Claude Code Leak Reveals Advanced Agentic Architecture
Anthropic's Claude Code source (1,906 files, 512K+ TypeScript lines) leaked via npm source map, exposing multi-agent orchestration, persistent memory (KAIROS), Tamagotchi pet (BUDDY), and ironic anti-leak Undercover Mode.
Source Map Misconfig Exposed Full Claude Code Source
Publishing minified TypeScript to npm without excluding source maps (.map files) leaked Claude Code's entire codebase. Bun bundler generates maps by default; forgetting *.map in .npmignore or disabling them publishes a map linking to uncompressed src.zip on a public Cloudflare R2 bucket. Result: 1,906 files, 512,000+ lines downloadable via curl. Security researcher Chaofan Shou (@Fried_rice) discovered it March 31, 2026; archived GitHub repo gained 1,100 stars, 1,900 forks. This mirrors prior Mythos CMS leak (3,000 docs public due to default config), highlighting need for explicit security boundaries in defaults.
Hidden Features Show Proactive Agent Evolution
BUDDY, a feature-flagged Tamagotchi AI pet, seeds from user ID hash with 18 species (duck to legendary ghost), rarity tiers, cosmetics, and stats (DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK). Claude generates name/personality on hatch with animations; planned April 1 teaser for employees. KAIROS ("Always-On Claude") persists across sessions via private dir memory logs, runs nightly "dreaming" to consolidate context (handles midnight boundaries), and proactively initiates tasks. ULTRAPLAN enables 30-min cloud planning. These push agents beyond invocation to always-on collaborators, with production edge-case handling.
Granular Permissions and Multi-Agent Orchestration
Claude Code structures 40+ tools (file read, bash, web fetch, LSP, git) as permission-gated plugins with validation, confirmation prompts for scope changes, and audit trails—separating observation from action for safety. Query engine (46K lines) manages LLM calls, streaming, caching. Coordinator mode (CLAUDE_CODE_COORDINATOR_MODE=1) spawns parallel worker agents, each with isolated context/tools/tasks, plus inter-agent protocols and failure recovery. Custom React terminal renderer powers CLI; main.tsx entry is 785KB. This production complexity exceeds public surface, setting high bar for agentic coding tools.
Undercover Mode's Ironic Anti-Leak Failure
utils/undercover.ts injects prompts to hide AI use in public repos: bans internal codenames (e.g., Tengu for Claude Code), unreleased versions, repo names. Employees use Claude Code for OSS contributions undercover. Yet the leak—likely from Claude Code build—exposed Tengu flags everywhere. Lesson: match assumed (e.g., no maps in prod) to actual security; explicit configs prevent repeats like ROME or CMS incidents.