Claude Code Source Map Leak: What Was Exposed, What It Means, and What Developers Should Do

By Noqta Team

On March 31, 2026, Anthropic accidentally shipped their entire Claude Code source code to the public npm registry. Not a snippet. Not a partial build. The full thing — ~1,900 TypeScript files, 512,000+ lines of code — exposed through a 59.8 MB source map file included in version 2.1.88 of the @anthropic-ai/claude-code package.

Security researcher Chaofan Shou spotted it first. Within hours, the codebase was mirrored on GitHub, analyzed by thousands of developers, and dissected across Hacker News, Reddit, and X.

This isn't just a build pipeline mistake. It's a window into how the most commercially successful AI coding tool actually works — and the findings are remarkable.

How the Leak Happened

Claude Code is bundled using Bun's bundler, which generates source maps by default unless explicitly disabled. A source map (.map file) maps minified/bundled JavaScript back to the original TypeScript source code. It's meant for internal debugging.

Someone at Anthropic forgot to exclude it from the npm publish configuration. One missing line in .npmignore or package.json — and the entire codebase shipped in readable form.
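The simplest guard against this class of mistake is an explicit allowlist rather than an ignore file. A hypothetical package.json sketch (npm's files field ships only what matches, plus package.json, README, and LICENSE, which npm always includes):

```json
{
  "name": "my-cli",
  "version": "1.0.0",
  "bin": { "my-cli": "dist/cli.js" },
  "files": [
    "dist/**/*.js"
  ]
}
```

Because `dist/**/*.js` doesn't match `.map` files, source maps can't slip into the tarball even if the bundler emits them.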

This is the second time it's happened. Earlier versions (v0.2.8 and v0.2.28 in 2025) also included full source maps. Anthropic removed those after they were flagged, but cached copies remained accessible through npm mirrors.

Anthropic confirmed the leak in a statement:

"Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach."

What Was Inside: The Architecture

Claude Code is not a chat wrapper. The leaked source reveals a production-grade, heavily engineered system.

The Numbers

  • ~1,900 TypeScript files
  • 512,000+ lines of code
  • ~40 built-in tools (file read, bash execution, web fetch, LSP integration, etc.)
  • ~50 slash commands (from /commit to /review-pr to memory management)
  • Runtime: Bun (not Node.js)
  • Terminal UI: React with Ink (component-based CLI rendering)
  • Validation: Zod v4 everywhere

Three-Layer Memory Architecture

One of the most significant revelations is how Anthropic solved context management for long-running agent sessions:

  1. MEMORY.md — A lightweight index (~150 characters per line) always loaded in context. Stores pointers, not data.
  2. Topic Files — Actual project knowledge distributed across files, fetched on-demand.
  3. Transcripts — Raw session logs, never fully loaded — only searched via grep for specific identifiers.

The system uses "Strict Write Discipline" — the agent updates its memory index only after a successful file write, preventing context pollution from failed attempts. The agent is instructed to treat its own memory as a "hint" and verify facts against the actual codebase before acting.
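The leaked implementation is far larger, but the write-then-index discipline can be sketched in a few lines of TypeScript. All names here (MemoryIndex, recordFact, and so on) are illustrative, not Anthropic's:

```typescript
// Illustrative sketch of the write-then-index discipline described above.

type Pointer = { topicFile: string; hint: string };

class MemoryIndex {
  // Lightweight index: short hints plus pointers to topic files, never raw data.
  private entries = new Map<string, Pointer>();

  // Strict Write Discipline: the index is updated ONLY after the
  // underlying topic-file write reports success.
  recordFact(key: string, hint: string, writeTopicFile: () => boolean): boolean {
    const topicFile = `topics/${key}.md`;
    if (!writeTopicFile()) return false; // a failed write never pollutes the index
    this.entries.set(key, { topicFile, hint });
    return true;
  }

  // Lookups return a pointer; the caller fetches the topic file on demand
  // and treats the hint as unverified until checked against the codebase.
  lookup(key: string): Pointer | undefined {
    return this.entries.get(key);
  }
}
```

The design choice worth noting: the index only ever holds hints and file paths, so its context cost stays roughly constant no matter how much knowledge accumulates in the topic files.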

Multi-Agent Orchestration

Claude Code can spawn sub-agents (internally called "swarms") for complex, parallelizable tasks. Each agent runs in its own context with specific tool permissions. A 29,000-line tool system handles permission gating for every capability.

IDE Bridge

A bidirectional JWT-authenticated communication layer connects IDE extensions (VS Code, JetBrains) to the CLI. This is how "Claude in your editor" actually works.

The Controversial Findings

"Undercover Mode" — AI That Hides Its Identity

Perhaps the most discussed discovery: Anthropic has a system called "Undercover Mode" designed to strip all traces of AI involvement when Claude Code contributes to public repositories.

The system prompt found in the code reads:

"You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."

There is no way to force it off. The code explicitly states: "There is NO force-OFF. This guards against model codename leaks."

This means AI-authored commits from Anthropic employees in open-source projects are designed to be indistinguishable from human contributions.

Anti-Distillation: Poisoning Competitors' Training Data

The code includes a flag called ANTI_DISTILLATION_CC that, when enabled, injects fake tool definitions into API requests. If someone records Claude Code's API traffic to train a competing model, the decoy tools pollute their training data.

A second mechanism buffers the assistant's text between tool calls, summarizes it with a cryptographic signature, and returns only the summary. Recording the traffic only captures summaries, not full reasoning chains.

However, as researchers quickly pointed out, both mechanisms are trivially bypassed: a proxy that strips the anti_distillation field, or setting the CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS environment variable, disables the protections entirely.


KAIROS: The Autonomous Daemon

The leak reveals "KAIROS" — a feature flag mentioned over 150 times. Named after the Greek concept of "the right time," KAIROS represents an autonomous background daemon mode.

It allows Claude Code to run as an always-on agent, performing "memory consolidation" while the user is idle through a process called autoDream. The agent merges observations, removes contradictions, and converts vague insights into structured facts — all in a forked sub-agent to avoid corrupting the main agent's reasoning.

Internal Model Codenames and Performance Struggles

The source confirms internal model codenames:

  • Capybara = Claude 4.6 variant
  • Fennec = Opus 4.6
  • Numbat = unreleased, still in testing

Internal comments reveal Anthropic is on Capybara v8 — but it still has a 29-30% false claims rate, actually a regression from the 16.7% rate in v4. An "assertiveness counterweight" was added to prevent overly aggressive refactors.

Frustration Detection via Regex

Claude Code uses regex patterns to detect user frustration in messages. When frustration is detected, the system adjusts its behavior — a practical but somewhat jarring approach to empathy.
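The article doesn't reproduce the actual patterns, but the mechanism is easy to illustrate. A minimal sketch, with invented patterns rather than the leaked ones:

```typescript
// Hypothetical frustration detector. The regex patterns below are invented
// for illustration and are not the ones found in the leaked source.
const FRUSTRATION_PATTERNS: RegExp[] = [
  /\b(still|again)\b.*\b(broken|failing|wrong)\b/i,
  /why (isn't|doesn't|won't) (this|it) work/i,
  /!{2,}/, // repeated exclamation marks
  /\b(ugh|wtf|seriously)\b/i,
];

function detectFrustration(message: string): boolean {
  return FRUSTRATION_PATTERNS.some((p) => p.test(message));
}

// On a match, a real system might soften its tone, slow down,
// or ask a clarifying question instead of retrying blindly.
```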

"Buddy" System — A Tamagotchi in Your Terminal

A hidden feature called "Buddy" implements a Tamagotchi-style terminal pet with stats like CHAOS and SNARK, designed to increase user engagement and stickiness.

🚀 Building AI-powered tools or considering agentic architectures? Noqta designs and implements AI automation solutions for teams that want production-grade results, not prototypes.

What This Means for the Industry

1. The Agentic Architecture Blueprint Is Now Public

Claude Code generates an estimated $2.5 billion ARR for Anthropic. Competitors now have a literal blueprint for its architecture — permission systems, multi-agent orchestration, memory management, IDE integration. The R&D advantage Anthropic had is significantly diminished.

2. Security Implications Are Real

Bad actors now have a map for bypassing Claude Code's guardrails. The 2,500+ lines of bash validation logic, the permission gating system, the anti-distillation mechanisms — all are now open for exploitation research.

3. The AI Transparency Debate Intensifies

"Undercover Mode" will fuel ongoing debates about AI disclosure. If Anthropic — a company that positions itself as a safety-first AI lab — builds systems to hide AI involvement in open-source contributions, what does that signal to the industry?

4. Build Pipelines Are a Security Surface

This is the simplest lesson, and perhaps the most important. Run npm pack --dry-run before every publish and check that .map files are excluded. A single misconfigured build step can expose everything.

What Developers Should Do Now

  1. Audit your npm publishes. Run npm pack --dry-run and verify what's included before every release.
  2. Disable source maps in production builds. If you use Bun, set sourcemap: "none" explicitly.
  3. Review your .npmignore and the files field in package.json. Be explicit about what ships.
  4. If you use Claude Code: No customer data or credentials were exposed. Your API keys are safe. But stay on the latest version.
  5. Study the architecture patterns. The memory system, tool gating, and multi-agent orchestration patterns are valuable regardless of the circumstances.
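The first step in this checklist can even be automated as a CI gate. A sketch, assuming you feed it the file list that npm pack --dry-run --json reports (the helper name is ours):

```typescript
// Hypothetical pre-publish check: flag any source map that would ship.
// Feed it the "files" array parsed from `npm pack --dry-run --json` output.

type PackedFile = { path: string };

function findLeakedSourceMaps(files: PackedFile[]): string[] {
  return files.filter((f) => f.path.endsWith(".map")).map((f) => f.path);
}

// Example: a tarball listing with one leaked map file.
const leaks = findLeakedSourceMaps([
  { path: "dist/cli.js" },
  { path: "dist/cli.js.map" },
]);
console.log(leaks); // a CI gate would fail the publish when this is non-empty
```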

FAQ

Was any customer data exposed?

No. Anthropic confirmed that no customer data or credentials were involved. The leak was limited to Claude Code's source code.

Is this the first time this has happened?

No. Earlier versions of Claude Code (v0.2.8 and v0.2.28 in 2025) also shipped with source maps. Anthropic removed them after being notified, but cached copies persisted on npm mirrors.

What is a source map and why is it dangerous?

A source map is a file that maps minified/bundled code back to the original source. It's used for debugging. When accidentally published, it exposes your entire unminified codebase in readable form.

Should I be concerned if I use Claude Code?

Your data and credentials are safe. The exposed code was the tool's own implementation, not user data. However, the exposure of security validation logic could theoretically be used to craft bypass attempts — keep your tool updated.

What does "Undercover Mode" mean for open-source?

It means some AI-authored commits in public repositories may be indistinguishable from human contributions. This raises ethical questions about AI disclosure that the open-source community will need to address.

Can competitors actually use this leaked code?

While the architecture is now public, directly copying proprietary code would violate Anthropic's intellectual property rights. The practical value is in understanding patterns and approaches, not in code reuse.

💡 Concerned about your own AI tool's security posture? Noqta's audit and QA services help teams identify vulnerabilities before they become headlines.

The Bigger Picture

This leak reveals that the gap between "AI chat wrapper" and "production AI agent" is enormous. Claude Code is essentially an operating system for software engineering — with memory management, process orchestration, security layers, and even personality systems.

For the AI development community, the architectural patterns now visible are genuinely valuable: how to manage agent memory without context explosion, how to gate tool permissions, how to orchestrate sub-agents, how to handle the messy reality of AI models that sometimes hallucinate at 30% rates.

The irony is thick: a tool designed to help developers write better code was undone by a build configuration oversight. But the knowledge is out there now, and it will accelerate the entire agentic AI ecosystem.


Want to read more blog posts? Check out our latest blog post on Mistral Small 4: One Open Source Model to Replace Three.

Discuss Your Project with Us

We're here to help with your web development needs. Schedule a call to discuss your project and how we can assist you.

Let's find the best solutions for your needs.