Claude Source Code Leak: What Really Happened and What Was Found Inside
On March 31, 2026, Anthropic accidentally made the entire source code of Claude Code — its AI-powered coding assistant — public due to a simple packaging error. No hack. No breach. Just a missing line in a configuration file that exposed 512,000 lines of internal TypeScript code to the entire internet.
Within hours, the code was mirrored across GitHub, studied by tens of thousands of developers, and rewritten into other languages. A community rewrite became what is likely the fastest-growing repository in GitHub's history. This is the full breakdown of what happened, what was found inside, and what it means.
What Is Claude Code?
Claude Code is Anthropic's official AI coding tool that runs directly in your terminal. It understands your codebase, edits files, runs commands, manages Git workflows, and handles complex software engineering tasks — all through natural language. It is one of Anthropic's most important commercial products, and paid subscriptions had reportedly more than doubled earlier in 2026.
How Did the Claude Source Code Leak Happen?
The leak was not sophisticated at all. Claude Code is built on Bun, a JavaScript runtime that Anthropic acquired in late 2025. Bun generates source map files by default during the build process. Source maps are debugging files that map compiled code back to the original source code.
When Anthropic's release team published the Claude Code npm package, someone forgot to add *.map to the .npmignore file — a simple configuration file that tells npm which files to exclude from a published package. As a result, a 59.8 MB source map file was shipped inside the public npm package, and that file contained a reference to the full, unobfuscated TypeScript source code stored in Anthropic's R2 storage bucket.
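A pre-publish check for the failure described above, as an added example (not Anthropic's code or tooling): it scans a package's file set for shipped .map files, embedded sourcesContent, remote source references, and sourceMappingURL comments left in bundles. The package contents, file names and URL in SAMPLE are constructed, and the function and issue names are hypothetical.

```javascript
// Added example: pre-publish gate that flags source-map exposure in a package.
// `files` maps path -> contents; in CI, fill it from the unpacked `npm pack` tarball.
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;
const isRemote = (s) => typeof s === 'string' && /^https?:\/\//i.test(s);

function auditSourceMap(path, text) {
  const out = [{ path, issue: 'map-file-shipped' }];
  let map;
  try { map = JSON.parse(text); } catch { return out; } // unparsable: still report the file
  // sourcesContent carries the original source text inline in the map.
  const embedded = (map.sourcesContent || []).filter((s) => typeof s === 'string' && s.length);
  if (embedded.length) out.push({ path, issue: 'original-source-embedded', count: embedded.length });
  // sourceRoot / sources may point at a location where the original source can be fetched.
  const remote = [map.sourceRoot, ...(map.sources || [])].filter(isRemote);
  if (remote.length) out.push({ path, issue: 'remote-source-reference', urls: remote });
  return out;
}

function auditPackage(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('.map')) { findings.push(...auditSourceMap(path, text)); continue; }
    if (!/\.[cm]?js$/.test(path)) continue;
    const m = MAP_COMMENT.exec(text);
    if (!m) continue;
    // An inline data: URI carries the whole map (and possibly the sources) inside the bundle.
    findings.push({ path, issue: m[1].startsWith('data:') ? 'inline-map' : 'map-comment', target: m[1] });
  }
  return findings;
}

// Constructed sample package contents (hypothetical names and URL, not from the incident).
const SAMPLE = {
  'package.json': '{"name":"example-cli","version":"1.0.0"}',
  'cli.js': 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': JSON.stringify({
    version: 3,
    sourceRoot: 'https://bucket.example.invalid/src/',
    sources: ['main.ts'],
    sourcesContent: ['export const secretFlag = true;'],
    mappings: 'AAAA',
  }),
};

for (const f of auditPackage(SAMPLE)) console.log(f.path, f.issue);
```

In a release pipeline the file set would come from the tarball that npm pack produces, and a non-empty findings list would fail the publish step.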
Developer Chaofan Shou (@Fried_rice) discovered the leak and posted publicly: "Claude's source code has been leaked via a map file in their npm registry!" That post went on to receive more than 29 million views within hours.
The source code — nearly 1,900 TypeScript files — was downloadable as a zip archive directly from Anthropic's own storage. By the time Anthropic began issuing copyright takedown requests, the code had already been mirrored across dozens of GitHub repositories.
What Was Found in the Claude Code Source Code?
Developers who studied the leaked code found far more than just basic tool architecture. Here is what was inside.
KAIROS — An Unreleased Autonomous Agent Mode
Referenced over 150 times throughout the source code, KAIROS is an unreleased feature where Claude operates as a persistent, always-on background agent. Named after the Greek concept of "the right moment," it receives periodic tick prompts to decide whether to take action independently, maintains append-only daily log files, and subscribes to GitHub webhooks. KAIROS was sitting behind feature flags with no announced launch date.
autoDream — Background Memory Consolidation
A companion feature to KAIROS called autoDream runs as a forked subagent while the user is idle. It merges observations from previous sessions, removes contradictions in memory, converts vague insights into definitive facts, and has read-only bash access. Essentially, a background process that consolidates what Claude has learned about your codebase while you are not using it.
ULTRAPLAN — Remote Cloud Planning Sessions
Another unreleased feature called ULTRAPLAN offloads complex planning tasks to a remote cloud session running Opus 4.6 with up to 30 minutes of dedicated thinking time. It is designed for tasks too complex to plan locally within a single session.
A Tamagotchi-Style Companion System
The source code includes a Tamagotchi-style companion feature — a coding assistant with personality, frustration detection, and state management. It tracks the user's emotional state during sessions and adapts its behavior accordingly.
Anti-Distillation Features
The code reportedly includes anti-distillation mechanisms designed to pollute any training data that competitors might attempt to extract from Claude's outputs. This suggests Anthropic was actively building defenses against model distillation attacks directly into the product architecture.
Internal Codenames
The leak revealed several internal Anthropic project codenames that had never been made public:
- Tengu — the internal project codename for Claude Code itself
- Capybara — a new model family, possibly related to the separately leaked "Mythos" model spec
- Fennec — the internal codename for Opus 4.6
- Numbat — an unreleased model with no public announcement
Unreleased Model References
References to Opus 4.7 and Sonnet 4.8 were found in the source code's Undercover Mode configuration — a list of forbidden strings the model is not supposed to reveal. Their presence in that list confirms these models exist in development and are further along than any public announcement has indicated.
The Scale of the Architecture
The codebase revealed the complexity behind Claude Code's context management system. The query engine alone spans 46,000 lines. The base tool definition is 29,000 lines. The terminal UI uses a custom React renderer built on Ink with game-engine-style optimization. There are five distinct compaction strategies for managing context windows — something users had experienced the effects of without knowing it existed.
What Is "Claw Code"?
Within hours of the leak, the developer community launched a community rewrite of the Claude Code source. This project became known as claw-code — a portmanteau of Claude and claw — and quickly became what is considered the fastest-growing repository in GitHub's history, reaching 50,000 stars in roughly two hours. It represents independent developers building on the architectural patterns revealed in the leak to create open alternatives.
Was Any User Data Exposed?
According to Anthropic, no sensitive customer data or credentials were involved or exposed in the leak. An Anthropic spokesperson stated: "This was a release packaging issue caused by human error, not a security breach."
The exposed code was related to internal tool architecture — not to the underlying Claude AI model itself, and not to any user accounts, API keys, or personal information.
What Are the Security Risks?
Even without user data being exposed, security researchers flagged serious risks from the leak. With full source code visibility, threat actors can now more precisely target known vulnerabilities. Pre-existing flaws related to arbitrary shell execution and API key exfiltration via malicious repository configurations became significantly easier to weaponize once attackers could study the exact hook and permission logic in the source.
The timing made things worse. The Claude Code source leak occurred on the same day as a separate malicious Axios npm supply chain attack, where remote access trojans were published to npm between 00:21 and 03:29 UTC on March 31. Anyone updating Claude Code via npm that day was exposed to both incidents simultaneously.
Was This the First Time?
No. A similar source code exposure occurred in February 2025, making this at minimum the second such incident in 13 months. The March 31 leak also came just five days after a separate "Mythos" model spec leak, where a CMS misconfiguration exposed roughly 3,000 internal Anthropic files, including draft blog posts about unreleased models. Two leaks in one week from a company that positions itself as the safety-first AI laboratory.
Anthropic's Response
Anthropic confirmed the incident was caused by human error in the release packaging process. The company issued copyright takedown requests to GitHub and other platforms to limit the spread of the code. However, given how quickly the code was mirrored — and how many developers had already downloaded, studied, and rewritten significant portions of it — containment was largely symbolic by the time takedowns were issued.
What Does This Mean for Developers Using Claude Code?
For everyday Claude Code users, the practical impact is limited. No account data was exposed, the tool continues to work normally, and Anthropic has since pushed a corrected package that excludes the source map files.
For the developer community more broadly, the leak provided an unprecedented look at how one of the most advanced AI coding agents is actually built — the architectural decisions, the unreleased features in development, the internal roadmap signaled by model codenames, and the scale of engineering behind what appears to be a simple terminal tool.
Frequently Asked Questions: Claude Source Code Leak
No. It was an accidental packaging error. Anthropic confirmed it was caused by human error — specifically a missing exclusion in the .npmignore configuration file — and not a security breach or external attack.
No. The leaked code remains Anthropic's proprietary intellectual property. Anthropic has issued copyright takedown notices against repositories hosting the code. The existence of community rewrites like claw-code on GitHub does not change the legal status of the original source.
Anthropic has been actively issuing DMCA takedown requests against repositories hosting the leaked code. Most of the original mirrors have been taken down. Hosting or distributing the code carries legal risk as it remains proprietary property of Anthropic.
Claw-code is a community-built rewrite of Claude Code created by independent developers who studied the leaked architecture. It became one of the fastest-growing GitHub repositories ever recorded. It is built independently of the original source code and is not affiliated with Anthropic.
No. The leaked code is the source code for the Claude Code CLI tool — the interface and agent logic that wraps around the Claude model. The underlying Claude AI model, its weights, and its training data were not part of the leak.
Final Thoughts
The Claude source code leak is one of the most significant accidental disclosures in AI industry history — not because of what was compromised in terms of user data (nothing was), but because of what it revealed about the internal direction of one of the leading AI companies in the world. Unreleased autonomous agent modes, background memory systems, new model families, and anti-distillation features — all hidden behind a missing line in a configuration file.
For a company whose entire brand is built around safety, caution, and careful AI development, two leaks in one week is a significant credibility moment. The technical community will be studying what was found inside that 59.8 MB source map for a long time.