If you've been anywhere near Dev Twitter (or X, whatever we're calling it now) in the last couple of days, you've probably already seen this. But if you haven't — buckle up, because this one's wild.
On March 31st, Anthropic accidentally shipped the entire source code of Claude Code in a public npm package. Yes, you read that right. The whole thing. Nearly 2,000 TypeScript files. Over 512,000 lines of code. Just… out there. For everyone to see.
And the internet did what the internet does — it went absolutely nuts.
Wait, How Did This Even Happen?
So here's the thing — this wasn't some sophisticated cyber attack. Nobody hacked into Anthropic's servers. There was no insider threat, no zero-day exploit. It was a packaging mistake.
When Anthropic pushed version 2.1.88 of the @anthropic-ai/claude-code npm package, someone accidentally included a source map file in the build. If you're not familiar, source maps are dev tools — they map compiled/minified code back to the original source. Super useful during development. Absolutely should never ship in production.
But it did. And security researcher Chaofan Shou caught it almost immediately and posted about it on X. That post? It blew up to over 28.8 million views.
Anthropic pulled the version from npm pretty quickly, but by then it was way too late. The code had already been extracted and uploaded to GitHub.
Anthropic's official response was basically: "This was a release packaging issue caused by human error, not a security breach. No customer data or credentials were exposed." They also said they're putting measures in place so this doesn't happen again.
Fair enough. But the code is out there now, and there's no putting that genie back in the bottle.
The GitHub Repo That Broke Records
Within hours, a GitHub repo called instructkr/claw-code popped up with the leaked source. And here's the crazy part — it hit 50,000 stars in under 2 hours. As of now, it's sitting at over 84,000 stars and 82,000 forks.
That's not just popular. That's one of the fastest-growing repos in GitHub history.
What's interesting is that the repo didn't stay as just a code dump. The maintainers turned it into something more — a clean-room reimplementation project. They've been porting the architecture to both Python and Rust, building it out as a research tool for studying AI agent systems. They've been pretty clear that it's not affiliated with Anthropic and that they deliberately avoided storing the original leaked snapshot.
The repo includes a Python workspace with modules for commands, tools, a query engine, and a CLI, plus a full Rust workspace with crates for everything from the API client to plugin systems to a compatibility layer for editor integration.
It's kind of become this hub for developers who want to understand how AI coding agents actually work under the hood.
OK But What's Actually In The Code?
This is where it gets really interesting. People have been tearing through the source and sharing their findings, and some of this stuff is genuinely fascinating. Let me walk you through the highlights.
The Self-Healing Memory Thing
You know how LLMs have a fixed context window, right? So when you're in a long coding session with Claude Code, it eventually has to decide what to keep and what to throw away. Well, turns out Claude Code has this really clever system for handling that.
It's not just doing dumb truncation. There's a four-stage context management pipeline that compresses and reorganizes information to keep the most relevant stuff around. Developers who've studied it are calling it a "self-healing memory architecture" — basically the system can reconstruct important context even after compaction. Pretty smart.
Multi-Agent Swarms
Claude Code isn't just one agent. When you give it a complex task — like a big refactor across multiple files — it can spawn sub-agents. Think of it like a team lead delegating tasks to specialists. These agents work on different parts of the problem and their results get coordinated back together.
This explains why Claude Code is weirdly good at large multi-file changes. It's not doing it all in one pass.
The Tools Under The Hood
At its core, Claude Code runs on a tool system that handles file reading, bash execution, API calls — all the stuff that makes it feel like it actually understands your project. There's a query engine that routes requests to the right model with the right context, and a bidirectional communication layer that connects IDE extensions to the CLI.
Nothing too surprising here if you've thought about how these tools must work, but it's cool to see the actual implementation.
KAIROS — The Background Agent
OK, this one is wild. There's a feature in the code called KAIROS that basically turns Claude Code into a persistent background process. It can fix errors, run tasks, and even send push notifications to you — all without you explicitly asking it to do anything.
Imagine you push some code, go grab coffee, and come back to a notification saying "hey, I noticed a bug in your last commit and fixed it." That's what KAIROS seems to be building toward.
"Dream" Mode
And if KAIROS wasn't enough, there's also this experimental thing called Dream mode. It lets Claude continuously think in the background — brainstorming ideas, iterating on your existing code, and preparing suggestions for when you come back.
It's like having a junior dev who never sleeps and is always noodling on improvements to your codebase. Whether that's exciting or terrifying probably depends on your perspective.
Undercover Mode (Yes, Really)
This one raised a lot of eyebrows. There's a mode called "Undercover Mode" that's designed for making contributions to open-source repos without revealing that Anthropic is behind them. The system prompt literally tells the agent not to include any Anthropic-internal information in commits or PRs.
People have a lot of opinions about this. Some see it as shady — Anthropic secretly contributing to open-source projects without disclosure. Others argue it's pretty standard for companies to contribute to open source without broadcasting it. Either way, it's not a great look when it gets discovered through a leak.
Fighting Model Distillation
Here's something the AI industry watchers will find interesting. The code includes a system that detects when competitors might be scraping Claude Code's outputs to train their own models (this is called model distillation). When it suspects scraping, it injects fake tool definitions into the API responses to poison the training data.
This makes sense given that Anthropic has publicly accused certain AI firms of using distillation attacks against Claude. Now we can see exactly how they've been fighting back.
The Security Mess
So far I've been talking about this mainly as an IP issue and a fascinating peek behind the curtain. But there's a real security problem here too.
AI security company Straiker put it bluntly: with the full source code available, attackers don't need to brute-force jailbreaks anymore. They can study exactly how data flows through the context pipeline and craft inputs designed to survive compaction. Basically, they can build persistent backdoors that stick around for an entire session.
That's… not great.
The Supply Chain Attack
To make things worse, the timing of the leak overlapped with a supply chain attack on the Axios npm package. If you installed or updated Claude Code via npm on March 31st between 00:21 and 03:29 UTC, you might have pulled a trojanized version of Axios that included a cross-platform remote access trojan.
If you're in that window, you need to:
- Downgrade to a known safe version immediately
- Rotate ALL secrets — API keys, SSH keys, tokens, everything Claude Code had access to
- Check your systems for any suspicious activity
I'm not being dramatic here. This is a legit "drop everything and deal with this" situation if it applies to you.
Typosquatting Packages
And because things weren't bad enough already, attackers started registering npm packages with names similar to internal Claude Code dependencies. A user called "pacifier136" published packages like audio-capture-napi, color-diff-napi, image-processor-napi, and a few others. Right now they're empty stubs, but that's how dependency confusion attacks work — squat the name, wait for installs, then push a malicious update.
If you've been trying to build the leaked source, be extremely careful about what packages you're pulling in.
Oh, And There's More
Here's the kicker — this wasn't even Anthropic's only security incident that week. Just days before the Claude Code leak, details about an unreleased AI model (reportedly called "Mythos") and other internal data were found sitting on an unsecured CMS. Anthropic later confirmed they'd been testing this new model with early access customers and called it the most capable model they've ever built.
Two significant data exposures in one week. For a company that has built its entire brand around being the "safety-first" AI lab, that's a rough look. It doesn't mean their AI safety research isn't legit — it absolutely is — but operational security is clearly something they need to tighten up.
What This Means For The Rest Of Us
I think there are a few takeaways here, beyond the obvious "don't ship source maps in production."
AI coding tools have deep access. We're giving these tools access to our codebases, our terminals, our secrets. When something goes wrong — whether it's a leak, a supply chain attack, or a compromised build — the blast radius is huge. We need to think about these tools as critical infrastructure, not just developer convenience.
The packaging step is a security boundary. This whole thing happened because of a build configuration mistake. Your CI/CD pipeline isn't just about deployment speed — it's about security. Source maps, debug symbols, internal configs — all of these need to be explicitly excluded from production builds, and that exclusion needs to be verified automatically.
Open source benefits from transparency, even accidental transparency. The community has learned an enormous amount about how modern AI agent systems work from studying this code. The clean-room reimplementation projects are already advancing our understanding of agent orchestration, context management, and tool systems. There's real value here for the field.
Audit your dependencies. This isn't new advice, but it matters more than ever. Lock your package versions. Use integrity checks. Pay attention to what's in your node_modules. The typosquatting and supply chain attacks that followed this leak show how quickly bad actors can exploit confusion.
Final Thoughts
Look, mistakes happen. I'm not going to pile on Anthropic for a packaging error — anyone who's shipped software has made similar kinds of mistakes at some point. The difference is that when your tool is used by millions of developers worldwide and has deep access to their systems, the stakes are just higher.
What I am going to say is: if you use Claude Code (or any AI coding tool), take this as a reminder to treat it with the same security diligence you'd give to any other piece of infrastructure with privileged access. Check your installs, rotate your keys, and keep an eye on the follow-up advisories.
And if you're a developer who's curious about how these AI agent systems actually work — go check out the claw-code repo. It's a genuinely fascinating read. Just, you know, be careful what you npm install while you're at it.
What do you think about the leak? Too much panic, or are we not panicking enough? Drop your thoughts in the comments — I'd love to hear what other devs are thinking about this.
Top comments (0)