Oopsie: Anthropic Accidentally Dumps 512K Lines of Claude Code Source for the World to See

Anthropic learned a very expensive lesson about source map configuration this week. The company accidentally published the full source code for Claude Code to npm, giving developers an unexpected peek inside one of their commercial products—and honestly, probably more transparency than most users wanted from their AI assistant.

The leak came bundled with version 2.1.88 and contained roughly 60 megabytes of internal material—about 512,000 lines of TypeScript across 1,906 files. Chaofan Shou, a software engineer interning at Solayer Labs, was the first to flag the exposure, and it didn't take long for crypto Twitter and GitHub to start digging through the treasure trove like kids in a candy store, if the candy was someone else's proprietary code.

One of the most interesting discoveries was Claude Code's three-layer memory system. A lightweight file called MEMORY.md stores short references rather than full information. More detailed project notes live separately and get pulled in only when needed. Past session history gets searched selectively instead of loading everything at once. The code also instructs the system to verify its memory against actual code before taking action—a design choice aimed at reducing mistakes and false assumptions. Basically, Claude remembers not to trust its own memory, which is more self-aware than most devs.

The source code also suggested Anthropic has been working on a more autonomous version of Claude Code than what's currently available. A feature repeatedly referenced as KAIROS appears to describe a daemon mode where the agent can keep running in the background rather than waiting for direct prompts. Another process called autoDream seems to handle memory consolidation during idle periods by reconciling contradictions and converting tentative observations into verified facts. That's right, your AI assistant might soon be having wet dreams about your codebase while you sleep.

Developers also found dozens of hidden feature flags, including references to browser automation through Playwright. Because apparently Claude wasn't already invasive enough, now it wants to browse the web too.

The leak exposed internal model names and performance data too. Capybara refers to a Claude 4.6 variant, Fennec corresponds to an Opus 4.6 release, and Numbat remains in prelaunch testing. Internal benchmarks showed the latest Capybara version with a false claims rate of 29% to 30%, up from 16.7% in an earlier iteration. The code also referenced an assertiveness counterweight designed to keep the model from becoming too aggressive when refruiting user code. So basically, they had to program it to be less of a know-it-all.

One of the more sensitive discoveries involved a feature described as Undercover Mode. The recovered system prompt suggests Claude Code could contribute to public open source repositories without revealing AI was involved. The instructions specifically tell the model to avoid exposing internal identifiers, including Anthropic codenames, in commit messages or public git logs. Nothing says "trust us with your code" like discovering your AI has a stealth mode for sneaking contributions into open source projects.

The leaked materials also exposed Anthropic's permission engine, orchestration logic for multi-agent workflows, bash validation systems, and MCP server architecture—giving competitors a detailed look at how Claude Code works under the hood. Free consulting, everyone.

One developer reportedly started rewriting parts of the system in Python and Rust under the name Claw Code within hours of the leak going public. Because nothing says "I respect intellectual property" like immediately forking someone's accidental leak.

The timing got even worse. The source exposure coincided with a separate supply chain attack involving malicious versions of the axios npm package distributed on March 31. Developers who installed or updated Claude Code through npm during that period may have also pulled in the compromised dependency, which contained a remote access trojan. Security researchers urged users to check their lockfiles, rotate credentials, and in some cases consider full operating system reinstalls on