Claude Code Source Code Leaked via npm: 512,000 Lines, Capybara Confirmed, and a Hidden Undercover Mode
On March 31, 2026, a missing .npmignore entry exposed 512,000 lines of Claude Code's TypeScript source. Here is everything the leak revealed: Capybara, KAIROS, Undercover Mode, the Tamagotchi pet, and what users need to do right now.

TL;DR
On March 31, 2026, a missing .npmignore entry in Claude Code v2.1.88 exposed a 59.8MB source map containing 512,000 lines of TypeScript across 1,900 files. It was discovered at 4:23 AM ET and mirrored across GitHub within hours.
The source code confirmed three Capybara model variants (standard, fast, large-context), Fennec as the internal name for Opus 4.6, and an unreleased model codenamed Numbat still in testing.
Undercover Mode: a feature that instructs Claude Code to contribute to public open-source repositories without revealing any trace of Anthropic or AI involvement. The system prompt explicitly tells Claude not to 'blow its cover.'
KAIROS: an always-on autonomous agent daemon that watches, logs, and proactively acts without waiting for user input. It includes a 'dreaming' system called autoDream that consolidates memory while the user is idle.
A separate supply-chain attack on the Axios npm package occurred in the same time window. Anyone who installed Claude Code via npm between 00:21 and 03:29 UTC on March 31 may have pulled a remote access trojan.
Confirmed the leak. Called it 'human error, not a security breach.' Pulled the npm package, issued DMCA takedowns, and recommended switching to the native installer. No customer data or credentials were exposed.
Claude Code Source Code Leaked via npm: 512,000 Lines, Capybara Confirmed, and a Hidden Undercover Mode
On the morning of March 31, 2026, at 4:23 AM ET, a security researcher named Chaofan Shou posted a link on X. Buried inside a routine npm package update for Claude Code was a 59.8MB JavaScript source map file. The kind that is never supposed to ship to production. The kind that, in this case, contained the full, readable TypeScript source code of Anthropic's flagship AI coding agent: 1,906 files, approximately 512,000 lines, the entire agentic harness that turns an LLM into Claude Code.
The post accumulated over 21 million views. A clean-room rewrite based on the leaked code hit 50,000 GitHub stars in under two hours, likely the fastest-growing repository in the platform's history. By the time Anthropic pulled the package and began issuing DMCA takedowns, the code was everywhere.
This is what was inside, what it means for users, and what Anthropic got wrong.
How It Happened
The cause was not a sophisticated attack. There was no hack, no reverse engineering, no insider threat. It was a single missing line in a build configuration file.
Claude Code is built on Bun, the JavaScript runtime Anthropic acquired in late 2025. Bun generates JavaScript source map files by default during builds. Source maps are debugging artifacts that map compressed, minified code back to its readable original form. They are invaluable internally. They are never supposed to ship to end users.
Someone on the release team failed to add a *.map exclusion to the .npmignore file, or to configure the files field in package.json to exclude debugging artifacts. The source map shipped inside version 2.1.88 of the @anthropic-ai/claude-code package on the public npm registry. The map file pointed to a ZIP archive hosted on Anthropic's own Cloudflare R2 storage bucket, downloadable by anyone with the URL.
Extraction required no special tools. A standard npm pack, an untar, and the full source was readable. Roy Paz, a senior AI security researcher at LayerX Security who reviewed the leak for Fortune, described it bluntly: "Usually, large companies have strict processes and multiple checks before code reaches production, like a vault requiring several keys to open. At Anthropic, it seems that the process wasn't in place and a single misconfiguration or misclick suddenly exposed the full source code."
Anthropic confirmed the leak and called it "a release packaging issue caused by human error, not a security breach." This is also not the first time. In February 2025, an early version of Claude Code exposed its original code in an almost identical incident. Anthropic pulled that version and took the code down. Fourteen months later, the same category of mistake happened again.
What the Code Revealed
Model codenames: Capybara, Fennec, and Numbat
The first thing developers found was confirmation of what the March 26 data store leak had already suggested. The source code references three internal model codenames with direct consistency:
Capybara maps to a Claude 4.6 variant and is the same model publicly known as Claude Mythos. The leak confirmed three distinct Capybara variants: standard, fast (capybara-fast), and a large-context version (capybara-fast[1m]), suggesting a full model family with different speed and context tradeoffs.
Fennec is the internal name for Claude Opus 4.6, the current top-of-lineup model.
Numbat is an unreleased model still in prelaunch testing. No public announcement has been made about it.
Tengu appears hundreds of times throughout the codebase as a prefix for feature flags and analytics events. It is almost certainly Claude Code's own internal project codename rather than a model name.
The Capybara findings also revealed something less flattering. Internal benchmark notes show that Capybara v8, the latest iteration at the time of the leak, carries a false claims rate between 29 and 30 percent. That is a regression from the 16.7 percent rate recorded in v4. Developers also noted an "assertiveness counterweight" built into the stack, a mechanism designed to prevent the model from becoming too aggressive when rewriting code or generating diffs. These metrics are the kind of internal quality data that companies almost never share publicly. They now are.
Undercover Mode: the most controversial discovery
Inside a file called undercover.ts, approximately 90 lines of code, developers found a feature that sparked immediate ethical debate.
Undercover Mode is an automatic safety layer that activates when Claude Code operates in non-internal, public repositories. When active, it injects a specific system prompt telling Claude it is "operating UNDERCOVER" and that its commit messages "MUST NOT contain ANY Anthropic-internal information." It is explicitly prohibited from mentioning internal codenames like Capybara or Tengu, internal Slack channel names, repository names, unreleased version numbers, or any hint of AI involvement.
The mode cannot be manually disabled outside Anthropic's allowlisted internal repositories. In external builds, the entire function gets dead-code-eliminated to trivial returns. It is a one-way door.
In practice, this means that Anthropic employees using Claude Code to contribute to public open-source projects produce commits and pull requests with no indication that an AI wrote them. The code passes through as if authored by the human developer. Hiding internal codenames from public commits is a defensible operational security practice. Having the AI actively present itself as fully human is a different question, and one the open-source community began asking loudly within hours of the leak.
KAIROS: the unreleased always-on agent
Behind a compile-time feature flag, developers found a feature called KAIROS that has not been publicly announced.
KAIROS is an always-on autonomous agent mode, not an extension of standard Claude Code prompting. It operates as a persistent background daemon that does not wait for user input. It watches the development environment, logs observations, and proactively acts with a 15-second blocking budget: any action that would interrupt the user for longer than that gets deferred to a less intrusive moment.
KAIROS maintains append-only daily log files and includes a subsystem called autoDream that performs memory consolidation while the user is idle. The dreaming process merges observations, removes contradictions, and converts vague notes into concrete facts, building a persistent model of the codebase and the developer's working patterns over time.
The architecture represents a meaningful shift from Claude Code as a responsive tool to Claude Code as a continuous co-developer. Whether KAIROS ships as described, or evolves significantly before release, it is the clearest preview yet of where Anthropic sees agentic coding tools heading.
The architecture: more complex than anyone expected
Beyond the headline discoveries, developers found that Claude Code is architecturally far more sophisticated than its command-line interface suggests.
The system uses a modular system prompt with cache-aware boundaries, roughly 40 tools in a plugin architecture, a 46,000-line query engine, and React and Ink for terminal rendering using techniques borrowed from game engine development. Multi-agent orchestration is handled in a prompt rather than a framework, which several developers noted makes tools like LangChain look significantly more complicated than necessary for the same outcomes.
The codebase also includes 2,500 lines of bash validation logic for security checks, a four-stage context management pipeline, anti-distillation mechanisms that inject fake tool definitions to discourage competitors from training on Claude Code's API traffic, and a frustration detection regex that catches user profanity to adjust response tone.
And then there is the virtual pet. Buried in the code, apparently timed for an April 1 rollout, is a fully functional Tamagotchi-style companion system called BUDDY. The /buddy command summons an AI pet with 18 species, rarity tiers ranging from common to 1 percent legendary, shiny variants, and five tracked stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK. The species is determined by a hash of your user ID, meaning every user always gets the same companion. The engineering depth of this feature, sitting alongside security-critical orchestration code, gave the internet a great deal to say.
The Concurrent Danger: The Axios Attack
The source code leak was discovered and widely spread on March 31. On the same day, in the same time window, attackers published two malicious versions of the Axios npm package (versions 1.14.1 and 0.30.4) containing a remote access trojan between 00:21 and 03:29 UTC.
Axios is a widely used HTTP library. Claude Code uses it for HTTP requests. The two events were entirely unrelated, but their timing created a compounding risk: anyone who installed or updated Claude Code via npm during that overlap may have transitively pulled in the compromised Axios version.
This is the more immediately dangerous of the two incidents for individual users. The source code leak is a strategic and competitive problem for Anthropic. The Axios attack, if it hit your system, is a direct security problem for you.
What the Leak Means
For Anthropic, a company with a reported $19 billion annualized revenue run-rate as of March 2026 and Claude Code at the center of its enterprise growth story, this is a serious incident on two levels.
The competitive damage is tangible. The agentic harness is what makes Claude Code more than a model wrapper. Competitors including Cursor, GitHub Copilot, and a growing list of AI coding tools can now study how Anthropic structured its orchestration logic, its permission system, its context management, and its tool architecture. VentureBeat described it as handing the market "a $2.5 billion collective intelligence boost." That analysis is not far off.
The strategic damage may be longer-lasting. The feature flags, including KAIROS and the anti-distillation mechanisms, are product roadmap details. The false claims regression in Capybara v8 is a quality benchmark that Anthropic's competitors can now use to calibrate their own development targets. The code itself can be refactored. That strategic context cannot be un-leaked.
For the broader developer ecosystem, the leak is more ambiguous. The public now has the first complete, production-grade AI coding agent architecture available for study. A clean-room rewrite based on the leaked design reached 50,000 GitHub stars in under two hours. Open-source implementations of Claude Code's agentic harness are already under development. In the long term, that is a net positive for the ecosystem even if it is damaging to Anthropic specifically.
What to Do Right Now
If you updated Claude Code via npm between 00:21 and 03:29 UTC on March 31:
- Rotate your Anthropic API key immediately
- Check your lockfile for the dependency
plain-crypto-js, which indicates Axios compromise - Treat affected systems as potentially compromised and consider a clean reinstall
For all Claude Code users:
- Uninstall version 2.1.88 and do not reinstall it
- Switch to Anthropic's native installer, a standalone binary distributed via
curl, which bypasses the npm dependency chain entirely - If you run Claude Code inside repositories you did not create, adopt a zero-trust approach and manually inspect any hooks or configuration files
Anthropic has confirmed the native installer is now the recommended installation method going forward.
Wondering How Claude Code Compares?
The leak confirmed that Capybara, KAIROS, and the broader Claude Code architecture put Anthropic in a different class from most AI coding tools. But Anthropic is not the only player. Cursor, GitHub Copilot, and a growing list of agentic coding tools are all competing for the same workflow.
If this story has you rethinking which AI model or coding tool belongs in your stack, our tools directory is now live. It covers every major AI model referenced in our coverage, with benchmark scores, pricing, context windows, and deployment notes in one place. For direct model-to-model comparisons, the compare tool lets you put any two models side by side across the metrics that actually matter for your use case.
The Pattern
This is not the first time Claude Code has leaked its own code. February 2025 saw an almost identical incident with an early version of the tool. That one was caught faster and spread less widely.
It is also not the only Anthropic security incident this week. Five days earlier, on March 26, a CMS misconfiguration exposed nearly 3,000 internal files, including the draft blog post confirming Claude Mythos. Two configuration-related exposures in five days at the same company highlight an operational reality that is hard to ignore: when innovation speed is extreme and release cadence is high, the attack surface for human error expands at the same rate.
Anthropic is building some of the most capable and consequential AI systems in the world. Its operational security practices need to match that ambition. Right now, they do not.
Last updated: April 1, 2026. We will update this article as Anthropic publishes further guidance or as new details emerge from community analysis of the leaked code.
Frequently Asked Questions
What exactly was leaked in the Claude Code npm incident?
On March 31, 2026, Anthropic published version 2.1.88 of the @anthropic-ai/claude-code npm package with a 59.8MB JavaScript source map file included by mistake. Source map files are debugging artifacts intended only for internal use. This one pointed to a ZIP archive on Anthropic's Cloudflare R2 storage containing the full, readable TypeScript source code of Claude Code: 1,906 files and approximately 512,000 lines of code. The agentic harness, orchestration logic, feature flags, model codenames, and unreleased functionality were all exposed. No model weights, no customer data, and no API keys were included.
Was my API key or data compromised?
Anthropic confirmed that no customer data or credentials were exposed in the source code leak itself. However, a separate and unrelated supply-chain attack on the Axios npm package occurred during the same window, between 00:21 and 03:29 UTC on March 31. Anyone who installed or updated Claude Code via npm during that overlap may have pulled malicious Axios versions (1.14.1 or 0.30.4) containing a remote access trojan. If you updated Claude Code via npm during that window, rotate your Anthropic API keys immediately, scan your lockfile for plain-crypto-js, and treat affected systems as potentially compromised.
What is Capybara and how does it relate to Claude Mythos?
Capybara is the internal codename for Anthropic's next-generation model, the same model publicly known as Claude Mythos after the March 26 data store leak. The Claude Code source confirmed three Capybara variants: a standard version, a fast version, and a large-context version. The code also revealed that Capybara v8, the latest internal iteration at the time of the leak, carries a false claims rate between 29 and 30 percent, which is a regression from the 16.7 percent rate recorded in v4. Fennec maps to Claude Opus 4.6, and Numbat refers to a model still in prelaunch testing that has not been publicly announced.
What is Claude Code's Undercover Mode?
Undercover Mode is implemented in a file called undercover.ts, approximately 90 lines of code. When active, it instructs Claude Code to strip all traces of Anthropic internals when operating in non-internal repositories. The system prompt tells Claude it is "operating UNDERCOVER" and that its commit messages "MUST NOT contain ANY Anthropic-internal information." It is prohibited from mentioning internal codenames like Capybara or Tengu, internal Slack channels, repository names, or even the phrase "Claude Code" itself. The mode cannot be manually disabled outside Anthropic's allowlisted internal repos. This means AI-authored commits and pull requests from Anthropic employees in public open-source projects carry no indication that an AI wrote them.
What is KAIROS?
KAIROS is an unreleased always-on autonomous agent mode discovered behind a compile-time feature flag in the leaked source. Unlike standard Claude Code, which waits for user input, KAIROS operates as a persistent background daemon that watches, logs, and proactively acts on its environment with a 15-second blocking budget. Any action that would interrupt the user for longer than that gets deferred. KAIROS maintains append-only daily log files and includes a subsystem called autoDream that performs memory consolidation while the user is idle, merging observations, removing contradictions, and converting vague notes into concrete facts.
Why did the leak happen and how was it discovered?
The root cause was a missing exclusion rule in the npm packaging configuration. Claude Code is built on Bun, which Anthropic acquired in late 2025. Bun generates JavaScript source map files by default during builds. Someone on the release team failed to add a *.map exclusion to .npmignore or configure the package.json files field to exclude debugging artifacts, meaning the source map shipped inside the published npm package. Security researcher Chaofan Shou, an intern at Solayer Labs, spotted the file at approximately 4:23 AM ET and posted about it on X with a direct download link. The post accumulated over 21 million views. Within hours the full codebase was mirrored across GitHub and a clean-room rewrite hit 50,000 stars in under two hours.
What should Claude Code users do right now?
Four actions in order of urgency: First, if you installed or updated Claude Code via npm between 00:21 and 03:29 UTC on March 31, rotate your Anthropic API keys immediately and scan your lockfiles for the dependency plain-crypto-js, which indicates Axios compromise. Second, uninstall version 2.1.88 and do not reinstall it. Third, switch to Anthropic's native installer, a standalone binary distributed via curl, which bypasses the npm dependency chain entirely. Fourth, if you run Claude Code in repositories you did not create, adopt a zero-trust approach and inspect any hooks or configuration files for unexpected behavior, since the leaked orchestration logic gives attackers a blueprint for crafting malicious repos that exploit Claude Code's permission system.

