7 min Reading Time
On March 31, 2026, the complete source code of Claude Code surfaced publicly – not via a hack, but due to a single forgotten configuration line in an NPM package. The 512,000 lines of TypeScript that security researcher Chaofan Shou discovered inside a source map file paint a picture far beyond that of a simple AI chatbot: Claude Code is a full-fledged agent runtime – with a built-in tooling system, granular permission model, and multi-agent coordination layer. Analyzing this code reveals not only how Anthropic built its flagship developer tool – but how next-generation AI agent architectures fundamentally operate.
TL;DR
- The NPM package @anthropic-ai/claude-code v2.1.88 contained a 59.8 MB source map file with the complete TypeScript source code.
- The architecture runs on Bun, TypeScript, and React/Ink – featuring ~40 integrated tools and a four-tier permission system.
- 44 feature flags hint at unreleased capabilities: autonomous daemon mode (KAIROS), multi-agent coordination, voice control.
- Anthropic confirmed: “Packaging error caused by human failure.” No customer data or API keys were compromised.
- Over 8,100 GitHub mirrors were removed via DMCA takedown notices – but the code persists on decentralized platforms.
What Happened
On the morning of March 31, Chaofan Shou posted his discovery on X. Shou is a Ph.D. candidate at UC Berkeley, co-founder of blockchain security startup Fuzzland, and a bug bounty researcher who has reported vulnerabilities worth $around 1.7 million euros. His finding: version 2.1.88 of the official NPM package @anthropic-ai/claude-code included the file cli.js.map. This 59.8 MB source map contained, within its sourcesContent field, the full TypeScript source code for Claude Code – roughly 1,900 files totaling 512,000 lines of production code.
The source map also referenced a ZIP archive hosted on Anthropic’s publicly accessible Cloudflare R2 bucket. Within hours, the code was mirrored on GitHub. The most prominent repository garnered over 41,500 forks before Anthropic’s DMCA notices triggered GitHub to deactivate a total of 8,100 repositories.
The code remains available on decentralized platforms. Derivative projects – including a Python port and a Rust rewrite – survived the DMCA actions, as they are not direct copies. The likely root cause: Anthropic uses Bun as its runtime. An open Bun bug (reported March 11, 2026) documents that Bun’s bundler generates source maps by default – even in production mode. Neither .npmignore nor the files field in package.json had been configured to exclude .map files.
The community responded swiftly – and with irony: Within 24 hours, a Python port (claw-code, amassing 30,000 GitHub stars in record time) and a Rust rewrite emerged. On Hacker News, one comment dominated the discussion: “Anthropic markets Claude as a code-writing tool – and their own code leaked because of a missing .npmignore entry.”
Notably, this was Anthropic’s second data exposure incident within a week. Just days earlier, approximately 3,000 internal files appeared in a publicly accessible cache – including details about an unreleased AI model codenamed “Mythos.” For a company targeting an IPO with an estimated valuation of $around 331 billion euros, the timing could hardly be worse.
Not a Chat Interface – An Agent Runtime
Technical analysis of the source code confirms what many cloud developers suspected: Claude Code is not a chatbot with a terminal interface. It is a modular agent runtime – a framework that wraps a large language model with a rich, extensible toolkit.
Core architecture: Bun instead of Node.js as the runtime (Anthropic acquired Bun’s parent company); React with Ink for terminal rendering; Zod v4 for schema validation of all tool inputs and outputs; OpenTelemetry and gRPC loaded lazily on demand to minimize startup latency – a classic lazy-loading pattern signaling strong focus on developer experience.
The tooling system comprises roughly 40 discrete, permission-controlled utilities: filesystem access, Bash execution, web fetching, glob search, LSP integration, and external MCP server (Model Context Protocol) connectivity. The Query Engine alone – which handles API calls, streaming, caching, orchestration, and token counting – spans 46,000 lines of code.
The permission model operates across four tiers: Plan (read-only), Standard (with confirmation dialogs), Auto (wildcard approvals), and Bypass (full access). A classifier determines which permission level each action requires. A Bash validation layer scans commands for risk indicators before execution. The entire system supports OS-level sandboxing for both filesystem and network access.
The storage system is three-tiered: A compact MEMORY.md file holds short references – the first tier. Separate project notes load contextually – the second tier. The third tier selectively searches past sessions rather than loading the entire history. This design directly addresses a core challenge in LLM applications: context windows are finite, yet project context grows unbounded.
IDE integration works via a bidirectional, JWT-authenticated bridge to VS Code and JetBrains. Claude Code functions simultaneously as both an MCP client and an MCP server – it can integrate external tools and serve as a tool for other systems. This architectural decision positions Claude Code not as a standalone product, but as an integration layer for development infrastructure.
44 Feature Flags Expose the Roadmap
Especially revealing are the 44 compile-time feature flags for unreleased functionality. They reveal Anthropic’s strategic direction for Claude Code:
KAIROS is an autonomous daemon mode, running Claude Code as a persistent background agent. Each action has a 15-second blocking budget; daily logs are append-only. A subsystem named autoDream consolidates idle-time observations and transforms vague notes into concrete facts. With over 150 mentions in the source code, KAIROS signals advanced development – not experimental prototyping.
COORDINATOR_MODE implements multi-agent orchestration: One Claude agent directs multiple worker agents in parallel. The system prompt for the coordinator reads: “Do not rubber-stamp weak work.” This is multi-agent architecture not as research – but as production-grade engineering.
ULTRAPLAN is a deep-planning mode allowing up to 30 minutes of server-side execution – a magnitude longer than typical LLM interactions.
Other flags include VOICE_MODE (push-to-talk voice control in the terminal), BRIDGE_MODE (remote control of a Claude Code instance by an external process), and BUDDY – a Tamagotchi-like terminal pet with 18 species, rarity tiers, and five attributes (Debugging, Patience, Chaos, Wisdom, Snark). The pet is generated from a hash of the user ID and appears to have been planned as an April Fools’ Easter egg.
Two technical details deserve special attention: An anti-distillation mechanism (flag: ANTI_DISTILLATION_CC) injects fake tool definitions into API requests – to poison training data collected by competitors monitoring API traffic to train rival models. And an undercover mode strips all Anthropic references when Claude Code operates inside public repositories. Its internal instruction reads: “You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Do not blow your cover.”
What This Means for Cloud Architectures
The leak confirms a trend cloud architects should track closely: AI-powered development tools are not thin API wrappers. They are full-fledged runtime systems – with dedicated infrastructure, memory management, and orchestration logic.
Three insights for teams integrating AI tools into development workflows:
Complexity beneath the surface is substantial. 512,000 lines of code for a CLI tool underscores the engineering effort required to productively embed an LLM into developer workflows. The tooling system, permission model, and storage layer – each is a self-contained software component. Teams planning similar internal integrations must realistically assess scope.
Multi-agent is production architecture. The Coordinator Mode implementation demonstrates a concrete pattern: a central orchestrator delegates tasks to parallel workers, monitors output quality, and consolidates results. This pattern transfers directly to cloud-native microservice architectures – and it originates from a production system – not a research paper.
Source maps in NPM packages remain an underestimated risk. Bun’s default build configuration automatically generates source maps. Any team using Bun in CI/CD pipelines should verify whether .map files land in published artifacts. Running npm pack –dry-run before every publish is the simplest mitigation. That this issue recurred at Anthropic three times (v0.2.8, v0.2.28, and now v2.1.88) shows manual checks aren’t enough. An automated CI gate that fails the build if .map files appear in artifacts is the right solution.
Beyond that, the leak raises a strategic question: If AI agents are to be treated as runtime systems, their permission and sandboxing models must meet the same security standards as any other production infrastructure. Six documented CVEs in Claude Code prior to the leak – including API key leakage and sandbox bypasses – suggest the industry hasn’t yet universally achieved that maturity level.
Frequently Asked Questions
Were customer data or API keys exposed?
No. Anthropic and independent security analyses confirm: neither customer data nor credentials were present in the source code. What was exposed was the application code for the Claude Code CLI – not the AI models, training data, or operational secrets.
What is a source map – and why is it a risk?
Source maps are JSON files that map compiled JavaScript back to its original source. They contain a sourcesContent field holding the full, human-readable source text. In production packages, they expose architecture, internal logic, and endpoints. Tools like reverse-sourcemap can reconstruct an entire directory structure from a single .map file.
Why does Anthropic use Bun instead of Node.js?
Anthropic acquired Bun’s parent company. Bun delivers faster startup times and an integrated bundler toolchain – critical for CLI tools. However, Bun’s bundler generates source maps by default – a documented bug (reported March 11, 2026) that contributed directly to the leak.
Is the source code still accessible?
Over 8,100+ repositories were deactivated on GitHub via DMCA notices. The code remains available on decentralized platforms such as Gitlawb. Independent projects have reimplemented the architecture in Python and Rust – as standalone implementations, they fall outside DMCA scope.
What do the feature flags mean for Claude Code users?
The 44 flags indicate features under active development. KAIROS (autonomous daemon), COORDINATOR_MODE (multi-agent), and VOICE_MODE (voice input) point toward significant expansion. Whether – or when – these features will roll out to all users remains unclear post-leak; Anthropic may adjust internal roadmaps accordingly.
Editor’s Reading Recommendations
- → Source Map in NPM Package: How Anthropic Exposed 512,000 Lines of Production Code (SecurityToday) – A supply-chain security analysis of the incident
Header Image Source: Pexels / Markus Spiske (px:6190327)
