Claude Code npm Leak Reveals Unreleased Features Including KAIROS, BUDDY, and Agent Swarms
The company confirmed the incident on March 31, 2026, speaking with Venture Beat, attributing it to human error in the release packaging process. Version 2.1.88 of @anthropic-ai/claude-code shipped with a 59.8 MB Javascript source map file. Basically a debugging artifact that mapped minified production code back to the original Typescript, which pointed directly to a publicly accessible zip archive sitting on Anthropic‘s own Cloudflare R2 storage bucket.
Nobody had to hack anything. The file was just there.
Security researcher Chaofan Shou, an intern at blockchain security firm Fuzzland, spotted the issue and posted the direct bucket link on X. Within hours, mirrored repositories appeared on Github, some accumulating tens of thousands of stars before Anthropic’s DMCA takedowns hit. Community members had already begun stripping telemetry, flipping hidden feature flags, and drafting clean-room reimplementations in Python and Rust to sidestep copyright concerns.
The root cause was straightforward: Bun’s bundler generates source maps by default, and no build step excluded or disabled the debug artifact before publishing. A missing entry in .npmignore or the files field in package.json would have prevented the whole thing.
What developers found inside was detailed. The ~1,900 Typescript files covered tool execution logic, permission schemas, memory systems, telemetry, system prompts, and feature flags — a full engineering view of how Anthropic builds a production-grade agentic coding tool. Telemetry scans prompts for profanity as a frustration signal but does not log full user conversations or code. An “undercover mode” instructs the AI to remove references to internal codenames and project details from git commits and pull requests.
Several unreleased features sat behind flags. KAIROS is described as an always-on background daemon that watches files, logs events, and runs a “dreaming” memory-consolidation process during idle time. BUDDY is a terminal pet with 18 species — including capybara — carrying stats like DEBUGGING, PATIENCE, and CHAOS. COORDINATOR MODE lets a single agent spawn and manage parallel worker agents. ULTRAPLAN schedules 10- to 30-minute remote multi-agent planning sessions.
Anthropic told Venture Beat the incident involved no sensitive customer data, no credentials, and no compromise of model weights or inference infrastructure. “This was a release packaging issue caused by human error,” the company said, adding that it is rolling out measures to prevent a repeat.
Those measures may need to move quickly. This is the second time the same mistake has happened. A nearly identical source-map leak occurred with an earlier version of Claude Code in February 2025.
The March 31 incident also landed alongside a separate npm supply-chain attack on the axios package, active between 00:21 and 03:29 UTC. Developers who installed or updated Claude Code via npm during that window are advised to audit their dependencies and rotate credentials. Anthropic recommends its native installer over npm going forward.
Context matters here. Five days earlier, on March 26, a CMS misconfiguration at Anthropic exposed roughly 3,000 internal files covering details on the unreleased “Claude Mythos” model, also attributed to human error. Two significant accidental disclosures in less than a week raises questions about release hygiene at a company whose tools are actively used to write and ship code at scale.
The leaked source code remains available in archived and mirrored forms despite active takedown enforcement. Anthropic has not published a broader post-mortem or public statement beyond its comment to Venture Beat.
No user data was exposed. The core Claude models are unaffected. The blueprint for building a competitor to Claude Code, however, is now considerably easier to assemble.
FAQ 🔎
- Q: Was the Claude Code source code leak a hack? No — Anthropic confirmed the exposure was a packaging error, not a security breach or unauthorized access.
- Q: What was actually exposed in the Anthropic npm leak? Approximately 512,000 lines of TypeScript covering the Claude Code CLI, including telemetry, feature flags, hidden features, and agent architecture — not model weights or customer data.
- Q: Is my data at risk from the Claude Code npm incident? Anthropic says no user data or credentials were exposed; developers who installed via npm during the concurrent axios supply-chain attack window should audit dependencies and rotate credentials.
- Q: Has Anthropic leaked source code before? Yes — a nearly identical source-map leak involving an earlier Claude Code version occurred in February 2025, making this the second such incident in roughly 13 months.
Credit: Source link
