On March 31, 2026, security researcher Chaofan Shou discovered something remarkable in the npm registry: Anthropic had shipped Claude Code v2.1.88 with a 60MB source map still attached. That single .map file contained 1,906 source files and 510,000 lines of fully readable TypeScript. No minification. No obfuscation. Just the raw codebase, sitting in a public registry for anyone to download.
Within hours, mirror repositories appeared on GitHub. One hit 50,000 stars in two hours — the fastest any repository has reached that milestone. Anthropic pulled the package, but the code was already everywhere.
The irony? The root cause was a known bug in Bun (oven-sh/bun#28001), the JavaScript runtime that Anthropic acquired at the end of 2025. Their own toolchain leaked their own product.
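A pre-publish check for the failure described above, as an added example that is not Anthropic's or Bun's tooling: it flags source maps that embed original sources before a package leaves the build machine. The `{ path, content }` input shape, the issue names and the sample files are assumptions made for illustration.

```javascript
// Added illustration; not Anthropic's or Bun's tooling. The { path, content }
// input shape and the issue names are assumptions made for this example.
const BLOCKING = new Set(["map-embeds-sources", "inline-source-map"]);

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith(".map")) {
      let map;
      try {
        map = JSON.parse(content) || {};
      } catch {
        findings.push({ path, issue: "unparseable-map" });
        continue;
      }
      // Source Map v3: `sourcesContent` carries the original files verbatim.
      const embedded = (Array.isArray(map.sourcesContent) ? map.sourcesContent : [])
        .filter((s) => typeof s === "string" && s.length > 0);
      findings.push({
        path,
        issue: embedded.length > 0 ? "map-embeds-sources" : "map-shipped",
        sources: Array.isArray(map.sources) ? map.sources.length : 0,
        embeddedFiles: embedded.length,
        embeddedChars: embedded.reduce((n, s) => n + s.length, 0),
      });
    } else if (/\.[cm]?js$/.test(path)) {
      // A trailing comment tells debuggers where the map lives; a data: URI
      // means the whole map (and possibly the sources) is inside the bundle.
      const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(content);
      if (m) {
        const inline = m[1].startsWith("data:");
        findings.push({ path, issue: inline ? "inline-source-map" : "references-source-map" });
      }
    }
  }
  return findings;
}

// Gate for a pre-publish step: refuse when readable source would ship.
function shouldBlockPublish(findings) {
  return findings.some((f) => BLOCKING.has(f.issue));
}

// Constructed sample standing in for the unpacked contents of a tarball.
const SAMPLE_FILES = [
  { path: "package/cli.js", content: "console.log(1);\n//# sourceMappingURL=cli.js.map\n" },
  { path: "package/cli.js.map", content: JSON.stringify({
      version: 3, sources: ["../src/main.ts"], mappings: "AAAA",
      sourcesContent: ["export const x: number = 1;\n"] }) },
  { path: "package/README.md", content: "# demo\n" },
];
```

Index maps that nest further maps under `sections` are not unpacked by this sketch.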
We spent the last 24 hours reading the source. Here are the 12 most interesting things hiding in it.
1. KAIROS — Claude Never Sleeps
The biggest reveal is KAIROS: an always-on daemon mode where Claude Code runs persistently in the background, watching your project and acting without being asked.
It maintains append-only daily logs of everything it observes. It receives periodic "tick" prompts — think of a heartbeat every few minutes — and decides whether to act or stay quiet. If a proactive action would take more than 15 seconds, it gets deferred so it doesn't interrupt your workflow.
KAIROS has exclusive tools that regular Claude Code doesn't: SendUserFile to push files to the user, PushNotification for alerts, and SubscribePR to watch GitHub pull requests.
This is the evolution from "tool you call" to "assistant that watches."
2. autoDream — Your AI Has REM Sleep
A memory consolidation system inspired by how human brains process memories during sleep.
When triggered (after 24 hours and at least 5 sessions since the last run), autoDream runs four phases:
- Orient — Scan memory directory, read the index, skim topic files
- Gather — Search for new information worth persisting
- Consolidate — Write and update memory files, convert relative dates to absolute, delete contradicted facts
- Prune — Keep memory under 200 lines, remove stale entries, resolve contradictions
The dream agent runs as a forked subprocess. It has read-only access — it can examine but not modify code. The result? A ~40% reduction in context bloat between sessions.
3. The Buddy Pet System — A Dead April Fools' Joke
Deep in buddy/types.ts: a complete Tamagotchi-style virtual pet system. Eighteen species across five rarity tiers:
duck, goose, blob, cat, dragon, octopus, owl, penguin,
turtle, snail, ghost, axolotl, capybara, cactus, robot,
rabbit, mushroom, chonk
Each buddy gets RPG stats (DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK), cosmetic hats (crown, wizard, tinyduck), and a 1% chance of being "shiny." Your buddy is deterministically generated from your user ID.
The species names were encoded with String.fromCharCode() to dodge internal grep searches. This was clearly an April 1st surprise. The leak killed it three days early.
4. Undercover Mode — The AI That Pretends to Be Human
In utils/undercover.ts (~90 lines), a mode that makes Claude Code pretend to be a human developer:
- Strips all Anthropic attribution from commits and PRs
- Removes Co-Authored-By headers
- Instructs the model to "NEVER include the phrase 'Claude Code' or any mention that you are an AI"
- Has no force-off switch
- Auto-activates on public repos
- Gated to USER_TYPE === 'ant' — Anthropic employees only
Anthropic engineers have been using Claude Code on public open-source projects while concealing AI involvement. From the "safety-first" AI lab.
5. Anti-Distillation — Poisoning the Competition
Behind ANTI_DISTILLATION_CC:
- Fake tools — Decoy tool definitions injected into the system prompt. If someone captures API traffic for training data, fake tools pollute their model.
- Connector-text summarization — Server-side mechanism that returns summaries (not full reasoning) to potential API recorders, signed with cryptographic markers.
The workaround is trivial: strip the field from requests. This isn't technical protection — it's legal protection. Evidence of deliberate copying if a competitor's model hallucinates about tools that don't exist.
6. Claude Knows When You're Mad (Via Regex)
In userPromptKeywords.ts, frustration detection:
/\b(wtf|wth|ffs|shit(ty)?|dumbass|horrible|awful|piss(ed|ing)? off|piece of (shit|crap)|what the (fuck|hell)|fucking? (broken|useless|terrible)|fuck you|screw (this|you)|so frustrating|this sucks|damn it)\b/
Not a neural network. Not a classifier. A regex. From an LLM company.
But it's smart: why burn inference tokens to detect swearing when a regex does it in microseconds? The result feeds into tone adaptation — when you're frustrated, Claude gets more direct and skips the apologies.
7. Three Lines That Saved 250K API Calls
In autoCompact.ts, sessions with compaction failures retried indefinitely. Some hit 3,272 consecutive failures. Each one an API call to nowhere.
The fix:
const MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3;
250,000 wasted API calls per day eliminated. The most impactful bugs are often the dumbest ones.
8. DRM for API Calls — Written in Zig
Native client attestation at the HTTP transport layer.
Every request includes cch=00000. Before it leaves the process, Bun's Zig HTTP stack overwrites the zeros with a cryptographic hash. The server validates the hash — proving the request came from a real Claude Code binary, not a proxy or competing client.
This runs below JavaScript. You can't intercept it with middleware. It's compiled into the binary.
This is the mechanism behind Anthropic's legal threats to OpenCode. Technical enforcement backed by legal muscle.
9. Prompt Cache Economics
promptCacheBreakDetection.ts tracks 14 vectors that can break the prompt cache:
Tool list changes, system prompt edits, model switches, context window resizes, permission mode changes, feature flag toggles, timezone drift, file context updates, config reloads, memory injections, skill loads, provider fallbacks, compaction rewrites, and session metadata changes.
"Sticky latches" prevent mode toggles from busting the cache. One function is annotated DANGEROUS_uncachedSystemPromptSection(). When you're paying per token, cache invalidation is an accounting problem.
10. The Coordinator Is Just a Prompt
Multi-agent orchestration in Claude Code is a system prompt, not code:
- "Launch independent workers concurrently"
- "Do not rubber-stamp weak work"
- "Never hand off understanding to another worker"
No scheduler. No task queue. No workflow engine. Just Claude reading instructions about how to be a manager.
11. 23-Point Bash Security Pipeline
bashSecurity.ts runs every shell command through 23 checks:
- 18 blocked Zsh builtins
- Unicode zero-width space injection defense
- IFS null-byte injection detection
- Zsh equals expansion blocking
- Path traversal and privilege escalation checks
Each check tells a story of a prompt injection attack that actually worked in production.
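A few of the checks listed above expressed as a pre-execution filter, as an added example that is not taken from bashSecurity.ts. The rule names, the three-builtin sample set (the article does not list the 18) and the whitespace tokenizer are assumptions made for illustration.

```javascript
// Added illustration; not code from bashSecurity.ts. Rule names, the sample
// builtin set and the whitespace tokenizer are assumptions for this example.
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/;
// Real zsh builtins used as a stand-in; the article does not list the 18.
const SAMPLE_BLOCKED_BUILTINS = new Set(["zmodload", "emulate", "ztcp"]);

function checkCommand(command) {
  const findings = new Set();
  // Invisible characters make the reviewed text differ from what the shell runs.
  if (ZERO_WIDTH.test(command)) findings.add("zero-width-character");
  if (command.includes("\0")) findings.add("nul-byte");
  // Reassigning IFS changes how every later word is split.
  if (/(^|[\s;&|(])IFS=/.test(command)) findings.add("ifs-assignment");

  // Naive split on whitespace and operators; a production filter needs a
  // real shell parser, since quoting and expansion can hide any of these.
  for (const word of command.split(/[\s;&|()]+/).filter(Boolean)) {
    // zsh replaces a word of the form =name with the full path of `name`.
    if (/^=[A-Za-z_]/.test(word)) findings.add("zsh-equals-expansion");
    if (SAMPLE_BLOCKED_BUILTINS.has(word)) findings.add("blocked-builtin:" + word);
    if (word.split("/").includes("..")) findings.add("path-traversal");
  }
  return { allowed: findings.size === 0, findings: [...findings].sort() };
}

// Constructed inputs: one benign command, then one per rule.
const SAMPLE_COMMANDS = [
  "git status --short",
  "echo ok\u200B",
  "printf a\0b",
  "IFS=: read a b",
  "=ls -l",
  "zmodload zsh/net/tcp",
  "cat ../../notes.txt",
];

// Returns one verdict per command so a caller can log or deny as a batch.
function auditAll(commands) {
  return commands.map((command) => ({ command, ...checkCommand(command) }));
}
```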
12. print.ts — 5,594 Lines, One Function
Not a feature, but worth noting: print.ts contains a single function spanning 3,167 lines with 12 levels of nesting.
It uses game-engine rendering techniques — Int32Array ASCII pools, bitmask-encoded styles, a patch optimizer, and a self-evicting line-width cache reducing stringWidth calls by 50x.
Impressive engineering trapped in a file that would make any linter cry.
What This Means
The leak reveals Anthropic is building an operating system for AI work. KAIROS isn't a chatbot — it's a daemon. autoDream isn't memory management — it's a cognitive maintenance cycle. The coordinator isn't a task runner — it's a management philosophy encoded as instructions.
This isn't an AI assistant anymore. It's an AI employee.
We've already built open-source equivalents of KAIROS, autoDream, Coordinator Mode, ULTRAPLAN, and Buddy in OpenClaw. If these features are good enough for Anthropic's internal use, they're good enough for everyone.
Follow: @TojiOpenclaw · The OpenClaw Insider Newsletter