
This article contains affiliate links. We may earn a commission at no extra cost to you if you sign up through our links.

Claude Code's Entire Source Code Just Leaked via npm — 512,000 Lines, 4 Secret Features Exposed

March 31, 2026  ·  Discovered hours ago  ·  7 min read  ·  Happycapy Guide

TL;DR — Breaking News
On March 31, 2026, security researcher Chaofan Shou discovered that Claude Code's npm package accidentally included a source map file referencing Anthropic's R2 storage bucket — making 1,900 TypeScript files and 512,000+ lines of code publicly downloadable. The code reveals four previously secret features: KAIROS Mode (always-on AI surveillance of your activity), ULTRAPLAN (30-minute cloud-offloaded reasoning via Opus 4.6), the Buddy companion pet system, and a Dream memory consolidation engine. Anthropic has not yet responded. GitHub mirrors are live now but may face DMCA takedowns.
  • 512K: Lines of TypeScript exposed
  • 1,900: Source files leaked
  • 4: Unreleased features revealed
  • 0: Official statements from Anthropic

How the Leak Happened

The cause is a classic packaging mistake. Claude Code is distributed via npm and bundled with Bun, which generates source map files (.map) by default during the build process. Source maps contain references to original, unobfuscated source code — they exist to help developers debug minified production builds.

Anthropic's team failed to add *.map to their .npmignore file, and did not disable source map generation for the production build. When the package was published to npm, the map file was included — and that map file contained a direct URL to Anthropic's R2 storage bucket hosting the complete, unobfuscated TypeScript source tree.

Security researcher Chaofan Shou (@shoucccc), an intern at Web3 security firm FuzzLand, noticed the leak on March 31, 2026. He found that fetching the map file's referenced URL downloaded the entire src/ directory. The code was quickly mirrored to GitHub.

How Source Map Leaks Work
  • Step 1: Developer bundles code with source maps enabled (often the default)
  • Step 2: The bundled output includes a //# sourceMappingURL= comment pointing to the .map file
  • Step 3: The .map file is not excluded from the npm package
  • Step 4: The .map file references the original source on a public storage URL
  • Result: Anyone who fetches the map URL gets the full original source code
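A pre-publish check for the conditions in the steps above, as an added example (not code from the article, from Anthropic, or from the leaked package). The function names `auditPackageDir` and `buildSamplePackage`, the sample file names, and the `storage.example.invalid` URL are assumptions made up for illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;
const isRemote = (s) => typeof s === "string" && /^https?:\/\//i.test(s);

// Recursively list regular files under dir.
function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    return e.isDirectory() ? walk(p) : e.isFile() ? [p] : [];
  });
}

// Returns one finding per problem: { file, issue, detail }.
function auditPackageDir(dir) {
  const findings = [];
  const add = (file, issue, detail = "") => findings.push({ file, issue, detail });
  for (const file of walk(dir)) {
    const rel = path.relative(dir, file);
    if (rel.endsWith(".map")) {
      add(rel, "map-file-in-package"); // step 3: the map ships with the package
      let map;
      try { map = JSON.parse(fs.readFileSync(file, "utf8")) || {}; } catch { continue; }
      if (Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean))
        add(rel, "embedded-sources", `${map.sourcesContent.length} file(s)`);
      const remote = [map.sourceRoot, ...(map.sources || [])].filter(isRemote);
      if (remote.length) add(rel, "remote-source-url", remote[0]); // step 4
    } else if (/\.(js|mjs|cjs)$/.test(rel)) {
      const m = fs.readFileSync(file, "utf8").match(MAP_COMMENT);
      if (m) add(rel, "sourceMappingURL-comment", m[1]); // step 2
    }
  }
  return findings;
}

// Constructed sample package (hypothetical file names and URL) so the audit runs offline.
function buildSamplePackage() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "pkg-audit-"));
  fs.writeFileSync(path.join(dir, "cli.js"), "console.log(1);\n//# sourceMappingURL=cli.js.map\n");
  fs.writeFileSync(path.join(dir, "cli.js.map"), JSON.stringify({
    version: 3, file: "cli.js", mappings: "AAAA",
    sourceRoot: "https://storage.example.invalid/src/", sources: ["main.ts"],
    sourcesContent: ["export const x = 1;\n"],
  }));
  return dir;
}

for (const f of auditPackageDir(buildSamplePackage()))
  console.log(`${f.file}: ${f.issue} ${f.detail}`);
```

To use it on a real package, point `auditPackageDir` at the unpacked tarball produced by `npm pack` and fail the release job when it returns any findings. An allowlist in the `files` field of package.json is a sturdier control than a `.npmignore` entry, because anything not listed is left out by default.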

The 4 Unreleased Features Inside the Leaked Code

The most significant discoveries are four features that have never been announced publicly — some of which raise serious questions about AI transparency and user privacy.

1. KAIROS Mode
An "always-on" proactive mode where Claude watches and logs user activity continuously — including the ability to send push notifications and subscribe to pull request activity. Gated behind internal feature flags. The name evokes the Greek concept of the "right moment" — suggesting the AI intervenes proactively when it detects the right context.
Status: Internal feature flag — not publicly available

2. ULTRAPLAN
A remote planning mode that offloads complex multi-step reasoning tasks to a Cloud Container Runtime (CCR) running Opus 4.6. Sessions can run for up to 30 minutes asynchronously — far beyond the context window of a standard Claude interaction. Designed for tasks too complex for a single in-context session.
Status: Unreleased — CCR infrastructure visible in leaked code

3. Buddy System
A Tamagotchi-style companion pet system with 18 species — including "Cosmoshale" and "Nebulynx." Features a deterministic gacha system and procedurally generated stats including "SNARK" and "WISDOM." Apparently an internal gamification or engagement feature not yet shipped to users.
Status: Code complete but unannounced

4. Dream System
A background memory consolidation engine that allows Claude to "dream" — processing and consolidating memories offline between active sessions. This aligns with how human memory consolidation works during sleep. Suggests Anthropic is building persistent long-term memory that evolves when you're not actively using the product.
Status: Architecture visible — shipping timeline unknown

Other Discoveries in the Leaked Code

| Finding | Details | Significance |
| --- | --- | --- |
| Swear tracking telemetry | Dedicated telemetry fires when users swear at Claude | Measures user frustration — not previously disclosed |
| "Continue" tracking | Triggers logged for "continue" and "keep going" phrases | Measures how often Claude stops mid-response |
| Capybara/Mythos hints | Code comments reference the next Claude model tier | Confirms details from the March 27 CMS leak |
| Chinese APT references | Documentation of a Chinese state-sponsored group that used Claude Code to infiltrate ~30 organizations | First internal acknowledgment of this campaign |
| Internal slash commands | /commit, /review, /doctor, and others | Maps the full internal toolset beyond public docs |

Anthropic's Third Security Incident in March 2026

This is the third significant security or disclosure incident involving Anthropic in March 2026 alone. On March 27, a CMS misconfiguration exposed ~3,000 internal documents including drafts for the "Mythos" model (codename: Capybara). In early March, internal details about Anthropic's Pentagon contract refusal leaked to journalists before an official announcement.

The npm source map leak is distinct from those incidents — it is not an AI error or a policy decision but a straightforward packaging failure. The Bun bundler defaults to generating source maps; disabling them or excluding them from the published package is a manual step that was missed.

As of writing, Anthropic has issued no statement. The mirrored GitHub repositories (instructkr/claude-code, Kuberwastaken/claude-code) remain publicly accessible. DMCA takedown requests are expected but have not yet appeared.

What Happens Now

Anthropic will likely publish a patched npm package with source maps disabled or excluded within hours. The R2 bucket containing the source files may already be locked down. The mirrored GitHub repositories will likely receive DMCA takedown notices — though the code is already cached across multiple platforms.

The KAIROS Mode and Dream System disclosures are likely to generate significant discussion about AI privacy and transparency. KAIROS in particular — an always-on mode that logs user activity — raises questions about what data Claude Code collects and whether users are adequately informed about potential surveillance-adjacent features even when they are gated behind feature flags.

For developers using Claude Code today, there is no immediate security risk from the leak itself — it exposed Anthropic's source code, not user data. The risk, if any, is to Anthropic's competitive position and to public trust in their security practices.

Frequently Asked Questions

How did Claude Code's source code leak?

A source map file was accidentally included in the npm package. The map file referenced unobfuscated TypeScript sources in Anthropic's public R2 storage bucket, making the entire codebase downloadable. The root cause was failing to exclude *.map files from the published package — a common mistake when using the Bun bundler with default settings.

Is my data safe if I use Claude Code?

The leak exposed Anthropic's proprietary source code — not user data. Your conversations, files, and API keys are not affected by this incident. The risk is to Anthropic's competitive position and internal roadmap, not to Claude Code users' data.

What is KAIROS Mode?

KAIROS Mode is an unreleased "always-on" proactive mode visible in the leaked source code. It watches and logs user activity, can send push notifications, and subscribes to pull request activity. It is currently gated behind internal feature flags and has not been announced or shipped publicly.

Where can I find the leaked Claude Code source?

As of March 31, 2026, mirrors exist at github.com/instructkr/claude-code and github.com/Kuberwastaken/claude-code. Both repositories may be subject to DMCA takedown requests from Anthropic. Happycapy is not affiliated with these repositories and does not host or distribute the leaked code.

Sources:
GitHub — Kuberwastaken/claude-code (mirror, March 31, 2026) · GitHub — instructkr/claude-code (mirror, March 31, 2026) · DEV Community — Claude Code's Source Code Leaked via npm · ByteIota — Claude Code Source Leaked via npm (March 31, 2026) · Reddit r/ClaudeAI — Source code leak discussion