Anthropic’s Claude Code leaks reveal private agent tools and unreleased models
Anthropic revealed the full source code of Claude’s code after a poorly configured source map file was published to npm, providing a rare look at the company’s most important commercial products.
The file, bundled with version 2.1.88, contains about 60 megabytes of internal material, including about 512,000 lines of TypeScript across 1,906 files. Chaofan Shou, a software engineer working at Solayer Labs, first flagged the leak, which quickly spread across X and GitHub as developers began testing the codebase.
The disclosure showed how Anthropic built Claude Code to stay on track during long coding sessions. One of the most obvious discoveries was a three-layer memory system centered on a lightweight file called MEMORY.md, which stores short references instead of full information. Detailed project notes are saved separately and pulled in only when needed, while past session history is selectively searched rather than loaded all at once. The code also tells the system to check its memory against the actual code before taking action, a design intended to reduce errors and false assumptions.
The source also suggests that Anthropic has been developing a standalone version of the Claude Code than what users currently see. The feature referred to repeatedly under the name KAIROS appears to describe a daemon mode in which the agent can continue to run in the background instead of waiting for specific information.
Another process, called autoDream, appears to handle memory consolidation during periods of inactivity by synchronizing contradictions and turning random observations into verified facts. Developers reviewing the code also discovered a number of hidden features, including references to browser automation with Playwright.
The leak also revealed the names of the internal models and performance data. According to the source, Capybara refers to a variant of Claude 4.6, Fennec corresponds to the release of Opus 4.6, and Nummbat is still in pre-launch testing.
Internal estimates cited in the code showed the latest version of Capybara with a false claims rate of 29% to 30%, up from 16.7% in the previous iteration. The source also mentioned a counterweight counterweight designed to keep the model from being too aggressive when refactoring user code.
Another more sensitive disclosure involves a feature referred to as Stealth Mode. The system information found suggests that Claude Code can be used to contribute to public open source repositories without revealing that AI was involved. The instructions specifically tell the model to avoid revealing internal identifiers, including Anthropic codenames, in commit messages or public git logs.
The leaks also revealed Anthropic’s consent engine, multi-agent workflow orchestration logic, bash authentication programs, and MCP server architecture, giving adversaries a detailed look at how Claude’s Code works. Exposing information may also give attackers a clear path to building repositories designed to exploit the agent’s trust model. The attached document says that another developer had already started rewriting parts of the system in Python and Rust under the name Claw Code within hours of the leak.
The source’s exposure coincided with a separate supply chain attack involving malicious versions of the axios npm package distributed on March 31. Developers who installed or updated Claude’s Code with npm during that time may have pulled a vulnerable dependency, which reportedly contained a remote access trojan. Security researchers have urged users to check their lock files, rotate data, and in some cases consider reinstalling the full operating system on affected devices.
The incident marks the second known case in nearly thirteen months where Anthropic disclosed sensitive internal technical information, following a previous episode in February 2025 involving unreleased model details.
After the recent breach, Anthropic designated its standalone binary installer as the preferred method of installing Claude’s Code because it bypasses a series of npm dependencies. Users remaining on npm are advised to pin safe versions that were released before the corrupted package.
