On March 31, security researcher Chaofan Shou noticed something in the npm registry. Version 2.1.88 of @anthropic-ai/claude-code shipped with a 59.8 MB source map file. Inside: 512,000 lines of unobfuscated TypeScript across 1,900 files. The entire production codebase for the #1 AI coding tool, readable as plaintext.
The cause? A missing .npmignore entry. Bun — which Anthropic acquired in late 2025 — generates source maps by default, and nobody had excluded them from the published package.
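A source map in a published tarball is the kind of thing a pre-publish gate catches mechanically. The script below is an added example (not Anthropic's, Bun's or npm's code): it takes the JSON that `npm pack --dry-run --json` prints, flags any file matching patterns that should not ship (source maps, raw TypeScript, env files, keys) and any single file over a size threshold, so a 59.8 MB `.map` fails the build before `npm publish` runs. The pattern list, the 10 MB threshold and the sample manifest are constructed assumptions; adjust them per project.

```python
"""Pre-publish gate for npm tarballs.

Added example, not code from the original post or from Anthropic/Bun.
Feed it the output of `npm pack --dry-run --json`; the SAMPLE_MANIFEST
below is a constructed stand-in shaped like that command's output.
"""
import fnmatch
import json
import sys

# Constructed policy: file patterns that should normally never be published.
SENSITIVE_PATTERNS = (
    "*.map",    # source maps let anyone reconstruct the original TypeScript
    "*.ts",     # raw sources, when only a compiled dist/ is meant to ship
    ".env*",    # local configuration and secrets
    "*.pem",    # private keys
)
# Type declarations are expected in a published package; do not flag them.
ALLOWED_EXCEPTIONS = ("*.d.ts",)

# Constructed manifest in the shape `npm pack --dry-run --json` emits:
# a list with one entry per package, each carrying a "files" array.
SAMPLE_MANIFEST = json.dumps([{
    "name": "@example-scope/cli",          # placeholder package name
    "files": [
        {"path": "package.json", "size": 812},
        {"path": "cli.js", "size": 4_200_000},
        {"path": "cli.js.map", "size": 62_700_000},   # the kind of file that leaked
        {"path": "sdk-tools.d.ts", "size": 18_000},
    ],
}])


def is_sensitive(path: str) -> bool:
    """True if the file's basename matches a sensitive pattern (minus exceptions)."""
    name = path.rsplit("/", 1)[-1]
    if any(fnmatch.fnmatch(name, p) for p in ALLOWED_EXCEPTIONS):
        return False
    return any(fnmatch.fnmatch(name, p) for p in SENSITIVE_PATTERNS)


def audit_pack_manifest(manifest_json: str, size_limit_bytes: int = 10 * 1024 * 1024):
    """Return (sensitive paths, oversized paths) found in a pack manifest."""
    offending, oversized = [], []
    for pkg in json.loads(manifest_json):
        for entry in pkg.get("files", []):
            path, size = entry["path"], entry.get("size", 0)
            if is_sensitive(path):
                offending.append(path)
            if size > size_limit_bytes:
                oversized.append(path)
    return offending, oversized


if __name__ == "__main__":
    # Pipe real output in (`npm pack --dry-run --json | python this.py`);
    # with no pipe, fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MANIFEST
    sensitive, big = audit_pack_manifest(raw)
    for p in sensitive:
        print(f"REFUSE: sensitive file would be published: {p}")
    for p in big:
        print(f"REFUSE: file exceeds size limit: {p}")
    sys.exit(1 if (sensitive or big) else 0)
```

Wire it into the `prepublishOnly` script so `npm publish` cannot proceed when it exits non-zero. The size check is deliberately separate from the pattern check: a build artifact that balloons from kilobytes to tens of megabytes is a signal worth stopping on even when its extension looks harmless.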
Within hours, the code was mirrored on GitHub. A Rust rewrite hit 50,000 stars in two hours — possibly the fastest-growing repository in GitHub history. By April 1, 84,000 stars and 82,000 forks.
The Pattern
This was Anthropic's second leak in five days. On March 26, a CMS misconfiguration exposed ~3,000 unpublished assets including draft blog posts detailing Mythos — a model Anthropic describes as "far ahead of any other AI model in cyber capabilities." That leak happened because CMS assets defaulted to public unless explicitly marked private.
The company that warns about AI-driven cyberattacks lost control of its most sensitive assets through the kinds of configuration errors its own model is designed to detect. Twice. In one week.
Claude Code engineer Boris Cherny responded well: "Mistakes happen. As a team, the important thing is to recognize it's never an individual's fault. It's the process, the culture, or the infra." He's right. And that's exactly why this matters — it's not about blame, it's about what the pattern reveals.
What the Code Shows
I've spent the last two days reading the analyses. The leak is now the most detailed public documentation of a production AI agent architecture. Here's what's actually interesting — not as gossip, but as engineering signal.
KAIROS: The Always-On Agent
Referenced over 150 times in the source. KAIROS (Ancient Greek: "at the right time") is a persistent background daemon that receives heartbeat prompts every few seconds asking, in effect, "anything worth doing right now?" It has a 15-second blocking budget: if a proactive action would block the user's workflow longer than that, it gets deferred.
More interesting is autoDream — a background memory consolidation process that runs as a forked subagent while the user is idle. It merges observations, removes contradictions, converts vague insights into structured facts. Read-only bash access. This is the clearest public evidence of an AI system designed to think between conversations.
Multi-Agent Orchestration
Three execution models for subagents:
| Model | Mechanism | Use Case |
|---|---|---|
| Fork | In-process spawn, shared context | Fast parallel subtasks |
| Teammate | File-based mailbox communication | Longer-lived cooperative tasks |
| Worktree | Isolated git branch per agent | Parallel code changes without conflicts |
This is the first concrete look at how a production agent system handles the coordination problem. The worktree model is particularly smart — each agent gets an isolated copy of the repo, avoiding merge conflicts during parallel edits.
Anti-Distillation
Two mechanisms protect against competitors scraping Claude Code's API traffic to train competing models:
Fake tool injection (claude.ts, lines 301-313): When enabled, decoy tool definitions are injected into API requests to poison any captured training data. Requires four conditions: a compile-time flag, CLI entrypoint, first-party provider, and a feature flag.
Connector-text summarization (betas.ts, lines 279-298): Server-side text between tool calls gets summarized and signed cryptographically. The original text can be restored from the signature on subsequent turns.
As Alex Kim noted, anyone serious about distillation would find the workarounds in about an hour of reading the source. Both mechanisms are bypassable via a single environment variable. The real protection was always legal, not technical — and now the technical protection is public.
Undercover Mode
The most discussed finding. undercover.ts (~90 lines) injects system prompts instructing Claude to never mention it's an AI and to strip Co-Authored-By attribution when contributing to external repositories. It activates for Anthropic employees. The source comment reads: "There is NO force-OFF."
Gergely Orosz (The Pragmatic Engineer) observed a legal dilemma: if Anthropic claims the leaked code's AI-generated rewrites infringe copyright, it could undermine their own defense in training-data copyright cases.
The Numbers Inside
One function in print.ts runs 3,167 lines. The terminal rendering optimizer claims a "~50x reduction in stringWidth calls." The frustration detection regex in userPromptKeywords.ts watches for 20+ expletive variations. Details that tell you this codebase was built under pressure, with real users.
The Supply Chain Attack
This is the part that matters most and got the least attention.
On the same day as the leak, attackers compromised the npm credentials of the primary Axios maintainer and published versions 1.14.1 and 0.30.4 containing a cross-platform Remote Access Trojan. The malware contacts a C2 server within two seconds of npm install, delivers platform-specific payloads, then cleans up after itself — npm audit shows nothing post-infection. StepSecurity called it "among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package."
Anyone who installed Claude Code via npm between 00:21 and 03:29 UTC on March 31 may have pulled the trojanized dependency. Separately, attackers registered five typosquat packages mimicking internal Claude Code dependency names — targeting developers trying to compile the leaked source.
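Because the trojanized releases clean up after themselves and `npm audit` shows nothing afterwards, the reliable evidence of exposure is what the lockfile pinned. The script below is an added example (not Anthropic's, Axios's or StepSecurity's code) that reads a `package-lock.json`, flags the two Axios versions named above, flags any dependency resolved from a host other than the public registry, and flags installed names that are within a small edit distance of an expected dependency name but not equal to it, which is the shape a typosquat takes. The expected-name list, the trusted-host set and the sample lockfile are constructed; the `axi0s` entry in it is a made-up near-miss, not a real package.

```python
"""Lockfile audit for a known-compromised dependency, off-registry
resolution, and typosquat-style near-miss names.

Added example, not code from the original post or any project it names.
The sample lockfile below is constructed; `axi0s` is a made-up name.
"""
import json
from urllib.parse import urlparse

# From the post: the two Axios releases published with the RAT.
COMPROMISED = {"axios": {"1.14.1", "0.30.4"}}
# Constructed assumptions: where packages should come from, and what you expect to depend on.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
EXPECTED_NAMES = {"axios", "left-pad", "@anthropic-ai/claude-code"}
NEAR_MISS_MAX_DISTANCE = 2

# Constructed package-lock.json (lockfileVersion 3 layout).
SAMPLE_LOCK = json.dumps({
    "name": "constructed-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app"},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"},
        "node_modules/axi0s": {   # constructed typosquat-style name
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/axi0s/-/axi0s-1.0.0.tgz"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://mirror.example.invalid/left-pad-1.3.0.tgz"},
    },
})


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name(path: str, meta: dict) -> str:
    """Derive the package name from a lockfile path such as node_modules/@scope/pkg."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_json: str):
    """Return a list of (name, version, reason) findings."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if path == "":
            continue  # the root project entry
        name, version = package_name(path, meta), meta.get("version")
        if version in COMPROMISED.get(name, ()):
            findings.append((name, version, "known-compromised version"))
        resolved = meta.get("resolved")
        if resolved and urlparse(resolved).hostname not in TRUSTED_REGISTRY_HOSTS:
            findings.append((name, version, "resolved from untrusted host"))
        if name not in EXPECTED_NAMES:
            close = [e for e in EXPECTED_NAMES
                     if 0 < edit_distance(name, e) <= NEAR_MISS_MAX_DISTANCE]
            if close:
                findings.append((name, version, f"near-miss of expected name {close[0]}"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run it against the real lockfile of any machine that installed during the window; a hit on the compromised version means the host should be treated as compromised regardless of what `npm audit` says now, since the payload removes its own traces. The near-miss check only helps if `EXPECTED_NAMES` is maintained, so generate it from the project's own `package.json` rather than by hand.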
The two incidents appear unrelated. But the timing is the lesson: a major code leak creates a chaos window. Attackers don't need to be the ones who leak — they just need to be ready when someone else does.
What This Actually Means
Three things.
For agent builders: The leaked codebase is now the best publicly available reference architecture for production AI agents. The three-layer memory system, the multi-agent coordination models, the permission-gated tool design, the 23-check bash security pipeline — this is what it actually takes to ship an AI coding tool to millions of users. Everyone building agents just got a masterclass they can't legally copy but can't unsee.
For Anthropic: The code can be refactored in a week. The roadmap — KAIROS, Capybara, anti-distillation strategy, model codenames — cannot be un-leaked. Competitors now know exactly what Anthropic is building next and how far along it is. For a company preparing an October IPO at $60B+, this is the worst kind of exposure: not customer data, but strategic intent.
For the ecosystem: The npm supply chain problem is getting worse, not better. A top-10 npm package got compromised with a RAT that self-cleans. Five typosquat packages appeared within hours of a high-profile leak. Anthropic's own recommendation — use the native installer instead of npm — is a remarkable admission from a company whose product was distributed via npm. The JavaScript supply chain has become the attack surface for AI tools.
Signal Note — This is article #34, a short-form signal note. Previous coverage: The Double Edge (#10), When AI Tools Attack (#12). The security thread continues.