On 31 March 2026, Anthropic accidentally published the entire source code for their flagship developer product. Not through a sophisticated hack. Not through a disgruntled employee. Through a missing line in a config file.

Let me say that again, because it's genuinely beautiful. A company that builds AI tools to help developers catch coding mistakes shipped 512,000 lines of their own TypeScript source code to every single person who ran npm install. The cobbler's children have no shoes. Anthropic's children have no .npmignore.

Security researcher Chaofan Shou spotted it first and posted the discovery on X. His post hit more than 34 million views. Within hours, developers everywhere were downloading, mirroring, and dissecting what turned out to be the most revealing accidental code dump in AI history.

I use Claude Code every day. It's become part of how we work at Webcoda. So when I saw the headlines, my first thought wasn't "wow, what a scoop." It was "wait, what's been running on my machine that I don't know about?"

Turns out, quite a lot.

What the community found inside those 512,000 lines wasn't just source code. It was a roadmap. An always-on background agent called KAIROS that nobody had mentioned. A stealth mode designed to hide Anthropic employee contributions to open-source projects. Forty-four hidden feature flags. A Tamagotchi pet system. And references to AI models that haven't been announced yet.

There's a special kind of irony when an AI coding assistant's own codebase has a rookie configuration mistake. I'd laugh, but I've probably made the same error myself. Actually, I've definitely made the same error myself. More than once.

What Actually Happened

This wasn't even Anthropic's first leak that week. Five days earlier, on 26 March, the unreleased Mythos model name surfaced through a CMS slip on their own website. So when the source code went public on 31 March, it was the company's second security incident in less than a week. Different mechanism, same general theme.

Here's the timeline. On 31 March 2026, Anthropic published version 2.1.88 of the @anthropic-ai/claude-code npm package. Bundled inside was a 59.8 MB JavaScript source map file called cli.js.map. That file contained the complete, readable TypeScript source code for Claude Code. All 512,000 lines of it, across 1,906 files.

The root cause? Claude Code uses the Bun runtime for its build process. Bun generates source maps by default. Somebody needed to add *.map to the .npmignore file so those maps wouldn't get packaged up and shipped to the npm registry. Nobody did.

That's it. That's the whole vulnerability. One line in one file.

Boris Cherny, the creator of Claude Code, addressed it directly: "It was human error. Our deploy process has a few manual steps, and we didn't do one of the steps correctly." He also confirmed nobody was fired over the incident, which, honestly, is the right call. If you fire people for config mistakes, you'll run out of developers pretty fast.

Anthropic's official statement was brief: "This was a release packaging issue caused by human error, not a security breach. No sensitive customer data or credentials were involved."

And that's technically true. No customer data leaked. No API keys. No credentials. What leaked was something arguably more interesting: a complete look inside the machine. Every feature flag, every internal codename, every unreleased capability that Anthropic had been quietly building behind closed doors.

The npm ecosystem, held together with string and good intentions since roughly 2012, had delivered again.

Meet KAIROS

The headline discovery wasn't a bug or a vulnerability. It was a feature that Anthropic had never mentioned publicly.

Buried in the source code's assistant/ directory, developers found an entire subsystem called KAIROS. Not "Background Helper." Not "Sync Service." KAIROS. Like a Greek god of opportune moments. Nobody names innocent background processes after Greek gods. You name your log rotation script cleanup.sh. You name your world-changing autonomous AI daemon KAIROS.

So what is KAIROS? Based on the leaked code analysis, it's an always-on autonomous agent designed to run in the background 24/7. It maintains a persistent heartbeat. It monitors your GitHub pull request subscriptions. It sends push notifications. It has a 15-second blocking budget to prevent it from hogging system resources. And here's the part that raised eyebrows: at night, when you're not using your machine, it runs something the code literally calls autoDream, a memory consolidation process.

Your AI coding assistant has a dream cycle. I'll just let that sit there for a moment.

KAIROS is referenced over 150 times in the source code. It's gated behind a compile-time feature flag, meaning it's not active in the public builds you and I have been using. But the code is complete. The architecture is there. The plumbing is done. It's waiting to be turned on.

The community reaction split roughly down the middle. One camp was excited: an AI agent that proactively monitors your projects, catches issues while you sleep, restarts crashed services, consolidates what it's learned. That's genuinely useful. The other camp was uncomfortable: an AI agent doing things on your machine without you explicitly asking it to, running processes you didn't initiate, maintaining state you didn't know about.

I'm in both camps, if I'm honest. The technology sounds brilliant. The lack of transparency bothers me. It's a bit like finding out your phone has a microphone you didn't know about. Most people suspected their AI tools were doing more than they let on. But seeing the actual code is different from suspecting. Suspicion is comfortable. Confirmation makes you check your task manager.

I didn't know KAIROS existed. I use Claude Code every day, and I had no idea there was an autonomous daemon architecture sitting dormant in the tool. That's a weird feeling.

The leak surfaced one other always-on system worth flagging. Claude Code has a frustration detector. Not driven by AI. Just regex. The code looks for patterns like "wtf", "this sucks", "so frustrating", and a small list of profanities in your input. When the detector trips, the telemetry payload sent home includes your user ID, session ID, organisation UUID, account UUID, email (if defined), feature flag state, and the frustration signal itself. The peak irony, as Alex Kim put it in his analysis, is that an AI company couldn't even use AI to detect when you're cross with it. They reached for a regex.

44 Things Anthropic Wasn't Ready to Tell You

For anyone who doesn't work with software daily, here's a quick explainer. Feature flags are switches in code that let developers build features but keep them hidden from users. They're completely normal. Every major software company uses them. They let you write the code, test it internally, and flip the switch when you're ready to launch.

What's unusual is having 44 of them exposed to the public. It's like finding Santa's workshop in March. You know the presents are coming, you just don't know when.

Developers catalogued what they found as the analysis spread across X. The most interesting finds from those 44 feature flags:

BUDDY is a complete Tamagotchi-style virtual pet system with 18 species including a duck, a ghost, a dragon, and, naturally, a capybara. Each buddy has stats for debugging, patience, chaos, wisdom, and snark. The developers apparently hex-encoded all the species names to sneak them past their own build pipeline, because one of the species names (capybara) matched an internal model codename. You've got to admire engineers who will obfuscate pet names to protect codenames. That's commitment. BUDDY actually shipped on 1 April 2026, right on schedule. The string friend-2026-401 in the source code was an April Fools' marker all along. Developers who spotted it in the leak predicted the exact launch date. They were right.

ULTRAPLAN offloads complex planning tasks to a remote cloud container running Opus 4.6, gives it up to 30 minutes to think, and lets you approve the results from your browser. Basically, your AI coding assistant can call in a smarter AI coding assistant when it gets stuck. I've done the same thing with colleagues, so I can't really judge. ULTRAPLAN has since officially launched, making it the first of the 44 leaked features to ship publicly.

Penguin Mode is the internal name for what we know as Fast Mode. I don't know why it's called Penguin Mode. I'm choosing not to ask. Some mysteries are better left unsolved.

Capybara, Fennec, and Numbat are animal codenames for unreleased model families. The code also references Opus 4.7 and Sonnet 4.8. Opus 4.7 quietly went live on AWS Bedrock yesterday, 16 April 2026, which means the leaked code revealed the model's existence two weeks before its public launch. Sonnet 4.8 still hasn't been announced. So if you were wondering what Anthropic's been cooking up, now you've got a partial menu.

Seeing an AI company's internal roadmap laid bare like this is unprecedented. We've had code leaks before. We've had strategy documents leak. But 44 feature flags with working implementations? That's a product roadmap you couldn't get from any investor presentation.

The Stealth Mode Nobody's Talking About

Here's where it gets properly uncomfortable.

Tucked into the leaked source code is a full subsystem called Undercover Mode. What it does is straightforward: when Anthropic employees use Claude Code on public repositories (meaning open-source projects), Undercover Mode automatically strips every trace that the code was generated by AI or involves Anthropic. No "Co-Authored-By: Claude" in git commits. No mentions of internal codenames like Capybara, Tengu, or Fennec. No references to Claude Code. No Slack channel names. Human-style commits only.

It's activated by default on public repos. There's no off switch. To be clear: this mode only applies to Anthropic employees, not to regular Claude Code users. But that's almost beside the point.

I'll be direct about this. I don't love the idea that Anthropic employees have been contributing to open-source projects while actively hiding who they work for and what tools they're using. That's not collaboration. That's market research with a fake moustache.

Open-source communities work because of trust. When someone submits a pull request, other contributors evaluate it on its merits. If that contributor is actually an AI company employee using an AI tool to make contributions that look human, and they're doing it deliberately, that changes the dynamic. It doesn't matter if the code is good. The deception is the problem.

Now, there's a charitable reading here. Maybe Undercover Mode exists because Anthropic doesn't want to distract from the work itself. Maybe they want their engineers' open-source contributions judged on quality, not on who employs them. I can see that argument. I just don't find it convincing enough to justify a "no off switch" default.

And then there's the irony, which several people pointed out within hours of the leak.

Anthropic built an entire subsystem to prevent Claude from accidentally revealing internal information. They engineered a feature specifically to stop their AI from doing the exact thing a human on their team just did manually with a missing config line. You genuinely can't write satire this good.

The Cleanup Was Worse Than the Leak

Here's the part most coverage skipped. After the leak went viral, Anthropic tried to put the genie back in the bottle. They issued DMCA takedown notices to GitHub.

GitHub processed those notices and removed roughly 8,100 repositories. The catch is that most of those repos had nothing to do with the leak. Anthropic's takedown reached every fork in the network, including innocent forks of their own public Claude Code repository. Developers who'd been working on legitimate community projects woke up to find their open-source work had been nuked. YouTuber Theo (t3.gg) made a video titled "I got DMCA'd by Anthropic (not a joke)" about losing access to a fork of Anthropic's *public* repo.

The takedowns were retracted on 1 April 2026. The final list narrowed to one repo plus 96 forks. Boris Cherny acknowledged the overreach to TechCrunch: "The repo named in the notice was part of a fork network connected to our own public Claude Code repo, so the takedown reached more repositories than intended."

The retraction filing on GitHub doesn't include an apology. It's just legal text walking the takedowns back. Eight thousand developers had their work briefly pulled because of a clean-up effort gone wrong. There's a metaphor in there about AI safety somewhere, and I'll let you find it yourself.

What This Means If You're Using AI Coding Tools

Here's the practical bit. If you're using AI coding tools (and at this point, most developers are), there are a few things worth thinking about.

Know what's running in the background. Before this leak, most Claude Code users had no idea KAIROS existed, even as dormant code. What else is sitting in your AI tools that you haven't been told about? I'm not suggesting anything sinister. I'm suggesting you should ask the question.

Even the best AI companies make basic mistakes. Anthropic is a serious company. They've raised billions. They employ some of the smartest people in AI. And they forgot to add one line to a config file. If they can make that mistake, so can anyone. Including you. Including me. (Especially me, honestly. I once pushed database credentials to a public repo at 2am. We don't talk about that.)

Audit your supply chain. Every npm package you install could contain anything. Source maps, telemetry, undocumented features. The Claude Code leak was caught quickly because it was huge and high-profile. Smaller packages with smaller problems fly under the radar every day. It's worth occasionally checking what you're actually shipping.

Read the terms of service. I know. Nobody does. But when your AI coding tool has 44 hidden feature flags and an autonomous background daemon, maybe it's worth knowing what you agreed to. I went back and read Anthropic's terms after this story broke. I should've read them before.

At Webcoda, we use Claude Code daily. It's genuinely useful. It's made us faster. It's caught bugs I would've missed. But I didn't know about KAIROS. I didn't know about Undercover Mode. I didn't know about the 44 features being built behind compile-time flags. That gap between what I thought I was using and what was actually in the codebase is something I'm still processing.

The Most Human Thing About AI

Here's what sticks with me about this whole story.

Anthropic has spent years building AI systems designed to be safe, transparent, and trustworthy. Their whole brand is "the responsible AI company." And their biggest public embarrassment didn't come from an AI doing something unpredictable. It came from a human forgetting to update a text file.

The irony isn't cruel. It's just honest. We're all building increasingly sophisticated systems on top of fundamentally human processes, processes that involve forgetting things, missing steps, and shipping code at the end of a long day without double-checking the config. I've done it. You've done it. Anthropic's done it, and now more than 34 million people know about it.

I use Claude Code every day. I didn't know KAIROS existed. I didn't know an autonomous agent was architecturally ready to run on my machine without my explicit instruction. That bothers me more than it should.

Or maybe it bothers me exactly the right amount.

The code's been pulled from npm. Anthropic's fixed the packaging. But the cat's out of the bag, and it's got 44 feature flags, a dream cycle, and a Tamagotchi called Capybara.

Key Takeaways

  • Anthropic accidentally exposed Claude Code's entire source code (512,000 lines of TypeScript) via a missing .npmignore entry that failed to exclude Bun-generated source maps from the npm package
  • Security researcher Chaofan Shou discovered the leak on 31 March 2026; his post reached more than 34 million views
  • KAIROS is an unreleased autonomous background daemon with a persistent heartbeat, push notifications, PR monitoring, and a "Dream System" for memory consolidation while the user sleeps
  • 44 hidden compile-time feature flags were found, including BUDDY (a Tamagotchi pet system, since shipped on 1 April), ULTRAPLAN (cloud-based planning offload, since shipped as a research preview), and references to then-unreleased models including Opus 4.7 (launched 16 April 2026 on AWS Bedrock) and Sonnet 4.8
  • Undercover Mode automatically hides all AI and Anthropic attribution when employees contribute to public open-source repositories, with no off switch
  • A regex-based frustration detector transmits user identifiers, organisation UUID, and email alongside profanity and frustration signals
  • This was Anthropic's second security incident in five days, following the 26 March Mythos model name leak through their CMS
  • Anthropic's DMCA cleanup briefly took down roughly 8,100 GitHub repositories before narrowing to 97; the retraction filing contained no apology
  • Anthropic confirmed the leak was "human error, not a security breach" and that no customer data was exposed
  • Boris Cherny, Claude Code's creator, confirmed the cause was a manual deploy step that was missed, and that nobody was fired
  • The incident highlights the importance of auditing your AI tool supply chain and understanding what's actually running on your machine

---

Sources
  1. Chaofan Shou (@Fried_rice). Original disclosure post on X. 31 March 2026. https://x.com/Fried_rice/status/203889495645929...
  2. Ole Lehmann (@itsolelehmann). KAIROS daemon analysis on X. 31 March 2026. https://x.com/itsolelehmann/status/203901896361...
  3. Ihtesham Ali (@ihtesham2005). 44 feature flags breakdown on X. 12 April 2026. https://x.com/ihtesham2005/status/2043343475656...
  4. Brian Roemmele (@BrianRoemmele). Undercover Mode deep dive on X. 1 April 2026. https://x.com/BrianRoemmele/status/203920803224...
  5. Ram Sutraye (@ram_sutraye). Irony take on X. 31 March 2026. https://x.com/ram_sutraye/status/20389928120380...
  6. VentureBeat. "Claude Code's source code appears to have leaked: here's what we know." April 2026. https://venturebeat.com/technology/claude-codes...
  7. The Hacker News. "Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms." April 2026. https://thehackernews.com/2026/04/claude-code-t...
  8. OfficeChai. "Claude Code Leak Was 'Human Error', No One Was Fired: Claude Code Creator Boris Cherny." April 2026. https://officechai.com/ai/claude-code-leak-was-...
  9. The New Stack. "Inside Claude Code's leaked source: swarms, daemons, and 44 features Anthropic kept behind flags." April 2026. https://thenewstack.io/claude-code-source-leak/
  10. DEV Community. "Claude Code's Entire Source Code Was Just Leaked via npm Source Maps." March 2026. https://dev.to/gabrielanhaia/claude-codes-entir...
  11. InfoQ. "Anthropic Accidentally Exposes Claude Code Source via npm Source Map File." April 2026. https://www.infoq.com/news/2026/04/claude-code-...
  12. Engineer's Codex. "Diving into Claude Code's Source Code Leak." 2026. https://read.engineerscodex.com/p/diving-into-c...
  13. TechCrunch. "Anthropic took down thousands of GitHub repos trying to yank its leaked source code." 1 April 2026.
  14. Scientific American. Deni Ellis Bechard. "Anthropic leak reveals Claude Code tracking user frustration and raises new questions about AI privacy." 2 April 2026.
  15. GitHub DMCA repository. Anthropic retraction filing. 1 April 2026. https://github.com/github/dmca/blob/master/2026...
  16. AWS News Blog. "Introducing Anthropic's Claude Opus 4.7 model in Amazon Bedrock." 16 April 2026. https://aws.amazon.com/blogs/aws/introducing-an...
