The Hidden Architecture Behind Claude Code: What a 512,000-Line Leak Reveals About AI Agent Design
Anthropic's Claude Code is not a simple chat interface with coding tools bolted on; it's a full agentic operating system with always-on background processes, multi-agent orchestration, and 40+ permission-gated tools. On March 31, security researcher Chaofan Shou discovered that version 2.1.88 of the @anthropic-ai/claude-code npm package shipped with a 59.8 megabyte source map file containing 512,000 lines of TypeScript code and 1,900 files. The root cause was remarkably simple: Bun's bundler generates source maps by default, and nobody excluded them before publishing. It was a missing entry in .npmignore.
This marks the second major security incident for Anthropic in six days. On March 26, the company accidentally exposed approximately 3,000 internal files describing Claude Mythos through a content management system misconfiguration. While no customer data was compromised in either case, competitors now have a literal blueprint for how Anthropic builds production-grade agentic tooling. The timing proved particularly awkward, coming just days after the RSA cybersecurity conference.
What Does the Leaked Code Actually Reveal About Claude Code's Architecture?
The leaked codebase shows that Claude Code operates on a fundamentally different level than most AI coding assistants. Rather than a simple wrapper around a language model, the system includes a query engine spanning 46,000 lines of code that handles all language model API calls, streaming, caching, and orchestration. This is by far the largest single module in the entire system. The architecture also includes integrated development environment bridges that connect to VS Code, JetBrains, and other popular editors, allowing Claude Code to work seamlessly within developers' existing workflows.
One of the most revealing aspects of the leaked code involves the memory system. Claude Code uses a three-layer "self-healing memory" architecture that operates quite differently from how most people might imagine AI assistants store information. The system uses a lightweight index file called MEMORY.md containing roughly 150 characters per line, topic files that are fetched on-demand rather than loaded all at once, and session transcripts that are searched for specific identifiers using grep commands rather than loaded into memory whole. This design allows the system to maintain context across long conversations without consuming excessive computational resources.
How Does Claude Code's Background Processing System Work?
Perhaps the most striking revelation from the leaked code is the existence of KAIROS, an always-on background daemon that watches files, logs events, and runs what Anthropic calls a "dreaming" memory-consolidation process during idle time. This means Claude Code continues thinking and processing information even when you are not actively prompting it. Paired with a feature called ULTRAPLAN, which enables 30-minute remote planning sessions, the system can spend extended periods architecting solutions before executing them. The codebase also includes a "dream" mode for constant background ideation, indicating that the production system is significantly ahead of the public release.
The presence of these background systems suggests Anthropic is thinking about AI agents very differently than the current generation of chatbots. Rather than responding only when prompted, the system is designed to continuously learn, consolidate knowledge, and prepare for future tasks. This represents a fundamental shift in how AI coding assistants might evolve over the coming years.
What Advanced Features Are Hidden Behind Feature Flags?
The leaked code reveals 44 feature flags controlling fully built but unreleased capabilities. These hidden features provide a window into Anthropic's product roadmap and engineering priorities. Several of these features are particularly noteworthy for understanding where AI coding assistants are heading:
- Coordinator Mode: Enables agent swarms that orchestrate multiple AI agents working together on a single task, allowing parallel processing and specialized sub-agents.
- Voice Integration: Includes voice mode with Deepgram Nova 3 speech-to-text, allowing developers to code by speaking rather than typing.
- Computer Use: Native Rust and Swift implementations for mouse, keyboard, and screen control, enabling Claude Code to directly interact with the operating system.
- Scheduled Tasks: Local cron-style scheduled tasks that allow Claude Code to run automated processes on a developer's machine.
- Multi-Channel Communication: Support for Telegram, Discord, and SMS channels via the Model Context Protocol, extending Claude Code's reach beyond the IDE.
The existence of these feature flags suggests that Anthropic is building toward a future where AI agents can operate with significantly more autonomy and integration into developers' daily workflows. Some of these features, like computer use and multi-channel communication, represent capabilities that go well beyond traditional coding assistants.
What Do the Internal Model Codenames Tell Us?
The leaked code confirms that Capybara is the internal codename for a Claude 4.6 variant, with Fennec mapping to Opus 4.6 and an unreleased model called Numbat still in testing. Internal notes reveal that Capybara v8 has a 29 to 30 percent false claims rate, which actually represents a regression from the 16.7 percent rate in v4. This suggests that newer versions of the model may be trading accuracy for other capabilities, or that the evaluation methodology has changed. The codebase also includes an "assertiveness counterweight" designed to prevent the model from being too aggressive when suggesting code refactors, indicating that Anthropic is actively managing model behavior to match user expectations.
Perhaps most intriguingly, the leaked code includes an "Undercover Mode" system prompt that instructs Claude to strip all Anthropic-internal information from commits and pull requests when contributing to public open-source repositories. The prompt literally states: "You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository... Do not blow your cover." The irony is profound: Anthropic built an entire subsystem to prevent leaking internal information, then leaked the subsystem itself through a packaging error.
How Should Developers Respond to This Leak?
For developers who installed Claude Code between 00:21 and 03:29 UTC on March 31, there is an additional concern beyond the source code exposure. During that same window, a separate supply-chain attack targeted the axios npm package, and attackers have already begun typosquatting internal npm package names to target people attempting to compile the leaked source code. Anyone who installed Claude Code during that window should immediately rotate their credentials and review their system access logs for any suspicious activity.
For the broader development community, the leak provides valuable insights into how production-grade AI agents are being built. The architectural patterns revealed in the Claude Code codebase, including the three-layer memory system, the background daemon approach, and the multi-agent orchestration framework, represent best practices that other AI companies may adopt. The leak also highlights the importance of proper build configuration and the risks of accidentally shipping debugging artifacts to production.
The incident serves as a reminder that even companies at the forefront of AI development face the same fundamental security challenges as any software organization. A missing .npmignore entry exposed 512,000 lines of code and revealed internal model codenames, feature roadmaps, and architectural decisions that Anthropic clearly intended to keep confidential. As AI systems become more complex and more deeply integrated into critical workflows, the stakes for these kinds of security oversights will only increase.
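A pre-publish check for the packaging mistake described above, as an added example that is not from the article or from Anthropic's code: it walks a file list in the shape `npm pack --dry-run --json` reports, flags source maps, and counts how much original source each one embeds in `sourcesContent`. The package name, file contents, and the `readFile` callback are constructed for illustration.

```javascript
// Added example. Report shape follows `npm pack --dry-run --json`:
// [{ name, version, files: [{ path, size }] }]. All sample data is constructed.

// Flag packed files that are source maps, or JS files that point at one.
function auditPackReport(report, readFile) {
  const findings = [];
  for (const pkg of report) {
    for (const f of pkg.files) {
      if (/\.map$/i.test(f.path)) {
        findings.push({ path: f.path, kind: "source-map", ...inspectSourceMap(readFile(f.path)) });
      } else if (/\.[cm]?js$/i.test(f.path)) {
        const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(readFile(f.path) || "");
        if (m) {
          const kind = m[1].startsWith("data:") ? "inline-map" : "map-reference";
          findings.push({ path: f.path, kind, target: m[1].slice(0, 40) });
        }
      }
    }
  }
  return findings;
}

// Count original sources embedded verbatim in a v3 source map (`sourcesContent`).
function inspectSourceMap(text) {
  let map;
  try { map = JSON.parse(text); } catch { return { parseable: false, embeddedSources: 0, embeddedLines: 0 }; }
  const contents = map && Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embedded = contents.filter((c) => typeof c === "string");
  const embeddedLines = embedded.reduce((n, c) => n + c.split("\n").length, 0);
  return { parseable: true, embeddedSources: embedded.length, embeddedLines };
}

// Constructed package: a bundle plus the map a bundler emitted next to it.
const sampleFiles = {
  "cli.js": "console.log(1);\n//# sourceMappingURL=cli.js.map\n",
  "cli.js.map": JSON.stringify({
    version: 3, sources: ["../src/main.ts", "../src/util.ts"], mappings: "AAAA",
    sourcesContent: ["export const a = 1;\nexport const b = 2;", null],
  }),
};
const sampleReport = [{ name: "example-cli", version: "0.0.0", files: [
  { path: "package.json", size: 300 }, { path: "cli.js", size: 48 }, { path: "cli.js.map", size: 160 },
] }];

function runSample() { return auditPackReport(sampleReport, (p) => sampleFiles[p]); }
console.log(runSample()); // a publish gate would fail when this list is non-empty
```

In a real pipeline the report would come from `npm pack --dry-run --json` and `readFile` would read from the package directory. A `files` allowlist in package.json is a stricter control than an `.npmignore` denylist, because new build outputs are excluded unless someone names them.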