive intelligence goldmine. There are 44 compile-time feature flags for unreleased capabilities.

ULTRAPLAN offloads complex planning tasks to a remote Cloud Container Runtime session running Opus. The remote session gets up to 30 minutes of thinking time. You approve the result from your phone or browser. When approved, a sentinel value — __ULTRAPLAN_TELEPORT_LOCAL__ — brings the plan back to your local terminal. Asynchronous agentic planning: fire off a hard problem, go do something else, approve the result when it's ready.

COORDINATOR MODE lets one Claude agent spawn and manage multiple worker agents in parallel, each running in its own isolated context. Multi-agent orchestration built directly into the CLI. This is what every serious enterprise use case needs and nobody has shipped cleanly yet.

VOICE_MODE is a fully implemented push-to-talk interface, sitting behind a feature flag.

BUDDY is a Tamagotchi-style terminal companion with 18 species and rarity tiers. It is compiled into the production binary. It is waiting. I have questions about the product meeting where this was approved, and also I kind of want it.

The Part You Actually Can't Take Back

Source code can be refactored. Architecture patterns can be re-implemented in ways that survive DMCA. A product roadmap that has been read by every serious engineering team in the industry is permanent.

The leaked source confirmed internal model codenames:

  • Capybara — a Claude 4.6 variant
  • Fennec — Opus 4.6
  • Numbat — an unreleased model still in pre-launch testing

The numbers attached to Capybara are the most damaging part of the leak. Internal benchmarks show the latest Capybara variant with a false claims rate of 29-30%, up from 16.7% in an earlier iteration. That's a regression. A significant one. In a model that's being used in a coding agent where hallucinating API signatures or function behavior causes actual broken code.

Anthropic hasn't commented on those numbers. They don't have to. They're already in every competitor briefing deck.

The Irony Is Too Good Not to Name

Claude Code has a built-in system called Undercover Mode. Its purpose is to allow the agent to make stealth contributions to public open-source repositories without leaving traces of Anthropic's involvement in commit messages or PR descriptions. The system prompt embedded in the source:

"You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."

Anthropic spent real engineering cycles building a system to prevent their internal operations from becoming visible to the public. Then their human release pipeline shipped the entire source code — including that system prompt, the internal model codenames, the benchmarks, and the unreleased feature roadmap — to a public registry in a file that anyone with npm install could download.

The gap between the AI safety engineering and the human release engineering is either tragic or theatrical. I genuinely cannot tell.

If You're a Claude Code User, Here's What You Actually Need to Do

The leak itself doesn't expose you to direct risk. No credentials, no user data. But the timing overlapped with a real supply chain attack that you should check for.

Malicious versions of the axios npm library (1.14.1 and 0.30.4) were published in the same window, both containing an embedded Remote Access Trojan via a dependency called plain-crypto-js. If you ran npm install or updated anything between 00:21 and 03:29 UTC on March 31:

# Check your lockfiles immediately
grep -r "1.14.1\|0.30.4\|plain-crypto-js" package-lock.json
grep -r "1.14.1\|0.30.4\|plain-crypto-js" yarn.lock
grep -r "1.14.1\|0.30.4\|plain-crypto-js" bun.lockb

For Claude Code specifically — Anthropic has recommended moving off the npm version entirely and using their native installer:

curl -fsSL https://claude.ai/install.sh | bash

If you must stay on npm: pin to 2.1.86 or anything past 2.1.89. Rotate your Anthropic API key via the developer console. Inspect any .claude/config.json files and custom hooks before running the agent in unfamiliar repositories.

The Bottom Line

Claude Code's $2.5B ARR was doubling faster than almost any developer tool in history before this week. One bad .npmignore entry doesn't change that trajectory. The engineering inside those 512,000 lines is genuinely impressive — the memory architecture alone is worth studying regardless of how it became public.

But this is at least the third time Claude Code npm packages have shipped source maps. The first two were quietly fixed. This one wasn't caught in time. For a product positioned as the serious developer tool that enterprises should trust with their codebases, "we've had this packaging failure mode three times" is a harder story to tell than "human error."

The code is out. KAIROS, ULTRAPLAN, BUDDY, the Capybara regression data — all of it. Every competitor has already read it. Anthropic's move now is to ship everything that's already built. The community knows it's coming. Turn the leak into a launch.