Anthropic inadvertently exposed 512,000 lines of Claude’s code source code on npm, revealing its AI memory architecture, unreleased models, and an “undercover” mode.
Anthropic appears to have accidentally exposed the inner workings of Claude Code, its popular agentic AI product, after a large internal source file was inadvertently published to a public software registry Monday morning.
A 59.8-megabyte JavaScript source map file — intended for internal debugging — was included by mistake in version 2.1.88 of the Claude Code package on npm, a widely used public registry for software packages. The file contained roughly 512,000 lines of TypeScript source code.
By 4:23 a.m. Eastern time, Chaofan Shou, an intern at Solayer Labs, had posted about the discovery on X, formerly Twitter, including a direct download link. Within hours, the code had been mirrored across GitHub and was being analyzed by thousands of developers.
Anthropic confirmed the incident in a statement emailed to VentureBeat. “Earlier today, a Claude Code release included some internal source code,” the company said. “No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”
The timing is particularly notable. Anthropic has reported an annualized revenue run rate of $19 billion as of March 2026, with Claude Code alone generating an estimated $2.5 billion in annualized recurring revenue — a figure that has more than doubled since the start of the year. Enterprise clients account for roughly 80 percent of that revenue.
A Three-Layer Memory Architecture
Among the most significant disclosures is how Anthropic engineered Claude Code to handle long, complex sessions without losing coherence — a persistent challenge in AI development sometimes called “context entropy.”
According to developers who analyzed the leaked code, the system uses a three-layer memory architecture built around a file called MEMORY.md, a lightweight index of pointers that is continuously loaded into the agent’s active context. Rather than storing data directly, the index stores the locations of data. Detailed project knowledge is held in separate files and retrieved only when needed, while session transcripts are scanned for specific identifiers rather than read in full.
The approach, which developers have described as a “skeptical memory” design, instructs the agent to treat its own stored information as a working hypothesis, verifying facts against the actual codebase before proceeding.
Also Read: Most Boards Were Built for a Pre-AI World. The Bill Is Coming Due.
An Autonomous Background Mode
The leaked code also references a feature called KAIROS — from the Ancient Greek concept meaning “the right moment” — mentioned more than 150 times in the source. The feature describes an autonomous background mode in which Claude Code continues operating while the user is idle.
In this mode, a process called autoDream performs what the code describes as “memory consolidation”: merging observations, resolving contradictions, and converting tentative notes into confirmed facts. A separate subprocess handles this maintenance independently, preventing it from interfering with the agent’s primary workflow.
Unreleased Models and Internal Benchmarks
The source code also offers an unusually candid look at Anthropic’s internal development pipeline. The leak identifies “Capybara” as the internal codename for a Claude 4.6 variant, with “Fennec” mapping to the Opus 4.6 model and an unreleased model called “Numbat” still in testing.
Internal comments note that the current Capybara v8 iteration carries a 29 to 30 percent false-claims rate — a regression from the 16.7 percent rate recorded in v4 — and that engineers have built in an “assertiveness counterweight” to prevent the model from making overly aggressive code changes.
An “Undercover” Contribution Mode
Perhaps the most widely discussed disclosure is a feature described in the code as “Undercover Mode,” which appears designed for AI-assisted contributions to public open-source repositories without attribution.
A system prompt found in the leaked file instructs the model: “You are operating UNDERCOVER… Your commit messages… MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.” The feature ensures that internal model names and AI attributions do not appear in public version-control logs.
Anthropic has not commented specifically on this feature.
Also Read: The AI Attack You Haven’t Heard Of. But Should.
What Users Should Do
Security researchers have flagged an additional, unrelated concern: a supply-chain attack on the axios software package that occurred hours before the Claude Code leak. Users who installed or updated Claude Code via npm on March 31, 2026, between 12:21 a.m. and 3:29 a.m. UTC may have inadvertently installed a malicious version of axios — either 1.14.1 or 0.30.4 — containing a remote access trojan.
Affected users should check their project lock files — package-lock.json, yarn.lock, or bun.lockb — for those version numbers or a dependency called plain-crypto-js. If either is found, security experts recommend treating the machine as fully compromised, rotating all credentials, and reinstalling the operating system.
Anthropic has designated a native installer — available at claude.ai/install.sh — as the recommended installation method, as it uses a standalone binary that does not rely on the npm dependency chain. Users who remain on npm should uninstall version 2.1.88 and pin their installation to version 2.1.86 or earlier.
As a precaution, users should also rotate their Anthropic API keys and monitor usage logs for unusual activity.
