On March 31, 2026, Anthropic shipped version 2.1.88 of the @anthropic-ai/claude-code npm package with a 59.8 MB source map file that was never supposed to be there. Security researcher Chaofan Shou spotted the artifact shortly after 4 AM Eastern time and posted a download link on social media. The tweet drew 21 million views before noon. By that afternoon, a clean-room reimplementation of Claude Code's internal architecture had accumulated 50,000 GitHub stars in what was almost certainly the fastest-growing repository the platform had seen in years.
The Packaging Error
The incident traces back to a bug in Bun, the JavaScript runtime Anthropic adopted after acquiring the project in late 2024. Bun's bundler generates source maps by default, and a longstanding open issue means that explicitly setting development: false in the build configuration does not suppress them. The resulting maps end up in the output directory regardless. A missing *.map entry in .npmignore then meant those maps shipped alongside the production binary.
Key Facts
- Lines of TypeScript exposed: 512,000
- TypeScript files in the leak: ~1,900
- Source map file size: 59.8 MB
- GitHub stars for clean-room rewrite: 50,000 in under 2 hours
- Social media views on discovery post: 21 million
- Root cause: Bun bundler bug + missing .npmignore entry
Anthropic acknowledged the incident within hours and released a corrected package the same day. "This was a release packaging issue caused by human error, not a security breach," a company spokesperson said. "No sensitive customer data or credentials were involved or exposed." The Bun team has the underlying bug on its roadmap; the short-term fix is simple: add *.map to .npmignore or restrict the files field in package.json.
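The ignore-list and files-field fixes both depend on someone remembering to maintain them, so a release gate that inspects what the tarball will actually contain is a useful backstop. The sketch below is an added example, not Anthropic's or Bun's tooling: it audits the file list in the shape that `npm pack --dry-run --json` emits, and the function names, the size budget and the sample package are assumptions made for illustration.

```javascript
// Added example: block a publish when the tarball would carry source maps.
// Input shape follows `npm pack --dry-run --json`: an array of packages,
// each with a `files` array of { path, size } entries.

const MAX_FILE_BYTES = 5 * 1024 * 1024; // assumed per-file budget; tune per package

function auditPackList(packJson, maxBytes = MAX_FILE_BYTES) {
  const findings = [];
  for (const pkg of JSON.parse(packJson)) {
    for (const file of pkg.files || []) {
      if (file.path.toLowerCase().endsWith('.map')) {
        // Source maps can embed the original sources (sourcesContent).
        findings.push({ pkg: pkg.name, path: file.path, reason: 'source map' });
      } else if (file.size > maxBytes) {
        // Catches unexpected large artifacts that are not named *.map.
        findings.push({ pkg: pkg.name, path: file.path, reason: 'oversized file' });
      }
    }
  }
  return findings;
}

// Exit code a CI step would return: non-zero blocks the publish.
function releaseExitCode(findings) {
  return findings.length === 0 ? 0 : 1;
}

// Constructed sample, not real npm output for any published package.
const SAMPLE = JSON.stringify([{
  name: 'example-cli',
  version: '1.0.0',
  files: [
    { path: 'package.json', size: 812 },
    { path: 'dist/cli.js', size: 1200000 },
    { path: 'dist/cli.js.map', size: 59800000 },
    { path: 'README.md', size: 4096 },
  ],
}]);

const findings = auditPackList(SAMPLE);
for (const f of findings) {
  console.log(`BLOCK ${f.pkg}: ${f.path} (${f.reason})`);
}
console.log(`exit code: ${releaseExitCode(findings)}`);
```

In a pipeline, feed the function the real output of `npm pack --dry-run --json` before `npm publish` and exit with the returned code.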
Inside the Leaked Code
The 512,000 lines of TypeScript across roughly 1,900 files confirmed Claude Code's documented architecture: a tools system handling file reads and bash execution, a query engine for LLM API calls, a multi-agent orchestration layer for spawning sub-agents on complex tasks, and a bidirectional IDE communication layer. What grabbed attention were three features present in the code but never publicly announced.
The first is KAIROS. Internal comments describe it as a persistent background agent: a Claude Code process that runs on a schedule between user sessions, compiling notes from prior work and sending push notifications back to the developer's device when it surfaces something worth flagging. KAIROS gets access to tools unavailable in standard sessions, including GitHub pull request subscriptions and direct file sends. Its response format is stripped down to a "brief output mode" suited to asynchronous, unattended operation. Code comments placed the teaser window at April 1-7 and a full launch in May 2026. Neither happened, which suggests Anthropic chose to delay after the leak rather than accelerate.
The second undocumented feature is Undercover Mode, an internal filter engineered to prevent model codenames and unreleased product names from appearing in public code commits. Given what was found in the third discovery, the filter's purpose is self-evident.
That third finding is a string inside an unreleased keyword filter list: sonnet-4-8, placed alongside opus-4-7 and mythos. Anthropic has made no announcement about a Sonnet 4.8 release. As of late May 2026, Claude Sonnet 4.6 remains the current Sonnet in the API and the default model for most production workloads. Whether the string represents a model in active training, a planning placeholder, or something in between is not publicly known.
"This was a release packaging issue caused by human error, not a security breach. No sensitive customer data or credentials were involved or exposed." - Anthropic spokesperson, March 31, 2026
The Community Response
Developer reaction was fast and organized. Within hours of Shou's post, the source code had been mirrored and analyzed across multiple platforms. Teams produced Python and Rust reimplementations of individual subsystems. Summaries of the internal memory architecture spread through developer newsletters: the self-healing context management system, the way Claude Code maintains and resets the 200,000-token context window without losing task state, the scaffolding that lets the autonomous coding engine hand off work between sessions.
The clean-room GitHub rewrite, which recreated the architectural patterns without copying the original source, hit 50,000 stars in under two hours. It crossed 100,000 stars by the end of the week. For context, most significant open-source projects take months to reach that threshold.
What Changes, and What Does Not
For current Claude Code users, the practical effect of the leak is close to nothing. Exposed code reveals how the tool works; it provides no access to the underlying model, to user data, or to Anthropic's infrastructure. The vulnerability was in the packaging pipeline, not the product itself.
For developers building on top of Claude Code, the leak does provide an unusually complete picture of the internal API surface, which could inform third-party tooling before official documentation covers it. The Claude Code routines and desktop redesign from April had already pointed toward persistent, scheduled workflows. KAIROS, as described in the source code, is the logical extension of that direction: not an agent you start, but one that is already running.
What remains open is timing. Anthropic has not commented on the KAIROS release schedule since the incident, and the May 2026 window implied in the code comments has closed without an announcement. The company's pattern has been to ship features when they are ready rather than on a fixed calendar, which means KAIROS could arrive any time, or the feature could be substantially revised before it does. The 512,000 lines gave the developer community a snapshot of Anthropic's thinking as of late March. A lot can change in two months.