
Anthropic Accidentally Leaked Claude Code's Entire Source — Here's What Was Inside

On March 31, 2026, security researcher Chaofan Shou noticed something odd: the complete source code of Claude Code — Anthropic's flagship AI coding CLI — was sitting in plain sight on the public npm registry. 512,000 lines of TypeScript. 59.8 MB of source maps. Everything.

The irony? The code contains an "Undercover Mode" specifically built to prevent internal Anthropic secrets from leaking into public commits. They built a secrecy subsystem, then accidentally published everything.

How a Known Bun Bug Exposed Everything

This part deserves more attention than most coverage gave it, because it wasn't just "someone forgot a flag." It was the intersection of a known runtime bug, a packaging decision, and a process that had no safety net.

When Anthropic acquired Bun in late 2024, Claude Code migrated to it as its bundler. The problem is that Bun's bundler has a bug that's been sitting open since early 2026: even when you explicitly set development: false, source maps still get generated and served.

This is issue #28001. The reproduction is trivial — three files, a dozen lines, and you'll see a //# sourceMappingURL= comment appended to the output even in "production" mode. The expected behavior is documented on Bun's own site: source maps should be disabled in production. The actual behavior ignores that setting entirely.

So when Claude Code was built, source maps were generated. That part isn't surprising given the bug. What's surprising is that those .map files made it into the npm package at all. A source map isn't just a debugging aid — it contains the original, unminified, unobfuscated source code. Every file. Every comment. Every system prompt string. Every internal constant.

The missing piece was .npmignore, or more precisely, the absence of *.map in it. When you publish to npm, the registry happily includes everything that isn't explicitly excluded. Nobody added the exclusion rule. And apparently no one in the release process checked what was actually inside the tarball that npm pack produces, a check that takes about 10 seconds.

What made the exposure worse is that the source map didn't just inline the code. According to The Register's reporting, it also referenced a ZIP file hosted on an Anthropic-owned Cloudflare R2 bucket. So even if you didn't get the npm package, there was apparently a second path to the same material.

The bug is still open as of this writing. Bun's team is aware of it. But the responsibility for the leak doesn't really sit with Bun — it sits with whoever owns the Claude Code release process. You don't ship sensitive proprietary code and assume your bundler will protect it. You check. You add exclusion rules. You run a script in CI that fails the build if .map files appear in the output package. These are not exotic practices. They're tedious and obvious, which is exactly why they tend to get skipped when a team is moving fast.

The punchline is that the bug that caused this has been filed, tagged, and visible in a public repository for weeks. Anyone paying attention to Bun's issue tracker would have seen it.

What Was Hidden Inside

The source revealed 44 feature flags covering finished-but-unreleased functionality:

  • KAIROS — A persistent background assistant that observes your activity and acts proactively, without being asked. It has exclusive tools like PushNotification and SubscribePR, none of which exist in the public build.
  • BUDDY — A full Tamagotchi-style pet companion with 18 species, shiny variants, procedurally generated stats, and ASCII art sprites. Your buddy is deterministically chosen from your user ID hash. Launch teased for May 2026.
  • ULTRAPLAN — Offloads complex planning to a remote Opus 4.6 session that gets up to 30 minutes to think, then teleports the plan back to your local terminal.
  • Multi-Agent Coordinator Mode — Turns Claude Code into a multi-agent orchestrator that spawns parallel workers, assigns tasks, and synthesizes results.

Also spotted: flags for VOICE_MODE, BRIDGE_MODE, AFK_MODE, and WORKFLOW_SCRIPTS.

The Memory Architecture

The memory system is a three-layer design worth understanding:

  1. A lightweight MEMORY.md index (~150 chars per line) lives permanently in context — it stores pointers, not facts.
  2. Actual knowledge lives in topic files, fetched on demand.
  3. A background "Dream" subagent periodically consolidates memory in four phases: Orient → Gather → Consolidate → Prune (capped at 200 lines / ~25KB).

The key insight: memory is treated as hints, not ground truth. The system still checks before trusting anything.

The Paranoid Stuff

  • Anti-distillation mode: Can inject fake tools into the system prompt to poison traffic being recorded by anyone trying to train a competitor on Claude Code's behavior.
  • Client attestation: Every request includes a billing header that the native Bun runtime replaces with a cryptographic hash — proving the binary is actually Claude Code. This partly explains the friction with third-party tools.
  • Frustration detection via regex: Yes, regex. wtf|ffs|shit pattern matching for user sentiment analysis. Pragmatic.

The Bigger Picture

Legal exposure: Any competitor who read this code is now "contaminated." Clean-room implementations (like the already-emerging Claw-Code rewrite in Rust) are likely how this plays out legally — analyze only the test suite behavior, implement from spec, not from source.

What it would have taken to prevent this: four things. Add *.map to .npmignore. Disable source maps in production. Add a CI check that blocks .map files in the npm package. Manual review before publishing. None of them hard. All skipped.
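The release gate that the article keeps returning to (look at what npm pack would ship, and fail the build if a .map file or a sourceMappingURL comment is inside) is short enough to show in full. The script below is an added example written for this page, not Anthropic's, Bun's or NodeSource's code; the function names are my own, and the tarball listing and bundle file it inspects are constructed inline so it runs offline. In a real pipeline the listing would come from `npm pack --dry-run` or `tar -tzf` on the produced tarball.

```shell
#!/bin/sh
# Pre-publish gate (added example): block a release whose package tarball
# contains source maps, or whose shipped JS still points at one.
#
# In CI, feed it real data:
#   npm pack --dry-run 2>&1 | grep '^npm notice' | awk '{print $NF}' > listing.txt
#   or: npm pack && tar -tzf ./*.tgz > listing.txt
# Here the listing and the bundle are constructed so the script runs offline.

# Print every .map entry in the tarball listing held in file $1.
# Returns 1 if any were found, 0 otherwise.
check_listing_for_maps() {
  maps=$(grep -E '\.map$' "$1" || true)
  if [ -n "$maps" ]; then
    printf 'FAIL: source maps inside package:\n%s\n' "$maps" >&2
    return 1
  fi
  return 0
}

# Scan the JavaScript bundle $1 for the //# sourceMappingURL= comment that the
# Bun issue describes being emitted even in production builds. This catches
# the case where the map itself is hosted elsewhere (no .map in the tarball,
# but the bundle still tells every consumer where to fetch it).
# Returns 1 if the comment is present.
check_bundle_for_mapping_url() {
  if grep -q '^//# sourceMappingURL=' "$1"; then
    printf 'FAIL: %s still references a source map\n' "$1" >&2
    return 1
  fi
  return 0
}

# Run both checks; non-zero if either fails, so CI can refuse to publish.
release_gate() {
  rc=0
  check_listing_for_maps "$1" || rc=1
  check_bundle_for_mapping_url "$2" || rc=1
  return $rc
}

# --- constructed sample data standing in for npm pack / tar -tzf output ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/bad.txt" <<'EOF'
package/package.json
package/cli.js
package/cli.js.map
EOF
cat > "$work/good.txt" <<'EOF'
package/package.json
package/cli.js
EOF
printf '#!/usr/bin/env node\nconsole.log("hi");\n//# sourceMappingURL=cli.js.map\n' > "$work/bad.js"
printf '#!/usr/bin/env node\nconsole.log("hi");\n' > "$work/good.js"

if release_gate "$work/bad.txt" "$work/bad.js"; then
  echo "bad package passed (unexpected)"
else
  echo "bad package blocked"
fi
release_gate "$work/good.txt" "$work/good.js" && echo "good package allowed"
```

Two notes on using it for real. First, the sourceMappingURL check matters even when the tarball is clean: the article notes the map also referenced a ZIP on an external bucket, so a bundle that still carries the comment is a leak path on its own. Second, a "files" allowlist in package.json is a stricter default than a .npmignore denylist, because anything you forget to list stays out of the tarball instead of going in.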

The company that sells the world's most popular AI coding tool apparently skips the engineering discipline it should be preaching.
