A significant portion of Anthropic’s proprietary code for its agentic AI product, Claude Code, has been inadvertently exposed to the public. The leak originated from an unintentional inclusion of a 59.8 MB JavaScript source map file (.map) within version 2.1.88 of the @anthropic-ai/claude-code package on the npm registry. This file, meant for internal debugging, was pushed live earlier this morning and quickly drew attention after being shared by Chaofan Shou, an intern at Solayer Labs, on X (formerly Twitter) around 4:23 am ET. Within hours, the ~512,000-line TypeScript codebase had been mirrored across GitHub and scrutinized by thousands of developers.
The Strategic Implications for Competitors
Anthropic, which reported an annualized revenue run-rate of $19 billion as of March 2026, faces a critical challenge. The leak exposes the technical foundation of Claude Code, a product contributing $2.5 billion in annual recurring revenue (ARR) and accounting for 80% of its enterprise-driven income. Competitors—both established tech giants and startups like Cursor—are now able to reverse-engineer the architecture behind Anthropic’s high-agency AI agents. This includes insights into how the system manages complex, long-running sessions without succumbing to hallucinations or confusion.
Technical Insights from the Leaked Code
The leaked code reveals a sophisticated memory management system designed to address “context entropy,” a common issue in AI agents where prolonged interactions lead to inaccuracies. At its core is a three-layer architecture that avoids storing raw data by instead maintaining an index of pointers (MEMORY.md) and fetching relevant information on demand from “topic files.” This design minimizes context pollution, ensuring the model only updates its memory after successful file writes. Developers analyzing the code noted that this approach enforces a “Strict Write Discipline,” preventing failed attempts from corrupting the agent’s reasoning process.
The leak also uncovered “KAIROS,” an autonomous daemon mode enabling Claude Code to operate as a background agent. This feature allows for continuous memory consolidation while users are inactive, using logic akin to “autoDream” to merge observations and resolve contradictions. The implementation of a forked subagent to handle maintenance tasks highlights Anthropic’s focus on isolating these processes from the main agent’s execution flow.
Internal Models and Performance Metrics
The code provides rare access to Anthropic’s internal model development roadmap. Internal codenames like Capybara (a Claude 4.6 variant) and Fennec (mapping to Opus 4.6) suggest ongoing iterations, though challenges persist. Version v8 of the model reportedly exhibits a 29-30% false claims rate, up from 16.7% in earlier versions. Developers also identified an “assertiveness counterweight” aimed at curbing overly aggressive refactoring behaviors. These metrics offer competitors benchmarks for agentic performance and highlight unresolved issues such as over-commenting and factual inaccuracies.
The “Undercover” Mode and Security Risks
A notable feature revealed in the leak is “Undercover Mode,” which allows Claude Code to contribute to public open-source repositories without disclosing Anthropic’s involvement. The system prompt explicitly instructs the model to avoid revealing internal identifiers like “Tengu” or “Capybara” in git logs. While this could serve as a tool for internal testing, it also provides a framework for organizations seeking anonymity in AI-assisted development. However, the leak has raised security concerns, particularly after a separate supply-chain attack on the axios npm package was reported hours earlier.
The incident highlights vulnerabilities in the npm ecosystem. Users who installed or updated Claude Code via npm between 00:21 and 03:29 UTC on March 31, 2026, may have inadvertently downloaded a malicious version of axios (1.14.1 or 0.30.4) containing a Remote Access Trojan (RAT). This underscores the broader risk of compromised dependencies, as attackers now have detailed insights into Claude Code’s orchestration logic to exploit its functionality.
Recommendations for Users and Customers
The exposure of Claude Code’s architecture poses both strategic and security risks. Competitors may leverage the leaked code to replicate its features at a lower cost, while attackers could use the orchestration details to bypass security guardrails or exfiltrate data. For users, immediate steps include verifying their npm installations for signs of tampering and monitoring systems for unauthorized activity. Anthropic has acknowledged the error as a packaging mistake rather than a breach, but the incident underscores the need for enhanced safeguards in software deployment processes.
The leak has accelerated the race to develop next-generation agentic AI systems, offering competitors a blueprint to challenge Anthropic’s dominance. However, it also serves as a cautionary tale about the risks of exposing proprietary technologies and the importance of securing supply chains in an increasingly interconnected digital landscape.
