Claude Code's Source Code Just Leaked — And What's Inside Changes Everything We Thought About AI Coding Tools

To understand this leak, you need to understand what a source map is. When developers write software in TypeScript, they compile it into JavaScript before publishing. The compiled code is harder to read — variable names are shortened, logic is compressed, structure is flattened. A source map is a file that reverses this process. It maps the compiled code back to the original source, line by line. It is essential for debugging during development. It is never supposed to ship in a public package.

Version 2.1.88 of the @anthropic-ai/claude-code package, published to npm — the world's largest JavaScript package registry — included a source map weighing 59.8 megabytes. For reference, a typical source map for a production package is a few hundred kilobytes. This one was 200 times larger. Inside it was a URL pointing to a zip archive on Anthropic's Cloudflare R2 storage. The archive contained Claude Code's full, unobfuscated TypeScript source code.

Anthropic's official response called it 'a release packaging issue caused by human error, not a security breach.' They emphasized that no customer data or credentials were exposed. Both of these statements are technically accurate and entirely beside the point. What was exposed was something more valuable than credentials: the complete intellectual property of Anthropic's flagship developer product.

The leaked codebase is not a monolith. It is a carefully modular system organized around three pillars: a query engine, a tool system, and a permission model.

The Query Engine is the brain. At 46,000 lines, it is the largest single module in the codebase. It handles every interaction with the underlying Claude model — streaming API calls, managing token counts, caching responses, orchestrating tool-call loops, and implementing retry logic when things go wrong. If you have ever used Claude Code and noticed that it seems to 'think' in steps, executing one tool, reading the result, then deciding what to do next — the query engine is what makes that loop work.

The Tool System is the hands. Claude Code exposes approximately 40 discrete tools — file reading, file writing, shell execution, git operations, web fetching, code search, and more. Each tool is a plugin with its own permission gate. When Claude Code asks to run a bash command or edit a file, it is not a freeform action: it is a specific tool invocation that passes through a permission layer before execution. This architecture explains why Claude Code can be simultaneously powerful and safe — every action is individually gated.

The Permission Model is the guardrail. Every tool call must pass through a permission check that considers the tool type, the user's configured permission level, and the specific action being requested. Users can allow certain tools automatically while requiring approval for others. This is not cosmetic — it is deeply embedded in the architecture.

Named after the ancient Greek concept of kairos — the opportune moment, the right time to act — KAIROS is the most significant discovery in the leaked source code. It is not a feature inside Claude Code. It is a fundamentally different operating mode.

Today, Claude Code is reactive. You ask it to do something, it does it, then it waits. KAIROS changes that model entirely. It is an always-on background daemon that continues working after the developer stops typing. Think of it as the difference between a calculator and a coworker: a calculator waits for input, a coworker takes initiative.

The most striking component is the autoDream process. During idle periods — when the developer is away, sleeping, or working on something else — KAIROS performs what the code calls 'memory consolidation.' It reviews the day's observations, merges overlapping notes, removes contradictions, and converts vague insights into structured facts. It is, in effect, thinking about what it learned today so it can be more useful tomorrow.

The architecture uses append-only daily log files, receives periodic tick prompts that trigger proactive decision-making, and has a strict 15-second budget for any autonomous action. It can subscribe to PR updates, send push notifications, and maintain heartbeat signals. The code references to KAIROS appear over 150 times in the source — this is not an experiment. It is a product in development.

For non-technical readers: imagine a junior developer on your team who, every night after work, organizes their notes, reviews what happened during the day, and comes in the next morning with a clear plan. That is KAIROS. Except it does this at machine speed, never forgets anything, and never takes a day off.

One of the most technically sophisticated findings in the leak is a mechanism Anthropic calls anti-distillation. The concept is simple. The implementation is elegant. And the implications are significant.

Here is the problem it solves: when Claude Code makes an API call to Anthropic's servers, the request includes the full system prompt — a detailed set of instructions that tells Claude how to behave, what tools are available, and how to use them. If a competitor were to intercept or record this API traffic, they could extract these prompts and use them to train their own models. In AI, this is called distillation: training a cheaper model to imitate an expensive one by learning from its inputs and outputs.

Anthropic's defense: when anti-distillation is active, Claude Code sends a flag that tells the server to inject fake tool definitions into the system prompt. These are tools that do not exist — plausible-sounding capabilities with realistic descriptions and parameter schemas, but no actual implementation. If a competitor trains on this traffic, their model learns to use tools that are not real. It is the digital equivalent of a cartographer who adds a fictional street to a map to catch copiers.

The mechanism is gated behind a GrowthBook feature flag and is only active for first-party CLI sessions — meaning it does not affect third-party integrations or API consumers. It specifically targets scenarios where Anthropic suspects its own product traffic is being recorded for competitive training.

Of all the revelations in the leak, Undercover Mode may be the most controversial. It is a feature designed to systematically remove any evidence that AI was involved in writing code.

When active, Undercover Mode strips AI attribution from commit messages, removes internal codenames (Capybara, Tengu, Fennec, Numbat) from generated code, prevents mentions of Anthropic's internal Slack channels or repository names, and injects strict instructions into the model's prompts to prevent any leakage of Anthropic's involvement.

The stated purpose is to allow Claude Code to contribute to public repositories without revealing that the code was AI-generated. In a world where many open-source projects and companies have policies about AI-written code, this is a feature designed to bypass those policies by making detection impossible.

The irony is almost too perfect: a mode built to prevent information leaks was itself discovered through the biggest information leak in Anthropic's history. The code that hides fingerprints had its own fingerprints exposed through the same packaging pipeline it was designed to protect.

For the broader industry, this raises serious questions about transparency and disclosure. If AI tools can be configured to hide their own involvement, how do maintainers of open-source projects verify that contributions meet their policies? How do companies audit whether their codebase was human-written or AI-generated? Undercover Mode does not just raise ethical questions — it makes those questions harder to answer.

The leaked source code contains 44 feature flags for capabilities that have not been publicly announced. Feature flags are conditional switches in code — a built feature sits behind a flag that can be turned on or off without redeploying the software. They are standard engineering practice for gradual rollouts. But 44 of them in a single product suggests a significant volume of unreleased work.

The code reveals several model codenames. Capybara is the internal name for a Claude 4.6 variant, currently on its eighth iteration (v8). Fennec maps to Opus 4.6. And Numbat is an unreleased model still in testing. Perhaps most interesting is a performance metric: Capybara v8 shows a 29-30% false claims rate — a regression from v4, which achieved 16.7%. This suggests that scaling model capability sometimes comes at the cost of accuracy, a tradeoff the source code explicitly tries to manage through what it calls 'assertiveness counterweights.'

The codename 'Tengu' appears over a hundred times in the source. In Japanese mythology, Tengu are supernatural beings known for martial arts mastery and mischief. In Claude Code's source, Tengu appears to be the internal project name for the product itself — or possibly for a major upcoming version.

The market's response was swift and severe. Cybersecurity stocks experienced their sharpest single-session decline since the start of the AI boom.

CrowdStrike fell 7%. Palo Alto Networks dropped 6%. Zscaler declined 4.5%. Okta, SentinelOne, and Fortinet each lost approximately 3%. The broader tech sector index fell 3%. Bitcoin dropped to $66,000 from above $70,000. The combined market capitalization loss across the cybersecurity sector alone was measured in billions.

The market logic was straightforward: the leaked code, combined with separately leaked details about Anthropic's 'Claude Mythos' model, revealed AI capabilities sophisticated enough to perform advanced code analysis, create custom exploits, and execute complex attack scenarios. One analyst characterized the implication as 'turning any ordinary hacker into a nation-state adversary.' Whether or not that assessment is hyperbolic, the market treated it as credible.

For cybersecurity companies, the concern is existential economics. Their business model is built on the assumption that sophisticated attacks require sophisticated attackers — and sophisticated attackers are scarce. If AI tools dramatically lower the skill floor for launching advanced attacks, the volume of threats increases faster than defensive tools can scale. The market repriced accordingly.

If you are a developer, the practical takeaways are clear. First, understand what your tools are doing. Claude Code's architecture is now public knowledge — its permission model, its tool system, its anti-distillation defenses. This transparency (however involuntary) allows developers to make more informed decisions about which AI tools they trust and how they configure them.

Second, the KAIROS revelation means that AI coding tools are heading toward autonomy. The current generation of tools waits for you to ask. The next generation will act on its own, within boundaries you define. Whether this excites you or concerns you depends on how much you trust those boundaries — and the leak shows that those boundaries are being carefully designed.

If you are not a developer, here is what matters: the software you use every day — your banking app, your messaging platform, your healthcare portal — is increasingly being written or assisted by AI tools exactly like Claude Code. This leak revealed that these tools are more complex, more autonomous, and more strategically deployed than most people realize. The question of how AI writes code is becoming inseparable from the question of how much we can trust the software it produces.

Anthropic called this a 'packaging error caused by human error.' That is true. It is also insufficient. When the same error happens twice in fifteen months, the conversation shifts from 'what happened' to 'why does this keep happening.' For an AI safety company — one whose founding mission is to build safe, trustworthy AI — the pattern matters more than the incident.

There is a line that separates a tool from a system. A tool does what you tell it. A system makes decisions, takes initiative, and operates even when you are not watching. Claude Code, as it exists today, is a tool. KAIROS, as it exists in the leaked code, is a system.

This is the most important takeaway from the entire leak. Not the fake tools. Not the undercover mode. Not the stock market crash. The most important thing is the trajectory: AI coding tools are becoming AI coding systems. They are moving from reactive to proactive, from session-based to persistent, from doing what you say to anticipating what you need.

Whether this trajectory leads to dramatically better software or dramatically new risks depends on choices that are being made right now — by AI labs, by development teams, by regulators, and by the developers who decide how much autonomy to grant these systems. The leak gave us a premature look at that future. What we do with that knowledge is up to us.