Alea

Claude Code's Source Leaked. Here's What 512,000 Lines Reveal.

April 1, 2026

A Bun bug and a missing config line gave the world a 512,000-line X-ray of the most popular AI coding tool. What the code reveals about Anthropic's roadmap is more interesting than the leak itself.

TL;DR

  • A source map in npm v2.1.88 exposed Claude Code's full TypeScript codebase
  • KAIROS, an always-on daemon mode, is the biggest product roadmap reveal
  • Anti-distillation fake tools and Undercover Mode show Anthropic playing defense
  • Clean-room rewrites in Python and Rust spread faster than the DMCA takedowns

What happened

A routine npm update exposed Anthropic's most guarded codebase. On March 31, Claude Code version 2.1.88 shipped with a 59.8 MB source map file that pointed to the full, unobfuscated TypeScript source on Anthropic's cloud storage. Security researcher Chaofan Shou found it at 4:23 AM ET and posted it on X. Within hours, the post crossed 21 million views.

The root cause was mundane: a Bun runtime bug that serves source maps in production despite documentation saying otherwise, combined with a missing `.npmignore` entry. One config line. That was the gap.
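
A pre-publish check for the packaging gap described above, as an added example (not Anthropic's or Bun's code): it audits the files that would land in the tarball for `.map` files, maps whose `sources` point at remote storage, and `sourceMappingURL` comments. The `{path, content}` input shape and the sample files are constructed for illustration; in a real pipeline the file list could come from `npm pack --dry-run --json`.

```javascript
// Added example: pre-publish source-map audit; input shape and sample data are assumptions.
const MAP_FILE = /\.map$/i;
const BUNDLE_FILE = /\.(?:[cm]?js|css)$/i;
// Matches "//# sourceMappingURL=..." and "/*# sourceMappingURL=... */".
const MAP_COMMENT = /(?:\/\/|\/\*)[#@]\s*sourceMappingURL=([^\s*]+)/g;
const REMOTE = /^https?:\/\//i;

function classifyReference(target) {
  if (target.startsWith('data:')) return 'reference-inline'; // map embedded in bundle
  if (REMOTE.test(target)) return 'reference-remote';        // map hosted elsewhere
  return 'reference-local';                                  // sibling .map file
}

function auditMapFile(path, content) {
  const findings = [{ path, kind: 'map-file' }];
  let map;
  try { map = JSON.parse(content); } catch { return [...findings, { path, kind: 'unparseable-map' }]; }
  // sourcesContent carries the original source verbatim inside the map.
  if (Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean)) {
    findings.push({ path, kind: 'embedded-sources' });
  }
  // Remote entries in "sources" tell a reader where the originals are hosted.
  if (Array.isArray(map.sources) && map.sources.some((s) => REMOTE.test(String(s)))) {
    findings.push({ path, kind: 'remote-sources' });
  }
  return findings;
}

function auditPackage(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (MAP_FILE.test(path)) {
      findings.push(...auditMapFile(path, content));
    } else if (BUNDLE_FILE.test(path)) {
      for (const m of content.matchAll(MAP_COMMENT)) {
        findings.push({ path, kind: classifyReference(m[1]) });
      }
    }
  }
  return findings;
}
// Constructed sample: a bundle shipped with its map, whose sources are remote.
const SAMPLE_FILES = [
  { path: 'package.json', content: '{"name":"example-cli","version":"0.0.0"}' },
  { path: 'cli.js', content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: JSON.stringify({ version: 3, mappings: 'AAAA',
    sources: ['https://storage.example.invalid/src/main.ts'] }) },
];
console.log(auditPackage(SAMPLE_FILES));
```

Run as a CI step before `npm publish`, a non-empty findings list is the signal to fail the job.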

The scale was not. The archive contained roughly 512,000 lines of TypeScript across 1,900 files: the full tool registry, system prompts, 44 feature flags, internal model codenames, and the complete permission and security architecture. Anthropic pulled the package, but by then mirrors were everywhere.

Anthropic's statement to CNBC: "No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach." The framing matters: what leaked was the agentic scaffolding, the software layer that tells the model how to use tools and enforces guardrails. Model weights, training data, and backend infrastructure stayed behind the wall.

The timing made it worse. Five days earlier, Fortune reported that roughly 3,000 unpublished files had been found in an unsecured Anthropic data store, revealing an unreleased model codenamed Mythos described internally as a "step change" in capabilities. Two exposures in one week, right as the company appears to be preparing for an IPO.

What the code reveals

Forty-four feature flags were gated behind compile-time elimination, invisible in the public build. The source map exposed all of them. Three matter most.

KAIROS appears over 150 times in the codebase. Named after the Greek word for "the right moment," it turns Claude Code into an agent that runs continuously: subscribing to GitHub webhooks, executing 5-minute cron cycles, making proactive decisions via periodic `<tick>` prompts, and consolidating its own memory overnight through a process called autoDream. It has exclusive tools (`PushNotification`, `SubscribePR`, `SendUserFile`) and operates in "Brief Mode" with a 15-second blocking budget to stay out of the developer's way. A daemon, not a chatbot.

The architecture beneath KAIROS is worth pausing on. Claude Code's memory system uses `MEMORY.md` as a lightweight index perpetually loaded into context, with selective history searching and verification against actual code to prevent hallucination drift. autoDream runs as a forked subagent with read-only bash access, activating only after 24+ hours have elapsed and 5+ sessions have completed. It reconciles contradictions, converts tentative observations into verified facts, and prunes the memory index to stay within a 200-line / 25KB budget. ULTRAPLAN, another gated feature, offloads complex planning tasks to remote cloud sessions running Opus 4.6 with a 30-minute thinking budget. The terminal polls every 3 seconds for results. Unreleased model codenames (Capybara v2, Fennec, Numbat, Opus 4.7, Sonnet 4.8) were also visible in the source.

BUDDY got the most attention. A Tamagotchi-style CLI pet with 18 species across 5 rarity tiers, procedurally generated from the user's ID using a Mulberry32 PRNG. Each buddy has stats (DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK), ASCII art sprites with animation frames, and a speech bubble next to the input box. The salt `'friend-2026-401'` and an April 1-7 teaser window point to an April Fools' feature.

The more consequential discoveries were defensive. An `ANTI_DISTILLATION_CC` flag injects fake tool definitions into API requests to poison competitor training data. Undercover Mode strips all Anthropic-internal identifiers from contributions to public repositories, with a force-on switch and no force-off.

Smaller details filled in the picture. A frustration regex in `userPromptKeywords.ts` detects when users are annoyed. An internal comment noted roughly 250,000 API calls per day wasted globally from repeated compaction failures. The security architecture runs 25+ validators in sequence through `bashSecurity.ts`, with three separate shell-parsing systems that parse differently, creating potential bypass paths. And on the same day as the leak, the axios npm package was compromised with a Remote Access Trojan. Claude Code depends on axios. Anyone who installed between 00:21 and 03:29 UTC may have pulled the poisoned version.

The nuance people are missing

The dominant social media frame was "Anthropic accidentally open-sourced Claude Code." That conflates two things. The source is now publicly readable, but readable source and an open-source license are different.

A buildable fork exists. It reconstructs the missing build system pieces so the leaked snapshot compiles, but it still requires a valid Anthropic API key or `claude login` to function. Without Anthropic's servers, the code does nothing. The leak made Claude Code inspectable, not self-hostable.

Some of what people treated as revelations were already documented. Anthropic's own docs describe auto memory, `MEMORY.md`, per-project storage, and topic files with a 200-line budget. The leak adds depth, particularly the KAIROS-layer patterns for append-only daily logs and overnight memory distillation, but the core memory architecture was public before the source map shipped.

The community response moved faster than the DMCA. Anthropic issued takedowns against direct copies, and GitHub complied across 8,100+ forks. It did not matter.

Sigrid Jin's claw-code, a clean-room Python rewrite built using OpenAI's Codex, hit 50,000 GitHub stars in two hours. A Rust port followed. GitLawb, a decentralized git platform, mirrored the original TypeScript and declared it would never come down.

Clean-room reimplementation has legal precedent back to Compaq reverse-engineering the IBM BIOS in the 1980s. The wrinkle here is new: the developers read the leaked code, then used AI to write new code in a different language. Whether that qualifies as "clean room" is legally untested.

The best comparison frame comes from scale. A prompt leak exposes instructions. A model-weight leak (like LLaMA in 2023) exposes capabilities. This sits in between: it exposed the orchestration layer, the memory plumbing, the security architecture, and the product roadmap of a production AI agent.

The contrast with competitors sharpens the point. Google and OpenAI released Gemini CLI and Codex CLI as Apache 2.0 open-source projects on purpose. Anthropic's equivalent got there by accident. And this is not the first time Anthropic has asserted control over Claude Code's source: in April 2025, the company sent a takedown notice to a developer who tried to reverse-engineer the tool. The posture is consistent, even if the execution is not.

How people are reading it

The reaction split into three camps almost immediately. One group treated the leak as an accidental open-source event, celebrating the inspectability and forking the code within minutes. Builders read the source like an architecture textbook, pulling out patterns for memory management, tool registries, context compression, and prompt caching. Skeptics warned against overstating the impact: no model weights leaked, no customer data was exposed, and the CLI wrapper alone does not make Claude self-sufficient. The best-sourced myth-buster came from LowCode Agency, which walked through each misconception: not a hack, not model weights, not an open-source license, and not enough to run Claude without Anthropic's servers.

Hacker News hit 1,878 points and 920 comments. The hottest threads centered on Undercover Mode, code quality (a single function in `print.ts` spans 3,167 lines with 12 levels of nesting), and whether AI-assisted clean-room rewrites hold up legally. On X, the discourse cycled from shock to memes about "the AI that leaked itself" to serious architectural analysis within a single afternoon.

A Gartner analyst told The Verge the bigger concern was operational maturity: a company positioning itself as the safety-first AI lab struggling with basic release engineering. Boris Cherny, head of Claude Code, had posted in December that "100% of my contributions to Claude Code were written by Claude Code" over a 30-day period. The irony was hard to miss.

The afterlife of this story is already forming. Mirror repos, buildable forks, clean-room ports in Python and Rust, and an awesome-list cataloging every analysis and derivative tool. Someone built an MCP server that lets AI coding tools browse the leaked source interactively: Claude Code exploring its own codebase. The conversation has moved past the archive itself and into derivative tooling and open specs.

The leak revealed more about AI tooling's future than about Anthropic's security. The moat for coding agents is shifting from model access to orchestration, and that orchestration layer is now readable.