Detailed Analysis
Anthropic's Claude Code suffered a significant accidental source code exposure on March 31, 2026, when a 59.8 MB JavaScript source map file was inadvertently bundled into the public npm package @anthropic-ai/claude-code version 2.1.88. The file contained approximately 513,000 lines of unobfuscated TypeScript spread across 1,906 files, constituting the complete client-side agent harness of the product. Security researcher Chaofan Shou publicly disclosed the leak on X, and within hours the exposed codebase had been downloaded from Anthropic's Cloudflare R2 bucket, mirrored to GitHub, and forked tens of thousands of times. Anthropic characterized the incident as a packaging error and "release issue caused by human error, not a security breach," affirming that no sensitive credentials or user data were exposed. Some analysts have pointed to a potential underlying cause: a known bug in the Bun JavaScript runtime that serves source maps in production mode despite documentation advising otherwise.
The substantive damage from the leak lies not in credential exposure but in competitive and strategic disclosure. The source code surfaced unreleased features, internal performance metrics, and feature flags for fully developed but unlaunched functionalities. Most critically, the leak revealed details of a system internally designated **KAIROS** — Anthropic's anti-distillation mechanisms designed to prevent the contamination of model training pipelines. The exposure of KAIROS hands competitors detailed insight into how Anthropic is attempting to protect its proprietary models from being reverse-engineered through data distillation, a sophisticated and strategically sensitive safeguard. Additional revealed features include nightly memory distillation routines, daily append-only logging systems, and background daemon workers operating on five-minute refresh cycles — details that collectively sketch a comprehensive picture of Anthropic's near-term product roadmap for agentic AI tooling.
The security aftermath extended beyond intellectual property concerns into active threat actor exploitation. Within the window between disclosure and takedown, malicious actors created GitHub repositories purporting to distribute the leaked source code but actually delivering the Vidar information stealer and GhostSocks proxy tool — a rapid weaponization that underscores how supply chain incidents in high-profile open-source ecosystems attract opportunistic malware campaigns almost immediately. Anthropic issued takedown notices and developers began reverse-engineering the legitimate code in parallel, compressing what would normally be a slow, speculative intelligence-gathering process for competitors into a matter of days. The incident highlights how even accidental, non-malicious infrastructure errors can generate downstream security threats entirely outside the original organization's control.
The leak arrives at a pivotal moment for agentic AI development, a space where Claude Code competes directly with tools such as OpenAI's Codex environment and a growing field of open-source coding agents. The exposure of internal architecture reveals Anthropic's specific design philosophy around persistent agent state, memory management, and background processing — architectural decisions that represent years of iterative engineering and reflect the company's broader strategy for deploying long-horizon autonomous agents. The disclosure of anti-distillation infrastructure is particularly consequential in an industry increasingly concerned with model moats: if competitors can study and replicate or circumvent KAIROS-style protections, the competitive barriers Anthropic has engineered into its deployment pipeline are materially weakened.
More broadly, the Claude Code incident illustrates a systemic vulnerability in modern software supply chains, where the proliferation of package registries like npm creates high-surface-area distribution channels for accidental disclosures. The suspected involvement of a Bun runtime bug — if confirmed — would point to a class of infrastructure-level risk that extends beyond Anthropic to any organization using emerging JavaScript runtimes in production build pipelines without rigorous source map auditing. As AI companies accelerate release cadences to remain competitive, the pressure on packaging and deployment hygiene increases proportionally. The incident is likely to prompt broader industry scrutiny of how AI development toolchains handle debug artifacts, and may accelerate adoption of automated source map detection in CI/CD pipelines across the sector.
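The automated source map detection mentioned above can be a small pre-publish gate over the files that would go into the tarball (in CI, the list that `npm pack --dry-run` reports). The following is an added example, not code from the article or from Anthropic; the function name `auditPackageFiles`, the `{ path, content }` entry shape, and the sample package are assumptions constructed for illustration.

```javascript
// Added example: pre-publish audit for source map exposure in a package.
// Entries are { path, content } pairs; the sample below is constructed.
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/;

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      // A shipped .map file; sourcesContent holds the original sources verbatim.
      let map = null;
      try { map = JSON.parse(content); } catch { /* unparsable: still flag it */ }
      const embeddedSources = Array.isArray(map?.sourcesContent)
        ? map.sourcesContent.filter((s) => typeof s === 'string').length
        : 0;
      findings.push({ path, kind: 'map-file', embeddedSources });
      continue;
    }
    if (!/\.[cm]?js$/.test(path)) continue;
    const match = MAP_COMMENT.exec(content);
    if (!match) continue;
    // data: URIs carry the whole map inside the bundle itself.
    const inline = match[1].startsWith('data:');
    findings.push({
      path,
      kind: inline ? 'inline-map' : 'map-reference',
      target: inline ? 'data: URI' : match[1],
    });
  }
  return findings;
}

// Constructed sample package contents (hypothetical names, not from the incident).
const samplePackage = [
  { path: 'package.json', content: '{"name":"example-cli","version":"0.0.0"}' },
  { path: 'cli.js', content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  {
    path: 'cli.js.map',
    content: JSON.stringify({
      version: 3,
      sources: ['src/main.ts', 'src/util.ts'],
      sourcesContent: ['export const a = 1;', 'export const b = 2;'],
      mappings: '',
    }),
  },
  { path: 'lib/clean.js', content: 'module.exports = 42;\n' },
];

const findings = auditPackageFiles(samplePackage);
for (const f of findings) console.log(`${f.kind}: ${f.path}`);
console.log(findings.length ? 'BLOCK publish' : 'OK to publish');
```

A `map-file` finding with a non-zero `embeddedSources` count is the case the incident describes: the original sources travel inside the published artifact.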