In the tech industry, there is a distinct type of embarrassment that arises from being caught with your doors unlocked rather than from a botched product launch or a poor earnings call. While looking through the public npm registry on a Tuesday morning that Anthropic’s engineering team would probably prefer to forget, Chaofan Shou, a security researcher, discovered something that shouldn’t have been there.
The entire source code of Anthropic’s flagship AI coding tool, Claude Code, was sitting there in the open: all 512,000 lines of it, 59.8 megabytes in total.
| Field | Details |
|---|---|
| Company | Anthropic |
| Founded | 2021 |
| Headquarters | San Francisco, California, USA |
| Founders | Dario Amodei, Daniela Amodei (and others from OpenAI) |
| Flagship Product | Claude AI (conversational AI assistant) |
| Leaked Product | Claude Code — AI coding CLI tool |
| Incident Date | Tuesday morning, version 2.1.88 published to npm |
| Leak Size | 512,000 lines of TypeScript · 59.8 MB · ~2,000 files |
| Discovered By | Security researcher Chaofan Shou |
| Viral Reach | 27+ million views on X (formerly Twitter) |
| Root Cause | Bun bundler bug + missing .npmignore exclusion rule |
| Anthropic’s Response | “No sensitive customer data or credentials were exposed” |
| Estimated Valuation | ~$61.5 billion (as of 2025 funding round) |
| Key Competitors | OpenAI, Google DeepMind, Meta AI |
The irony was almost poetic. Among the exposed code was a feature called “Undercover Mode,” a subsystem built specifically to stop internal Anthropic secrets from leaking into public repositories. The company had built a system to protect its privacy, then handed that very system to the internet through a known bundler bug and a missing one-line exclusion rule.
It is hard to look past the irony of a secrecy engine shipping inside code you never meant to publish.

Once you follow the technical explanation, the story becomes less dramatic and more mundane. After acquiring the runtime in late 2025, Anthropic moved Claude Code’s build onto Bun’s bundler. Bun has a bug where source maps are generated even when they are explicitly disabled.
The bug has been reported, documented, and is currently open in Bun’s public issue tracker as issue #28001. It is not an obscure edge case: reproducing it takes a few files and roughly twelve lines of code.
Anyone following Bun’s issue tracker had known about it for weeks. Bun’s own documentation says source maps can be turned off for production builds. The actual behavior ignores that setting and still appends a source map reference to the output.
The actual exposure is the source map itself. A source map is more than a debugging aid: alongside its position mappings it carries, in a sourcesContent field, the full original, unminified, unobfuscated text of every file it references, whenever the bundler embeds that content (most do by default). Comments, system prompt strings, internal constants, feature flags: all of it is readable.
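To make the previous paragraph concrete, here is an added example (not Anthropic’s or Bun’s code) that does what anyone who downloaded the leaked package could do: detect the trailing sourceMappingURL comment a bundler emits, then rebuild the original files from the map’s sourcesContent. The bundle text and map below are constructed samples; the field names (version, sources, sourcesContent, sourceRoot, mappings) are the standard source map v3 fields.

```javascript
// Added example (not Anthropic's or Bun's code): what a published source map
// gives away. A v3 source map is plain JSON; "sources" names the original
// files and "sourcesContent", when the bundler embeds it, holds their full
// original text. The bundle and map below are constructed samples.

const SAMPLE_BUNDLE =
  "var F={KAIROS:!1,BUDDY:!1};\n" +
  "//# sourceMappingURL=cli.js.map\n";

const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: "cli.js",
  sources: ["src/flags.ts", "src/prompt.ts"],
  sourcesContent: [
    "// feature flags (constructed sample)\n" +
      "export const FLAGS = { KAIROS: false, BUDDY: false };\n",
    "// system prompt fragment (constructed sample)\n" +
      "export const SYSTEM_PROMPT = 'You are a coding assistant.';\n",
  ],
  names: [],
  mappings: "AAAA",
});

// The trailing comment a bundler appends when it emits an external map.
// Seeing it in a build configured with maps off is the symptom described above.
function findSourceMapReference(bundleText) {
  const m = /^\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/m.exec(bundleText);
  return m ? m[1] : null;
}

// Rebuild the original files from a map. Returns { path: text }, with text
// null for sources the map references but does not embed.
function recoverSources(mapJson) {
  const map = JSON.parse(mapJson);
  if (map.version !== 3) {
    throw new Error(`unsupported source map version ${map.version}`);
  }
  const root = map.sourceRoot ? map.sourceRoot.replace(/\/?$/, "/") : "";
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const out = {};
  map.sources.forEach((src, i) => {
    out[root + src] = typeof contents[i] === "string" ? contents[i] : null;
  });
  return out;
}

// Size the exposure: how many referenced files are fully embedded, and how
// many lines of original source that amounts to.
function exposureSummary(mapJson) {
  const files = recoverSources(mapJson);
  let embedded = 0;
  let lines = 0;
  for (const text of Object.values(files)) {
    if (text === null) continue;
    embedded += 1;
    lines += text.split("\n").length - (text.endsWith("\n") ? 1 : 0);
  }
  return { referenced: Object.keys(files).length, embedded, lines };
}

console.log("map referenced by bundle:", findSourceMapReference(SAMPLE_BUNDLE));
console.log(exposureSummary(SAMPLE_MAP));
for (const [path, text] of Object.entries(recoverSources(SAMPLE_MAP))) {
  console.log(`--- ${path} ---\n${text}`);
}
```

The point of recoverSources returning null for un-embedded entries is the caveat from the paragraph above: a map whose bundler did not embed sourcesContent only leaks file names and positions, while one that did, as in this sample, leaks the tree verbatim.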
From there the rest was mechanical. npm publishes every file that is not explicitly excluded, and no `*.map` rule had been added to the .npmignore file, so the map went into the registry along with everything else. There appears to have been no final check in the process: nothing in CI that opened the output tarball and verified what was actually inside before publishing.
Shou’s post on X, which linked to an archive of the contents, drew more than 27 million views. Whatever Anthropic had been saving for a calculated reveal was now public.
To be honest, the contents were more intriguing than the leak itself. Developers who went through the source found 44 unreleased feature flags describing functionality that was complete but had not yet shipped.
One of them, called KAIROS, is a persistent background assistant that keeps track of your activities and responds to them without your explicit request. It has special features like PushNotification and SubscribePR that aren’t available in any of the software’s public versions.
Another, BUDDY, is best described without editorializing as a complete Tamagotchi-style virtual companion that appears to be deterministically assigned based on a hash of your user ID. It has eighteen species, shiny variants, procedurally generated stats, and ASCII art sprites.
Reports suggest a May 2026 launch was hinted at in the code. A third, ULTRAPLAN, hands complex planning tasks to a remote Opus 4.6 session that can work on a problem for up to 30 minutes before sending the result back to your local terminal.
It is still unclear whether the leak will change Anthropic’s plans for any of these features or whether they will ship on their original schedule. Having the company’s roadmap become an open book for rivals to read at their leisure is a different kind of harm from losing customer data, but it is harm nonetheless.
The code’s memory architecture also shows how Claude Code treats knowledge over time. It uses a three-layer system: a lightweight index that lives permanently in context and stores pointers rather than facts; topic files fetched on demand; and a background subagent called “Dream” that periodically consolidates memory in four phases and then prunes it to a capped size. Memory is treated as hints rather than ground truth, and the system still verifies before acting on anything it remembers.
Then comes the stranger material. An anti-distillation mode that poisons traffic for anyone attempting to train a rival model on Claude Code’s behavior, by inserting phony tools into the system prompt. A client attestation system that embeds cryptographic proof in every request so the server can verify the binary is genuinely Claude Code and not a third-party wrapper.
And perhaps the most blatantly human of all: frustration detection that is not a sentiment model at all but plain regex pattern matching on a short list of words (wtf, ffs, shit). Sensible. A little endearing. Efficient.
Anthropic acknowledged the leak, attributed it to human error, and said that no customer data or credentials were exposed. As far as it went, the statement was precise and measured. But the true lesson here is not Bun’s bug, which will eventually be fixed.
It is about release procedures that lack a final sanity check: someone opening the output package and asking, “What is actually in here?” Answering that question takes about ten seconds. In this instance, no one asked.
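The ten-second check that this closing paragraph describes, and that the missing CI step and missing .npmignore rule above would have been caught by, is easy to automate. The following is an added example, not Anthropic’s or npm’s own tooling. It takes the list of files that would go into the tarball (the `files` array that `npm pack --dry-run --json` prints, each entry carrying a `path`) plus a reader for file contents, and returns a finding for every source map file, every bundle with a sourceMappingURL comment, and every inline data: URL map. The listing, contents and the `sampleReader` function are constructed for the example; in CI you would pass the real listing and `fs.readFileSync`.

```javascript
// Added example (not Anthropic's or npm's own tooling): the ten-second
// "what is actually in here?" check, automated. Input is the `files` array
// from `npm pack --dry-run --json` and a function that reads a file's text.
// The listing and contents below are constructed samples.

const MAP_FILE = /\.map$/i;
const SCRIPT_FILE = /\.(c|m)?js$/i;
const MAP_COMMENT = /^\/\/[#@]\s*sourceMappingURL=(\S+)/m;

// Returns a list of { path, problem }; an empty list means the package is clean.
function auditPackContents(files, readFile) {
  const findings = [];
  for (const { path } of files) {
    if (MAP_FILE.test(path)) {
      let problem = "source map file in package";
      try {
        const map = JSON.parse(readFile(path));
        if (Array.isArray(map.sourcesContent) &&
            map.sourcesContent.some((s) => typeof s === "string")) {
          problem = "source map with embedded original source (sourcesContent) in package";
        }
      } catch (_) {
        // Unparsable map: still a .map file, still a failure.
      }
      findings.push({ path, problem });
      continue;
    }
    if (!SCRIPT_FILE.test(path)) continue;
    const m = MAP_COMMENT.exec(readFile(path));
    if (!m) continue;
    findings.push({
      path,
      problem: m[1].startsWith("data:")
        ? "inline source map embedded in bundle"
        : `bundle references external map ${m[1]}`,
    });
  }
  return findings;
}

// Constructed sample listing, shaped like the `files` array from npm pack --json.
const SAMPLE_FILES = [
  { path: "package.json" },
  { path: "README.md" },
  { path: "cli.js" },
  { path: "cli.js.map" },
];

// Constructed sample contents for the files the audit needs to open.
const SAMPLE_CONTENTS = {
  "cli.js": "var F={KAIROS:!1};\n//# sourceMappingURL=cli.js.map\n",
  "cli.js.map": JSON.stringify({
    version: 3,
    sources: ["src/flags.ts"],
    sourcesContent: ["export const FLAGS = { KAIROS: false };\n"],
    names: [],
    mappings: "AAAA",
  }),
};

function sampleReader(path) {
  if (!(path in SAMPLE_CONTENTS)) throw new Error(`no sample content for ${path}`);
  return SAMPLE_CONTENTS[path];
}

const findings = auditPackContents(SAMPLE_FILES, sampleReader);
for (const f of findings) console.log(`FAIL ${f.path}: ${f.problem}`);
console.log(findings.length === 0
  ? "package is clean"
  : `${findings.length} problem(s); do not publish`);
```

A bundle that references an external map which is not in the package is not a leak by itself, but it is the exact symptom described earlier: the bundler emitted a map it was told not to, and the next change to .npmignore can ship it. Running an audit like this between `npm pack --dry-run` and `npm publish` in CI, and fixing the root with a `files` allowlist in package.json rather than a `.npmignore` denylist alone, is the one-line rule and the last check this article says were missing.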
