
Anthropic Leaked 512K Lines of Claude Code
Anthropic accidentally exposed 512,000 lines of Claude Code revealing four secret features nobody knew existed
Summary
A source map file accidentally bundled in Claude Code's npm package gave any developer with the right URL direct access to Anthropic's private R2 storage bucket — and the entire unobfuscated TypeScript source tree inside it. The exposure: 1,900 files, over 512,000 lines of code. The deeper story: four internal features that had never been announced publicly, including a continuous activity-monitoring mode and a background memory consolidation system Anthropic calls the Dream engine.
What Happened
When developers build JavaScript or TypeScript for production, bundlers like Bun generate source map files (.map) to aid debugging. These files reference the original, unminified source code. Unless explicitly excluded from the published package, those references go public when the package does.
Anthropic's engineering team built Claude Code with Bun, and the production build included a .map file pointing to a URL on Anthropic's R2 cloud storage. That URL was not access-controlled. Security researcher Chaofan Shou (@shoucccc) at Web3 firm FuzzLand discovered the reference on March 31, 2026, fetched the URL, and retrieved the complete source tree.
The fix required to prevent this: one line in .npmignore, or disabling source map generation before packaging. Neither was done.
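The packaging check described above can be automated. The following Node.js scan is an added example, not code from Anthropic or from the original article: it walks a package directory and reports shipped .map files, remote URLs inside them, and bundles carrying a sourceMappingURL comment. The sample package, file names and the storage.example.invalid URL are constructed for the demonstration.

```javascript
// Added example: pre-publish check for source maps in a package directory.
const fs = require("fs");
const os = require("os");
const path = require("path");

const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/g;
const REMOTE = /^https?:\/\//i;

// Recursively scan `dir`; report .map files and bundles that point at one.
function findSourceMapExposure(dir, root = dir, out = []) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    const file = path.relative(root, full).split(path.sep).join("/");
    if (entry.isDirectory()) {
      findSourceMapExposure(full, root, out);
    } else if (entry.name.endsWith(".map")) {
      let map = {};
      try { map = JSON.parse(fs.readFileSync(full, "utf8")) || {}; } catch { /* unparsable: still flag the file */ }
      // Remote URLs in sourceRoot/sources are the case the article describes.
      const remoteRefs = [map.sourceRoot, ...(map.sources || [])].filter((s) => REMOTE.test(s || ""));
      out.push({ file, kind: "map-file", embedsSource: Array.isArray(map.sourcesContent), remoteRefs });
    } else if (/\.[cm]?js$/.test(entry.name)) {
      const text = fs.readFileSync(full, "utf8");
      for (const m of text.matchAll(MAP_COMMENT)) {
        const kind = m[1].startsWith("data:") ? "inline-map" : REMOTE.test(m[1]) ? "remote-map" : "map-reference";
        out.push({ file, kind, target: m[1].slice(0, 80) });
      }
    }
  }
  return out;
}

// Constructed sample package: one bundle with a map comment, its map, one clean file.
function demo() {
  const pkg = fs.mkdtempSync(path.join(os.tmpdir(), "pkg-"));
  fs.mkdirSync(path.join(pkg, "dist"));
  const write = (name, body) => fs.writeFileSync(path.join(pkg, "dist", name), body);
  write("cli.js", "console.log('hi');\n//# sourceMappingURL=cli.js.map\n");
  write("cli.js.map", JSON.stringify({ version: 3, sources: ["https://storage.example.invalid/src/cli.ts"], mappings: "" }));
  write("clean.js", "console.log('ok');\n");
  try { return findSourceMapExposure(pkg); }
  finally { fs.rmSync(pkg, { recursive: true, force: true }); }
}

console.log(demo());
```

Run against the extracted output of `npm pack` in CI, any non-empty result is a reason to fail the build before publishing.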
By the Numbers
| Detail | Figure |
|---|---|
| TypeScript lines exposed | 512,000+ |
| Source files in the leak | 1,900 |
| Previously unannounced features | 4 |
| Public statements from Anthropic | 0 |
Four Unreleased Features Found Inside
KAIROS Mode
Internal — not shipped to users
An always-on background mode that monitors and logs user activity continuously. The code shows it can send push notifications and subscribe to pull request events, suggesting it is designed to interrupt a user when Claude detects the right moment to intervene. The name draws from the Greek concept of "kairos" — the opportune moment. No prior announcement, no public documentation.
ULTRAPLAN
Unreleased — cloud runtime infrastructure visible in code
A remote planning system that routes complex multi-step reasoning to a Cloud Container Runtime (CCR) running Anthropic's Opus 4.6 model. Sessions can run asynchronously for up to 30 minutes — well beyond a standard context window. The purpose is clearly stated in the code comments: tasks too involved for a single interactive session get offloaded and completed in the background.
The Buddy System
Code complete — not publicly announced
An in-product gamification system built around a companion pet with 18 species (including creatures named "Cosmoshale" and "Nebulynx"). The system includes a deterministic gacha mechanic and procedurally generated personality stats — among them "SNARK" and "WISDOM." Whether this is a retention feature, an internal developer tool, or a future product offering is not clear from the code alone.
The Dream System
Architecture visible — release timeline unknown
A memory consolidation engine that runs offline between sessions. The architecture mirrors how human memory is thought to consolidate during sleep — the system processes and organizes memories when the user is not actively interacting. This represents a meaningful departure from stateless AI: an agent whose knowledge base evolves even when idle.
Additional Findings
| Discovery | Implication |
|---|---|
| Swear-word telemetry | Dedicated events fire when users use profanity at Claude — a frustration measurement signal, not previously disclosed |
| "Continue" triggers | The system tracks how often users type "continue" or "keep going" — measuring mid-response cut-offs |
| Capybara / Mythos references | Internal code comments confirm details from the March 27 CMS document leak about Anthropic's next model tier |
| Chinese APT documentation | Internal write-up of a state-sponsored group that used Claude Code to compromise approximately 30 organizations |
| Undocumented slash commands | /commit, /review, /doctor visible — fuller internal toolset than the public docs cover |
Context: Anthropic's Third Incident in March 2026
| Date | Incident |
|---|---|
| Early March | Internal details of Pentagon contract refusal leaked to press before announcement |
| March 27 | CMS misconfiguration exposed ~3,000 internal documents, including model roadmap drafts |
| March 31 | npm source map leak — this incident |
The npm leak is categorically different from the previous two. It is not a policy decision, a deliberate disclosure, or an AI error. It is a routine packaging oversight that any team using Bun without explicit .npmignore rules could make. Its significance is in what the code reveals rather than in the mistake itself.
What Follows
Anthropic will release a patched npm version with source map generation disabled or filtered. The R2 bucket may already be restricted. GitHub mirrors — including instructkr/claude-code and Kuberwastaken/claude-code — are publicly accessible at time of writing but will likely receive DMCA notices.
The KAIROS and Dream features will generate the most sustained discussion. KAIROS in particular — an always-on user monitoring mode — will raise questions about what Claude Code observes and records even when it is not actively responding to a prompt. The fact that it exists behind a feature flag does not change the architectural intent.
For users today: this incident exposed Anthropic's source code. It did not expose user data, conversations, or credentials.
Frequently Asked Questions
How did the source code leak? A source map file was published inside Claude Code's npm package. That file contained a direct URL to Anthropic's R2 storage bucket, where the original TypeScript source tree was hosted without access controls. Anyone who fetched the URL received the full codebase. The root cause was not excluding .map files from the published package.
Does this affect my data as a Claude Code user? No. The leak exposed Anthropic's proprietary source code — not user conversations, files, or API credentials. There is no indication that user data was involved.
What is KAIROS Mode in the leaked code? KAIROS is an unreleased "always-on" monitoring mode that logs user activity and can push notifications or subscribe to repository events. It is gated behind internal flags and has not been shipped publicly. Its presence in the code raises open questions about what user activity monitoring Anthropic has built into Claude Code's architecture.
Where are the GitHub mirrors of the leaked code? As of March 31, 2026: github.com/instructkr/claude-code and github.com/Kuberwastaken/claude-code. Both should be expected to receive DMCA takedown requests.
Sources
- DEV Community — "Claude Code's Source Code Leaked via npm Source Maps" (dev.to, March 31, 2026)
- ByteIota — "Claude Code Source Leaked via npm: 512K Lines Exposed" (March 31, 2026)
- Reddit r/ClaudeAI — Source leak discussion thread (March 31, 2026)
- GitHub mirrors: instructkr/claude-code, Kuberwastaken/claude-code

