What the Claude Code Leak Reveals About AI Development

By Samantha Cox


On the morning of March 31, 2026, a security researcher discovered that the entire source code of Claude Code, Anthropic's flagship AI coding CLI tool, had been inadvertently published to the public npm registry. Within hours, over 512,000 lines of TypeScript code had been mirrored across GitHub and picked apart by thousands of developers worldwide. The Claude Code leak is now being called one of the most significant accidental source code exposures in the history of the AI industry.

For engineers, founders, and technical leaders paying attention to AI development, this incident offers a rare and unfiltered look at how one of the most commercially successful AI coding tools is actually built. Here is what happened, what the leaked prompt and source files reveal, and what it all means for the broader AI engineering ecosystem.

How the Leak Happened

The leak traces back to version 2.1.88 of the @anthropic-ai/claude-code package on npm. A 59.8 megabyte JavaScript source map file, the kind used internally for debugging, was accidentally bundled into the production release. Source map files bridge the gap between minified production code and the original source, and they are not supposed to ship publicly. In this case, someone either forgot to exclude the .map file from the package or did not configure the bundler to skip source map generation for production builds.
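As an added example, not Anthropic's own release tooling, this is the kind of pre-publish gate that catches a packaging mistake like the one above: it reads the file list that `npm pack --dry-run --json` prints together with the package.json being published, and refuses the release when a source map is in the tarball. Package names and sizes in the sample are constructed.

```javascript
// Added example, not Anthropic's release tooling: audit what `npm pack --dry-run --json`
// would publish. Its output is an array with one entry per package, each carrying
// files: [{ path, size }]. packageJson is the parsed package.json being published.
const SOURCE_MAP_RE = /\.(js|mjs|cjs|css)\.map$/i;

function auditRelease(packageJson, packReport) {
  const findings = [];
  // 1. Without a "files" allowlist, everything not excluded by .npmignore ships.
  if (!Array.isArray(packageJson.files) || packageJson.files.length === 0) {
    findings.push('package.json has no "files" allowlist; the tarball is built by exclusion only');
  }
  // 2. A source map in the tarball maps the minified bundle back to original source.
  for (const pkg of packReport) {
    for (const f of pkg.files || []) {
      if (SOURCE_MAP_RE.test(f.path)) {
        const mb = (f.size / 1e6).toFixed(1);
        findings.push(`source map would be published: ${f.path} (${mb} MB)`);
      }
    }
  }
  return findings;
}

// CI gate: any finding means "do not publish".
function releaseAllowed(packageJson, packReport) {
  return auditRelease(packageJson, packReport).length === 0;
}

// Constructed sample: a CLI whose bundler emitted a debug source map that the
// package configuration does not exclude. Names and sizes are illustrative.
const SAMPLE_PACKAGE_JSON = { name: "example-cli", version: "0.0.0", bin: "cli.js" };
const SAMPLE_PACK_REPORT = [{
  name: "example-cli",
  version: "0.0.0",
  files: [
    { path: "package.json", size: 812 },
    { path: "cli.js", size: 9400000 },
    { path: "cli.js.map", size: 59800000 },
  ],
}];
```

In a real pipeline, pipe `npm pack --dry-run --json` into this check as a prepublishOnly step and fail the build on a non-empty result.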

By approximately 4:23 a.m. ET, Chaofan Shou, a researcher at Solayer Labs, had spotted the file and posted about it on X. The post included a direct download link to the source archive, and the story spread rapidly from there. A GitHub mirror of the leaked code climbed past 5,000 stars within 30 minutes. Anthropic pulled the affected package, but by then the code had already been widely distributed and archived.

Anthropic confirmed the incident in a statement, describing it as a release packaging issue caused by human error rather than a security breach. The company said that no customer data or credentials were exposed and that it was rolling out measures to prevent a similar incident in the future.

What the Leaked Claude Code System Prompt Reveals

The most discussed aspect of the leak is the Claude Code system prompt, which leaked in full. System prompts are the foundational instructions that tell an AI model how to behave, what it can and cannot do, and how to interact with users and tools. Most AI companies treat these prompts as proprietary, and for good reason. They represent a significant investment in prompt engineering and agent design.

The leaked prompts reveal that Claude Code is not a simple wrapper around an AI model. It is a complex, multi-layered agent system with sophisticated tool-calling logic, permission enforcement, and context management. The system dynamically assembles different prompts based on the user's environment, the task at hand, and various internal feature flags.

One of the most technically interesting discoveries is a three-layer memory architecture designed to keep Claude AI reliable during long, complex coding sessions. At its core is a lightweight index file that stores pointers to project knowledge rather than the knowledge itself, keeping the working context lean. The system also prevents the agent from logging failed attempts into its own memory, which keeps its internal state clean and reduces the kind of confusion that plagues other AI coding tools over extended sessions.

Hidden Features and Internal Roadmap

Beyond the system prompts, the leak exposed 44 feature flags covering capabilities that are fully built but not yet shipped to the public. These are not speculative features on a roadmap document. They are compiled code sitting behind flags that are turned off in the external build.

Among the more notable discoveries is a feature internally called KAIROS, which enables Claude Code to act proactively in the background rather than waiting for user input on every step. The system operates on timed intervals and has a 15-second blocking budget, meaning any background action that would interrupt the user for more than 15 seconds gets deferred. Another feature called ULTRAPLAN allows the tool to offload complex planning tasks to a remote cloud session running a more powerful model, giving it up to 30 minutes to think through a problem before presenting the result for approval.

The source code also revealed internal model codenames. A Claude 4.6 variant carries the codename Capybara, Opus 4.6 is internally called Fennec, and an unreleased model called Numbat appears to still be in testing. Internal development notes attached to the Capybara model indicate that its eighth iteration has a false claims rate of 29 to 30 percent, up from 16.7 percent in the fourth version. Engineers had also built what is described as an assertiveness counterweight, a mechanism that prevents the model from being too aggressive when rewriting user code.

And in a lighter discovery, someone at Anthropic had quietly built a fully functional virtual pet system buried inside the codebase, complete with 18 species, rarity tiers, and detailed stat tracking.

The Security Angle

While the leak did not expose model weights, training data, or user information, the security implications are real and worth understanding.

The most immediate concern involves a coincidental supply chain attack on the axios npm package, which Claude Code uses as a dependency. A malicious version of axios was published to npm in the same early morning window on March 31. Anyone who installed or updated Claude Code via npm between 12:21 a.m. and 3:29 a.m. UTC may have pulled in a compromised version containing a remote access trojan. Developers who updated during that window should check their lockfiles for axios versions 1.14.1 or 0.30.4 and for a dependency called plain-crypto-js. If any of these is present, the machine should be treated as compromised.

Beyond the axios issue, the broader concern is that the leaked source code gives researchers and potential bad actors a detailed map of Claude Code's permission logic, tool-calling orchestration, and security guardrails. Attackers could use this information to design malicious repositories that exploit the agent's trust boundaries before a user ever sees a permission prompt.

Anthropic now recommends using its native installer rather than npm for Claude Code installations, since the native path bypasses the npm dependency chain entirely. Users still on npm should uninstall version 2.1.88 and pin to version 2.1.86. Rotating API keys and monitoring usage for anomalies is also advisable as a precaution.
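An added example, not code from Anthropic or the axios project, of the lockfile check described in this section: it walks a package-lock.json (lockfile versions 1, 2 and 3) and reports the axios versions named above, any plain-crypto-js entry, and the pulled 2.1.88 release of the Claude Code package. The sample lockfile is constructed.

```javascript
// Added example (not Anthropic's or the axios project's code): flag the indicators
// named in this article in a package-lock.json. Handles lockfileVersion 1 (nested
// "dependencies") and 2/3 (flat "packages" keyed by install path).
const INDICATORS = {
  "axios": { versions: ["1.14.1", "0.30.4"], why: "malicious axios release" },
  "plain-crypto-js": { versions: null, why: "dependency named alongside the malicious axios releases" },
  "@anthropic-ai/claude-code": { versions: ["2.1.88"], why: "pulled release; pin to 2.1.86" },
};

// Yield { name, version, path } for every installed package in the lockfile.
function* installedPackages(lock) {
  if (lock.packages) {                                      // lockfileVersion 2 or 3
    for (const [path, entry] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf("node_modules/");
      if (i === -1 || !entry.version) continue;             // root project or workspace link
      yield { name: path.slice(i + "node_modules/".length), version: entry.version, path };
    }
    return;
  }
  const walk = function* (deps, prefix) {                   // lockfileVersion 1
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (entry.version) yield { name, version: entry.version, path };
      yield* walk(entry.dependencies, path + "/");          // nested (deduped) installs
    }
  };
  yield* walk(lock.dependencies, "");
}

// Return every installed package matching an indicator; a null version list matches any version.
function scanLockfile(lock) {
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    const ioc = INDICATORS[pkg.name];
    if (!ioc) continue;
    if (ioc.versions === null || ioc.versions.includes(pkg.version)) {
      findings.push({ ...pkg, why: ioc.why });
    }
  }
  return findings;
}

// Constructed sample lockfile (v3) for a project that updated inside the window.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@anthropic-ai/claude-code": { version: "2.1.88" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.1" },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};
// Real usage: scanLockfile(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
```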

The Undercover Mode Controversy

One discovery from the leaked Claude Code source has generated discussion beyond the engineering community. The code contains a system called Undercover Mode, which is designed to prevent Claude Code from revealing that it is an AI tool when making contributions to public, open-source repositories.

When Undercover Mode is active, the system prompt instructs the model not to include any mention of Claude Code, Anthropic, internal model codenames, or AI attribution in commit messages or pull requests. The explicit language in the prompt tells the model not to blow its cover.

Anthropic likely uses this for internal dogfooding, allowing employees to test Claude Code on real open-source projects without revealing unreleased capabilities. But the discovery has raised questions about transparency in open-source development and whether AI-generated contributions should be disclosed. There is currently no industry consensus on this issue, and it is likely to become a more active area of debate as AI coding tools become more prevalent.

What This Means for Engineers and the AI Industry

The Claude Code leak is significant for several reasons that go beyond Anthropic specifically.

First, it confirms that the most commercially successful AI coding tools are built on far more sophisticated architecture than many people assumed. Claude Code is not just an API call with a nice terminal interface. It is an autonomous agent with layered memory, proactive scheduling, multi-model orchestration, and hundreds of engineering decisions baked into its design. Engineers building competing tools or evaluating AI coding assistants now have a detailed reference architecture to study.

Second, the leak highlights the growing importance of supply chain security in AI development. AI coding tools that run locally, execute commands, and interact with codebases are a high-value target. The accidental exposure of Claude Code's internal logic, combined with the coincidental axios supply chain attack, is a reminder that security in the AI tooling layer is not optional.

Third, the incident underscores the extraordinary demand for engineers who understand both AI systems and security. Companies building agentic AI tools need developers who can reason about trust boundaries, permission models, and adversarial inputs. This is an area where the talent gap is real and growing.

Finding Your Next Role with AI

For engineers who are watching the AI coding tools space evolve and want to work at the companies building the next generation of these tools, the opportunity is significant. AI startups are hiring aggressively for roles in agent infrastructure, security, developer tooling, and full-stack engineering.

Fonzi AI connects vetted software engineers with VC-backed AI startups and tech companies through a structured weekly hiring process called Match Day. Companies on the platform submit salary-backed interview requests directly to engineers, which means you see compensation details before you ever take an interview. If you have experience in areas like cloud infrastructure, security, developer tools, or AI systems, the startups on Fonzi are actively looking for people with exactly those skills.

Looking Ahead

Anthropic will recover from this incident. The company has a $19 billion annualized revenue run rate and a product that developers rely on daily. But the leak has permanently changed the competitive landscape for AI coding tools. The architecture, the prompt engineering, and the feature roadmap are now public knowledge. What was proprietary is now a shared blueprint.

For the broader AI industry, the lesson is straightforward. As AI tools become more autonomous and more deeply embedded in developer workflows, the stakes around security, transparency, and responsible engineering will only get higher. The companies that get this right will earn the trust of the developers they serve. The ones that do not will find that trust is very difficult to rebuild.
