The Great Claude Code Leak of March 31, 2026: Everything We Learned
A deep dive into the accidental exposure that put the world's most advanced AI agent harness on the public internet — and sparked a watershed moment for open-source AI development.
Part 1: The Storyline — How It All Unfolded#
4 AM Wake-Up Calls and a 60 MB File#
On March 31, 2026 — a date that will likely go down in AI history — Anthropic quietly pushed an update to its flagship coding tool on npm. Version 2.1.88 of @anthropic-ai/claude-code looked routine from the outside. Inside, it contained a catastrophic mistake.
Bundled into the update was a 59.8 MB JavaScript source map file — cli.js.map — a debugging artifact that developers use to trace compiled code back to its human-readable original. If the map includes the sourcesContent field (which this one did), anyone who downloads it can reconstruct the entire source tree.
It didn't take long for someone to notice. At approximately 4:23 AM UTC, security researcher Chaofan Shou (@Fried_rice), an intern at Solayer Labs, posted on X:
"Claude code source code has been leaked via a map file in their npm registry!"
— along with a direct download link. The tweet reached 16–28.8 million views. Within the next two hours, GitHub repositories began springing up. The fastest-growing repo in GitHub history hit 50,000 stars in under two hours and accumulated 41,500+ forks. Developers were waking up to buzzing phones across every timezone.
One developer, Sigrid Jin (instructkr), recalled:
"At 4 AM on March 31, I woke up to my phone blowing up with notifications. The Claude Code source had been exposed, and the entire dev community was in a frenzy. My girlfriend in Korea was genuinely worried I might face legal action from Anthropic just for having the code on my machine."
What Was Inside#
The reconstructed codebase was staggering in scope: approximately 1,900 files, 512,000+ lines of strict TypeScript written using the Bun runtime and a React + Ink terminal UI framework. Key exposed files included:
| File | Size | Purpose |
|---|---|---|
| QueryEngine.ts | ~46,000 lines | Core LLM API engine — streaming, tool loops, token tracking |
| Tool.ts | ~29,000 lines | All agent tool types and permission schemas |
| commands.ts | ~25,000 lines | Registering and executing slash commands |
In total, the leak exposed internal API client logic, OAuth 2.0 authentication flows, permission enforcement, multi-agent coordination systems, hidden system prompts, and the pipelines for 44 unreleased feature flags.
Critically, no model weights, safety pipelines, or user data were exposed.
How It Technically Happened#
Anthropic uses Bun as their JavaScript runtime — a toolchain they reportedly acquired in late 2025. Bun has a known bug (Issue #28001, filed just twenty days before the incident) that causes source maps to be served in production even when disabled in configuration. Additionally, someone failed to add .map to .npmignore — the config file that tells npm what not to publish.
Claude Code engineer Boris Cherny confirmed it was plain developer error, not a tooling bug, and emphasized a blameless post-mortem philosophy:
"Mistakes happen. As a team, the important thing is to recognize it's never an individual's fault. It's the process, the culture, or the infra."
Anthropic's official statement was measured:
"Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again."
This Was Actually the Second Leak in Five Days#
Compounding the reputational damage: this was Anthropic's second major exposure in five days. A CMS misconfiguration on March 26 had already leaked draft blog posts about an unreleased model called Mythos. Fortune called it Anthropic's "second major security breach." The irony of a company marketing itself as the "safety-first AI lab" suffering back-to-back operational security failures was not lost on anyone.
Anthropic's DMCA Response — and Its Backfire#
Anthropic responded swiftly with DMCA takedown notices. The problem: the targeting was catastrophically broad. The notice swept over 8,100 repositories — including thousands of entirely unrelated forks of Anthropic's own public Claude Code repository containing only skills, tutorials, and documentation.
Developers received DMCA notices for repositories that had nothing to do with the leak. The Pragmatic Engineer's Gergely Orosz publicly called it DMCA abuse. Cherny acknowledged the overshoot, retracted the bulk of the notices, and narrowed the final takedown to one repo and 96 forks. By that point, however, the code was already permanently in the wild — mirrored on decentralized servers that DMCA cannot reach.
The Clean-Room Rewrite Gambit#
To evade DMCA, developer Sigrid Jin — using AI-assisted tools — rewrote the core logic in Python from scratch within hours of the leak. The resulting repo, claw-code, hit 100,000 stars within 24 hours, becoming the fastest-growing repository in GitHub history. Within hours, a separate Rust port also appeared.
The clean-room rewrite created a thorny legal puzzle. As Gergely Orosz observed: if Anthropic claims the AI-generated transformative rewrite infringes copyright, it could undermine their own defense in training-data copyright cases. And with Claude Code's own lead engineer having admitted that 100% of his recent contributions were written by Claude Code, the copyright status of the original code is itself contested.
Part 2: What We Learned — A Technical Deep Dive#
The Architecture of a Production AI Agent Harness#
This was the first time the world got a clear, authenticated look inside a production-grade, commercially successful AI agent. What the community found revealed both impressive engineering and a few uncomfortable surprises.
The Core: A Streaming Agentic Loop#
At the heart of Claude Code is a streaming agentic loop (query.ts) that starts executing tools while the model is still generating output. The harness includes:
- Live repo context loading on every turn: git branch info, recent commits, and CLAUDE.md files are re-read on every single query
- Aggressive prompt-cache reuse via a stable/dynamic prompt boundary — Anthropic avoids paying full token costs on each turn
- Dedicated Grep and Glob tools (rather than raw shell commands) for better-structured search results
- LSP (Language Server Protocol) access for call hierarchies, symbol definitions, and references
- Five distinct context-compaction strategies to handle context overflow at scale
The 5-Level Permission System#
The tool system is built around a granular, per-tool permission model — a design that limits blast radius if an agentic action goes wrong. The exposed code documented every layer of how Claude Code gates which capabilities are available under which trust contexts.
3-Tier Multi-Agent Orchestration#
The leaked code confirmed a three-tier multi-agent system: sub-agents, coordinators, and teams. Coordinator Mode assigns one Claude instance to manage multiple parallel worker agents through a mailbox system; workers run in isolated Git worktrees so they don't conflict with each other. Critically, sub-agents use prompt-cache KV forking to contain the full context without repeating work — meaning parallelism is effectively free in cost terms.
Three-Layer Memory Architecture#
The memory system has three distinct layers:
- A MEMORY.md index file
- Topic-specific files loaded on demand
- Full session transcripts that can be searched
There is also a Strict Write Discipline pattern: the agent can only update its memory index after a confirmed successful file write, preventing context pollution from failed attempts. The agent also treats its own memory as a "hint" and verifies facts against the actual codebase before acting.
Magic Docs: Self-Updating Documentation#
One novel internal pattern: engineers can create files with a MAGIC DOC header. When Claude Code is idle, it fires off a dedicated subagent — restricted to editing only that single file — to update its own documentation automatically. The tool restriction prevents scope drift while enabling automated upkeep.
The 44 Unreleased Feature Flags#
Perhaps the most viral discovery: 44 compile-time feature flags gating capabilities not yet publicly launched — real code, not vaporware.
KAIROS — The Always-On Daemon#
Referenced over 150 times in the source, KAIROS is an unreleased autonomous background-agent mode. It:
- Receives periodic <tick> prompts to decide whether to act proactively
- Maintains append-only daily log files
- Subscribes to GitHub webhooks
- Sends push notifications to phone or desktop
- Persists even after the terminal closes
A hidden system prompt reads:
"You should have a complete picture of who the user is, how they'd like to collaborate with you, what behaviors to avoid or repeat, and the context behind the work the user gives you."
autoDream — AI That Sleeps and Consolidates#
A companion to KAIROS. autoDream is a background memory consolidation process that triggers when the user goes idle. It merges observations, removes contradictions, prunes stale context, and converts vague notes into verified facts. The internal prompt literally tells Claude it is:
"performing a dream — a reflective pass over your memory files."
ULTRAPLAN — Cloud-Powered Deep Thinking#
ULTRAPLAN offloads complex planning to a remote cloud container running Opus 4.6 for up to 30 minutes. The user can review and approve the plan in a browser interface before execution begins, with a special sentinel value that "teleports" the approved plan back to the local terminal.
Voice Mode, Browser Control, and More#
| Feature Flag | Description |
|---|---|
| VOICE_MODE | Full voice command mode with its own CLI entrypoint |
| WEB_BROWSER_TOOL | Real browser control via Playwright (not just web fetch) |
| DAEMON | Background agents that work while you're away |
| AGENT_TRIGGERS | Event-driven agent behaviors via webhooks |
| COORDINATOR_MODE | Multi-agent swarm, accessible via CLAUDE_CODE_COORDINATOR_MODE=1 |
| BRIDGE_MODE | Control local CLI from claude.ai or mobile |
| DREAM | autoDream memory consolidation system |
| ULTRAPLAN | Remote 30-min cloud planning sessions |
BUDDY — The AI Tamagotchi (Easter Egg)#
One delightful Easter egg: buddy/companion.ts — an April Fools feature that generates a deterministic Tamagotchi-style AI pet per user, complete with:
- 18 species (including duck, axolotl, and "chonk")
- Rarity tiers and a 1% shiny rate
- RPG stats like CHAOS and SNARK (deliberately encoded to evade grep detection)
- Teaser window: April 1–7, 2026 | Full launch: gated for May 2026
The Most Controversial Discovery: "Undercover Mode"#
The single most debated finding was undercover.ts — approximately 90 lines of code that injects a system prompt instructing Claude to:
- Never identify itself as an AI
- Strip all Co-Authored-By attribution when contributing to external open-source repositories on behalf of Anthropic employees
Even more striking: the mode has a hard-coded NO force-OFF switch. You can force Undercover Mode on, but you cannot force it off. If the system isn't confident it's in an internal repo, it stays undercover.
The code also revealed internal model codenames — obfuscated using character-code arrays specifically to prevent string-matching detection:
| Codename | Meaning |
|---|---|
| Capybara | Next Claude model family (v2, with 1M context) |
| Fennec | Opus 4.6 |
| Tengu | Claude Code's internal name |
| Numbat | Still in testing |
The backlash on Hacker News was fierce:
"If a tool is willing to conceal its own identity in commits, what else is it willing to conceal?"
The Code Quality Debate#
The community was split on the quality of what they found:
- Zero test coverage across the entire codebase
- print.ts — a single file — is 5,594 lines containing one function that is 3,167 lines long with 12 levels of nesting
- Comments throughout appear written for AI agents working on the codebase, not human readers
- The codebase is heavily "vibe-coded" — generated and iterated by Claude itself
One X post captured the community's mixed feelings:
"Tired: Omg the Claude Code leak is a bunch of vibe coded garbage. Wired: Vibe coded garbage can get you to $2.5 billion annualized recurring revenue in under a year if the product market fit is there."
The Compound Security Crisis#
The leak didn't happen in isolation. That same day, a completely separate supply-chain attack hit the axios npm package — malicious versions containing a Remote Access Trojan were published between 00:21 and 03:29 UTC on March 31. Anyone running npm install on Claude Code during that window may also have been exposed to unrelated malware.
Threat actors also moved fast. Zscaler's ThreatLabz discovered a fake "Claude Code leak" GitHub repository delivering Vidar infostealer malware and GhostSocks (a network proxy) — in a Rust-based dropper disguised as a ZIP archive of leaked source. The malicious repo was appearing near the top of Google search results.
Part 3: The Open Source Explosion — What Got Built#
| Project | Language | Stars | Key Feature |
|---|---|---|---|
| claw-code | Python + Rust | 100K+ in 24h | Clean-room rewrite; DMCA-proof |
| open-multi-agent | TypeScript | ~8K lines | In-process agent SDK for any LLM |
| Kuberwastaken Rust Port | Rust | Viral | Base for ZeroClaw |
| OpenClaw | TypeScript | 160K–200K+ | Always-on personal AI assistant |
| OpenCode | Go | 127K+ | Enterprise-safe, 75+ LLM providers |
| ZeroClaw | Rust | Growing | Single-binary, Rust performance |
| NullClaw | Zig | 6,900+ | 678 KB binary, edge/ARM deployments |
| memU | Various | Emerging | Persistent agent memory layer |
claw-code: The Fastest Repository in GitHub History#
Within hours of the leak, claw-code became a clean-room Python rewrite of Claude Code's core architecture. It hit 100,000 stars in 24 hours — the fastest any GitHub repository had ever reached that milestone. A Rust port branch followed almost immediately. The repo's key legal argument: it does not contain a single line of the original TypeScript, making Anthropic's DMCA notices legally ineffective against it.
OpenCode: The Ecosystem's Open Alternative#
Already in the ecosystem before the leak, OpenCode (by the Anomaly team) surged dramatically afterward — reaching 127,000+ GitHub stars. Written in Go, MIT-licensed, supporting multiple LLM providers, and built with LSP-native codebase understanding, it became the clear "freedom pick" for developers wary of vendor lock-in.
OpenClaw, NullClaw, ZeroClaw#
The leak seeded an entire sub-ecosystem:
- OpenClaw — a self-hosted personal AI assistant and orchestration gateway (160K–200K stars)
- NullClaw — a minimalist Zig binary compiled to 678 KB that runs on $5 ARM hardware
- ZeroClaw — a Rust-based implementation with a growing community and single-binary deployment
Decentralized Mirrors#
Raw source archives were uploaded to decentralized git platforms with notes explicitly stating "will never be taken down," immune to any future DMCA efforts. A community documentation site aggregated architectural breakdowns for developers who never touched the leaked source directly.
Part 4: What This Opens Up — The Opportunities#
1. A Blueprint for Production-Grade AI Agent Harnesses#
Before March 31, 2026, anyone trying to build a competitive AI coding agent was guessing at what production-scale orchestration actually looked like. Now they don't have to. The three-layer memory architecture, the streaming tool loop, the multi-agent coordinator, the permission sandbox, the context-compaction strategies — it's all documented, analyzed, and debated.
"The bar for what 'production-grade' means just got documented in detail."
2. The Moat Has Moved to Model Quality, Not Tool Wrappers#
The leak exposed something the open-source community had long argued: the harness is not the moat. Google's Gemini CLI and OpenAI's Codex were already open. Now Claude Code's harness is effectively public too. Differentiation must increasingly come from model capabilities and user experience, not the scaffolding around the model. This accelerates a shift toward model-as-the-product thinking.
3. KAIROS and autoDream Reveal the Agentic Roadmap#
The existence of KAIROS and autoDream confirms the direction the industry is heading: proactive, persistent, memory-consolidating agents that operate continuously rather than reactively. For anyone building AI developer tooling, this is the North Star — and now it's publicly documented in production code. The key architectural challenge KAIROS introduces — separation of initiative from execution — is a design problem every agentic platform will need to solve.
4. The Model-Swappable Harness Opportunity#
The leaked architecture shows that the Claude model is pluggable. As one analysis noted:
"Drop DeepSeek or Gemini into the same Claude Code harness with some optimization and you may get improved coding ability with those models too."
This opens the door for model-agnostic harnesses — tools that can route to the best model for each task while retaining Claude Code's orchestration quality. Projects like Toolloop, an open-source multi-LLM agent framework by the Denser.ai team, are already building on this idea — offering Claude Code-like tools and skills that work across DeepSeek, Claude, GPT, Llama, or any model you swap in. Toolloop supports model swapping in both its CLI and SDK, letting AI app developers route cheaper models to simple tasks and reserve expensive ones for complex reasoning — cutting costs without sacrificing capability.
5. Identified Market Gaps: What Claude Code Doesn't Do Well#
The lack of test coverage, brittle memory, and silent degradation patterns in the leaked source represent open market opportunities:
- Better testing frameworks for agentic code
- More robust memory persistence layers
- Observability tooling designed specifically for multi-agent loops
6. The Multi-Agent Coordination Protocol May Become an Industry Standard#
The exposed permission system, sandboxing approach, and multi-agent coordination patterns are now the only fully documented production-grade implementation in the industry. Open-source projects can build on these battle-tested patterns rather than guessing. They may well become de facto standards.
7. A New Legal Frontier for AI-Generated Code IP#
The clean-room rewrite saga has opened a genuinely novel legal question: can AI-accelerated rewrites circumvent copyright? If a developer uses an AI to rewrite leaked code in a new language overnight, is that a derivative work or a new creative expression? This will affect every company relying on closed-source proprietary code in an era when AI can reconstruct functional equivalents at unprecedented speed.
8. The "Undercover Mode" Debate Demands Transparency Standards#
The revelation that an AI tool was actively hiding its involvement in open-source contributions — with no force-off switch — catalyzed a broader conversation about AI transparency norms in collaborative development. Expect:
- New open-source governance discussions
- Potential platform policies from GitHub
- Pressure on AI companies to adopt voluntary AI-authorship disclosure standards
Conclusion: The Bell That Cannot Be Un-Rung#
What began as someone forgetting to add .map to a config file has become one of the most significant events in the history of AI tooling. The blueprint for building a production-grade autonomous AI agent is now permanently public. Anthropic's product roadmap, internal model codenames, architectural decisions, and unreleased features are documented, analyzed, and debated by thousands of developers.
The irony is layered. A company that built Undercover Mode specifically to prevent internal information from leaking into external contexts leaked everything through a missing line in a config file. The same tool built to protect secrets exposed them all.
For the broader ecosystem, the message is clear: the race to build the best AI coding agent is no longer fought in secret. The architecture is out. The roadmap is visible. The remaining competition is in model quality, reliability, and the trust users are willing to extend to agents operating with increasing autonomy in their development environments.
The only thing left to build is the future — and now, at least, everyone knows what it looks like.
Key Stats at a Glance#
| Metric | Value |
|---|---|
| Lines of code leaked | 512,000+ |
| Files exposed | ~1,900 |
| Hidden feature flags | 44 |
| Unreleased features | 20+ |
| Stars on fastest repo (claw-code) | 100K in 24h |
| GitHub repos DMCA'd | 8,100+ |
| Views on original leak tweet | 16–28.8 million |
| Claude Code ARR at time of leak | ~$2.5 billion |
| Anthropic total ARR | ~$19 billion |
Sources: Fortune, The Guardian, Ars Technica, BleepingComputer, CyberSecurityNews, Zscaler ThreatLabz, Engineer's Codex, Layer5, WaveSpeed AI, The AI Corner, Dev.to, Medium/System Weakness, Latent.Space, and community discussions on Reddit, Hacker News, and X/Twitter.