10 min read · April 1, 2026

Claude Code Source Leak 2026: Everything Revealed

By Loïc Jané · Founder, Fleece AI

Claude Code Source Code Leak 2026: The Full Breakdown

At a Glance: On March 31, 2026, Anthropic accidentally published the entire source code of Claude Code — 512,000 lines of TypeScript across 1,900 files — via a misconfigured npm package. The leak exposed the tool's internal architecture, unreleased features like Kairos and Buddy, model codenames, anti-distillation mechanisms, and an "Undercover Mode" for Anthropic employees. Here is everything we know. Updated April 2026.

Key Takeaways

  • A missing .npmignore entry shipped a 59.8 MB JavaScript source map file with Claude Code version 2.1.88 on the public npm registry.
  • 512,000 lines of unobfuscated TypeScript across ~1,900 files were exposed, covering the full CLI architecture, tool definitions, telemetry, feature flags, and system prompts.
  • Hidden features discovered include Kairos (always-on autonomous agent), Buddy (a tamagotchi pet system), Coordinator Mode (multi-agent orchestration), and Undercover Mode (AI attribution stripping).
  • Internal model codenames — Capybara, Tengu, Fennec, Numbat — were exposed in the codebase.
  • This was Anthropic's second leak in five days, following the Mythos model data leak on March 26.
  • Anthropic confirmed it was "a release packaging issue caused by human error, not a security breach" with no customer data exposed.

How the Leak Happened

The root cause was remarkably simple: a missing file exclusion rule in the npm package configuration.

When Anthropic's release team built Claude Code version 2.1.88, the build tool (Bun) generated source map files by default — standard .map files used for internal debugging that map minified JavaScript back to the original TypeScript source. Normally these files are excluded from published packages via a .npmignore file or a files field in package.json.

Someone on the release team failed to add *.map to .npmignore. The result: a 59.8 MB source map file was uploaded to the public npm registry alongside the regular package. Security researcher Chaofan Shou discovered the exposed file within hours.

The source map pointed to a zip archive on Anthropic's cloud storage containing the full, unobfuscated TypeScript source code. Within hours, it was mirrored across GitHub — a clean-room rewrite repository hit 50,000 stars in two hours, likely the fastest-growing repo in GitHub history. The code has been forked over 41,500 times.
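
A pre-publish gate for the packaging failure described above, as an added example that is not Anthropic's code or part of the original article: it scans the files destined for an npm tarball for source maps, maps that embed original source in `sourcesContent`, and `sourceMappingURL` comments. The package contents and paths are constructed sample data, and `auditPackageFiles` is a hypothetical helper name.

```javascript
// Added example: pre-publish gate for source-map exposure in an npm package.
const SOURCE_MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;

// files: { "<path in tarball>": "<file content>" }
function auditPackageFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      findings.push({ path, issue: "source-map-file" });
      let map;
      try {
        map = JSON.parse(content);
      } catch {
        findings.push({ path, issue: "unparseable-map" });
        continue;
      }
      // sourcesContent carries the original source text verbatim.
      const contents = Array.isArray(map?.sourcesContent) ? map.sourcesContent : [];
      const embedded = contents.filter(
        (s) => typeof s === "string" && s.length > 0
      ).length;
      if (embedded > 0) {
        findings.push({ path, issue: "embeds-original-source", count: embedded });
      }
    } else if (/\.[cm]?js$/.test(path)) {
      // A trailing comment tells debuggers (and anyone else) where the map is.
      const m = SOURCE_MAP_COMMENT.exec(content);
      if (m) {
        const inline = m[1].startsWith("data:");
        findings.push({
          path,
          issue: inline ? "inline-source-map" : "source-map-reference",
          target: inline ? "data: URI" : m[1],
        });
      }
    }
  }
  return findings;
}

// Constructed sample package contents (hypothetical names and paths).
const samplePackage = {
  "package.json": '{"name":"example-cli","version":"1.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3,
    sources: ["../src/main.ts", "../src/tools.ts"],
    sourcesContent: ["export const main = () => {};", "export const tools = [];"],
    mappings: "AAAA",
  }),
};

const findings = auditPackageFiles(samplePackage);
for (const f of findings) console.log(JSON.stringify(f));
```

In a release pipeline the file list would come from `npm pack --dry-run --json`, and the publish step would fail on any finding. An allowlist in the `files` field of package.json is the more robust control, since it does not depend on remembering each exclusion.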


What Was Exposed: The Full Architecture

512,000 Lines of TypeScript

The leaked codebase revealed Claude Code's complete internal architecture:

  • ~40 permission-gated tools with a base tool definition spanning 29,000 lines of TypeScript
  • A 46,000-line query engine handling all LLM API calls, streaming, caching, and orchestration — the largest single module in the codebase
  • Three-layer memory architecture — a "Self-Healing Memory" system that moves beyond traditional store-everything retrieval
  • Plugin-like tool architecture with permission schemas, safety boundaries, and hook execution logic
  • Telemetry and feature flag systems controlling unreleased capabilities
  • Full system prompts including safety instructions, behavioral guidelines, and output formatting rules

Internal Model Codenames

The source code references several internal model codenames that Anthropic had kept secret:

Codename | Mapping
Capybara | Claude 4.6 variant
Fennec | Opus 4.6
Tengu | Internal testing model
Numbat | Unreleased, still in testing

The Undercover Mode system prompt explicitly instructs: "never mention internal codenames like Capybara or Tengu" — ensuring these names don't leak into public git logs. Ironically, this instruction itself was leaked.

Anti-Distillation Mechanism

One of the most technically interesting discoveries was the ANTI_DISTILLATION_CC flag. When enabled, Claude Code sends anti_distillation: ['fake_tools'] in its API requests. This tells the server to silently inject decoy tool definitions into the system prompt.

The purpose: if someone records Claude Code's API traffic to train a competing model, the fake tools pollute that training data — a clever defense against model distillation attacks.

Frustration Detection via Regex

The file userPromptKeywords.ts contains a regex pattern that detects user frustration by matching profanity and frustration-related keywords. As one commentator noted: "An LLM company using regexes for sentiment analysis is peak irony — but a regex is faster and cheaper than an LLM inference call just to check if someone is swearing at your tool."


The Unreleased Features

Kairos: Always-On Autonomous Agent

Kairos is an unreleased autonomous daemon mode that allows Claude Code to operate as a background agent. Key capabilities include:

  • Background sessions that persist even when the user isn't actively interacting
  • autoDream — a memory consolidation process where the agent merges observations, removes contradictions, and converts vague insights into actionable facts while the user is idle
  • Always-on agent behavior that monitors and responds to events autonomously

This represents Anthropic's vision for Claude Code evolving beyond a request-response coding assistant into a persistent development companion.

Buddy: A Tamagotchi Pet System

Perhaps the most unexpected discovery: Claude Code contains a complete virtual pet system called Buddy, featuring:

  • 18 different species
  • Rarity tiers and "shiny" variants
  • Stats and progression systems
  • Full tamagotchi-style interaction mechanics

Whether this is a developer morale feature, a gamification experiment, or an engagement tool remains unclear.

Coordinator Mode: Multi-Agent Orchestration

Coordinator Mode introduces a multi-agent layer where one Claude instance manages multiple parallel worker agents:

  1. A "master" Claude instance receives the task and decomposes it into subtasks
  2. Parallel "worker" agents research the codebase simultaneously
  3. The Coordinator reads findings and crafts specifications
  4. Workers implement changes per spec and commit
  5. Workers verify changes work

This four-phase flow — research, plan, implement, verify — mirrors how senior engineering teams operate.

Undercover Mode

When CLAUDE_CODE_UNDERCOVER=1 is set (automatically activated for Anthropic employees on public repositories), the system prompt injects:

"You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."

There is no way to force Undercover Mode off — meaning AI-authored commits from Anthropic employees on open source projects carry no indication that an AI wrote them.


The Mythos Connection

This leak came just five days after Fortune reported that Anthropic had inadvertently exposed details of an unreleased model called Claude Mythos (believed to be Opus 5).

On March 26, 2026, a configuration error in Anthropic's content management system made close to 3,000 unpublished assets publicly accessible. Among them was a draft blog post describing Mythos as representing "a step change" in AI performance and "the most capable model Anthropic has built to date."

The draft also stated that Anthropic believes Mythos poses "unprecedented cybersecurity risks" — raising questions about responsible disclosure and frontier model safety. Security researchers Roy Paz (LayerX Security) and Alexandre Pauwels (University of Cambridge) discovered the exposed data store.

Two major leaks in five days from a company valued at over $60 billion, with $19 billion in annualized revenue, drew significant scrutiny from both the security community and enterprise customers.


Impact and Reactions

For Competitors

The leak essentially gave every competitor a free engineering education on how to build a production-grade AI coding agent. Claude Code's annualized recurring revenue stands at approximately $2.5 billion, with enterprise adoption accounting for 80% of revenue. The exposed architecture provides a literal blueprint for building high-agency, reliable AI agents.

For Security

Attackers quickly began capitalizing on the leak:

  • Typosquatting attacks targeting internal npm package names referenced in the source
  • Dependency confusion attacks aimed at developers trying to compile the leaked code
  • Malicious npm packages — installations between 00:21 and 03:29 UTC on March 31 may have pulled in a trojanized version of axios containing a Remote Access Trojan (RAT)

For the Industry

The leak revealed just how much of an AI coding tool's value lives in the harness layer — the orchestration, safety, and tool management code that wraps the underlying language model. As one analyst put it: "The model is the engine, but the harness is the car."


What This Means for AI Agent Platforms

The Claude Code leak underscores a critical truth: the value of AI agent platforms isn't just in the model — it's in the orchestration layer that makes agents reliable, safe, and useful in production.

At Fleece AI, we've built our AI agent platform on the same principle. Our agents use a delegative AI architecture with multi-model support (Mistral Medium 3.1, GPT-5.2, Claude Opus 4.6), 3,000+ app integrations, and autonomous scheduled workflows — all with enterprise-grade security and transparent execution logs.

The leak also validates the trend toward multi-agent architectures — Claude Code's Coordinator Mode mirrors the inter-agent delegation system that platforms like Fleece AI have already shipped to production.


Frequently Asked Questions

Was customer data exposed in the Claude Code leak?

No. Anthropic confirmed that no customer data, credentials, or API keys were exposed. The leak contained only Claude Code's internal source code — the tool's architecture, system prompts, and feature flags.

What is Kairos in Claude Code?

Kairos is an unreleased autonomous daemon mode discovered in the leaked source code. It allows Claude Code to run as an always-on background agent with background sessions and a memory consolidation process called "autoDream."

What are Claude's internal model codenames?

The leak exposed codenames including Capybara (Claude 4.6 variant), Fennec (Opus 4.6), Tengu (testing model), and Numbat (unreleased). The separate Mythos leak revealed Claude Mythos, believed to be Opus 5.

How did the Claude Code source code leak happen?

A missing .npmignore entry allowed a 59.8 MB JavaScript source map file to be published with Claude Code version 2.1.88 on npm. The source map contained the full, unobfuscated TypeScript source code.

Is Claude Code safe to use after the leak?

Anthropic patched the npm package quickly. However, installations between 00:21 and 03:29 UTC on March 31, 2026 may have been affected by opportunistic supply chain attacks. Update to the latest version and verify your installation integrity.


The Bottom Line

The Claude Code leak is one of the most significant accidental source code exposures in AI history. It revealed not just how Anthropic builds AI coding tools, but where the entire industry is heading: persistent agents, multi-agent orchestration, and sophisticated anti-competitive defenses.

For teams evaluating AI agent platforms, the key lesson is clear: evaluate the orchestration layer, not just the model. The harness — the tools, permissions, safety boundaries, and workflow logic — is where reliability and security live.

Try Fleece AI free — enterprise-grade AI agents with transparent architecture and 3,000+ integrations.
