Claude Code Source Leak: What 512,000 Lines Revealed

On March 31, 2026, Anthropic shipped version 2.1.88 of Claude Code via npm. Tucked inside was a cli.js.map file, 59.8 MB, that any browser could fetch directly from a public S3 bucket. A source map is a debugging artifact that translates minified production code back into readable TypeScript. Bun, the JavaScript runtime Anthropic acquired in late 2025, generates them by default. Nobody added *.map to .npmignore.

Chaofan Shou spotted it first. Within minutes the code was mirrored to GitHub. Within hours, claw-code hit 75,000 stars and was being called the fastest-growing repo in GitHub history. Anthropic filed DMCA takedowns against direct clones. The rewrite forks stayed up.

The most significant find in the source is a fully built, unreleased autonomous agent mode hidden behind feature flags called PROACTIVE and KAIROS.

KAIROS is not reactive. Every few seconds it receives a heartbeat: “anything worth doing right now?” It decides on its own. If it acts, it can fix errors, push files, respond to messages, all without you typing a thing. It has three tools that normal Claude Code sessions never see: push notifications to your phone when the terminal is closed, file delivery for things it created unprompted, and GitHub PR subscriptions so it watches your repo for changes around the clock.

At night it runs a process the source literally calls autoDream. It forks a subagent with limited tool access, consolidates memory, removes contradictions, and compresses daily observations down to under 200 lines and 25KB. Close your laptop Friday. Open it Monday. KAIROS has been running the whole time.

Distillation is how smaller AI companies build fast, cheap models: point an agent at a bigger model’s API traffic and train on what you capture. Anthropic knew this was happening to Claude Code. Their defense is genuinely clever.

The ANTI_DISTILLATION_CC flag makes Claude Code send anti_distillation: ['fake_tools'] in every API request. The server silently injects decoy tool definitions into the system prompt. Any competitor training on that captured data gets poisoned schemas baked into every example.

There is a second layer via CONNECTOR_TEXT: the server buffers the assistant’s full reasoning between tool calls, summarizes it, signs the summary cryptographically, and returns only the summary to API traffic recorders. Even a perfect man-in-the-middle attack yields digests, not chain-of-thought.

The author of the most detailed technical breakdown estimated both mechanisms can be bypassed in about an hour with a MITM proxy. The actual protection is legal, not technical. But the design decision is worth understanding: Anthropic targeted the distillation attack surface at data collection time, not at inference time. That is the right place to intervene.

Claude Code’s memory system is not a CLAUDE.md file. It is a 3-layer index built around a single insight: the context window is a scarce resource, so treat it like one.

Layer 1 is the Index: always loaded, just pointers, roughly 150 characters per line. Layer 2 is Topic files: loaded on demand when the index pointer says they are relevant. Layer 3 is Transcripts: never loaded into context directly, only searched with grep when needed.

The write discipline is strict: write to a topic file first, update the index second. Never dump content into the index. If a fact can be re-derived from the codebase in the time it takes to look it up, it is not stored at all.

autoDream runs as a forked subagent with limited tool access so it cannot corrupt the main context while reorganizing. Memory is treated as a hint, never as truth. The agent verifies before acting on it.

Most open source agent frameworks load all memory into context every turn. That is expensive and noisy. Claude Code treats retrieval like a database query: cheap pointers always present, expensive content fetched only when needed.

Here is something competitors probably discovered the hard way. API requests from Claude Code contain placeholder values that Bun’s native HTTP stack, written in Zig, overwrites with computed cryptographic hashes before transmission. These hashes prove a request came from a genuine Claude Code binary.

The reason this lives in Zig rather than JavaScript is deliberate. JavaScript can be patched, monkey-patched, or proxied at runtime. Zig compiled into the Bun binary cannot be inspected or overridden without recompiling from source. This is why tools like OpenCode faced friction beyond just legal notices: they were being blocked at the API layer too.

undercover.ts, 90 lines, instructs Claude Code to strip all Anthropic internals from commit messages and PR descriptions when working on external repositories. No Co-Authored-By attribution. No mention of internal codenames. No reference to “Claude Code” itself. You can force it ON with an environment variable. There is no way to force it OFF.

The community noticed the irony immediately: Anthropic built a system specifically designed to prevent internal information from leaking through code contributions. Then they leaked the entire source code through a file they forgot to exclude from their npm package.

Loved this breakdown?

Hit a like!For more simple explanations, useful insights on coding, system design and tech trends, Subscribe To My Newsletter! 🚀

Follow me on Youtube, LinkedIn, X and Instagram to stay updated.

See you next week with more exciting content!

Signing Off, Scortier