← Back to blog

Claude Code Source Leaked via npm Source Map

March 31, 2026 — A deep dive into what was found

Credit where it's due: this was originally discovered by @Fried_rice on X. They noticed that Anthropic accidentally published a source map file alongside their bundled CLI on npm.

What Happened?

The npm package @anthropic-ai/claude-code version 2.1.88 was published with a cli.js.map file (59.8 MB) that contains the full original TypeScript source code. Source maps are debugging artifacts that map bundled code back to source — and they embed the raw source files in a field called sourcesContent.

This isn't a "hack" — it's a build configuration oversight where debug artifacts got published to production. But it does reveal a lot about Claude Code's internals that weren't meant to be public.

Hidden Feature Flags (62+ Found)

Claude Code uses Bun's feature() system for build-time feature flags. These get dead-code-eliminated in public builds, but the source reveals what's being worked on:

Major Unreleased Features

  • KAIROS (154 references) — An autonomous daemon mode that turns Claude Code into an always-on agent. Includes background sessions, "dream" memory consolidation, GitHub webhook subscriptions, push notifications, and channel-based communication.
  • TRANSCRIPT_CLASSIFIER (107 references) — "Auto Mode" that uses an AI classifier to auto-approve tool permissions, removing the permission prompts entirely.
  • COORDINATOR_MODE (32 references) — Transforms Claude into an orchestrator that spawns and manages parallel worker agents for research, implementation, and verification.
  • VOICE_MODE (46 references) — Speech-to-text and text-to-speech integration for voice interaction.
  • BUDDY (16 references) — A full Tamagotchi-style pet system with 18 species, rarity tiers (1% legendary), cosmetics (hats, shiny variants), and stats like DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK.

Other Notable Flags

  • PROACTIVE — Autonomous work mode where Claude works independently
  • TEAMMEM — Team memory sync across users
  • FORK_SUBAGENT — Fork yourself into parallel agents
  • VERIFICATION_AGENT — Independent adversarial verification of work
  • ULTRAPLAN — Advanced planning capabilities
  • WEB_BROWSER_TOOL — Browser automation
  • SSH_REMOTE — SSH remote session support
  • TOKEN_BUDGET — Explicit token budget targeting ("+500k", "spend 2M tokens")

Internal Model Codenames

The source reveals animal-based internal codenames for Claude models:

  • Capybara — Appears to be a Claude 4.6 variant. Comments reference "Capybara v8" with specific issues: "29-30% false claims rate vs v4's 16.7%", "over-commenting by default", and "assertiveness counterweight" fixes.
  • Fennec — A deprecated codename that was migrated to Opus 4.6.
  • Numbat — An unreleased model. One comment reads: "Remove this section when we launch numbat."

Undercover Mode

One of the most interesting discoveries is "Undercover Mode" — a safety feature for when Anthropic employees contribute to public/open-source repositories. When active:

  • All AI attribution is stripped from commits
  • Model codenames (Capybara, etc.) are hidden
  • No "Claude Code" or "Generated by AI" mentions
  • The model isn't even told what model it is
  • There's no force-OFF switch — it defaults to ON for safety

The prompt literally includes: "You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."

The Buddy Pet System

Yes, there's a full Tamagotchi-style companion system hidden in Claude Code:

  • 18 Species: duck, goose, blob, cat, dragon, octopus, owl, penguin, turtle, snail, ghost, axolotl, capybara, cactus, robot, rabbit, mushroom, chonk
  • Rarity: Common (60%), Uncommon (25%), Rare (10%), Epic (4%), Legendary (1%)
  • Cosmetics: 6 eye types, 8 hat options (crown, tophat, propeller, halo, wizard, beanie, tinyduck)
  • Stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK
  • Shiny variants exist

The "capybara" species name is actually obfuscated using String.fromCharCode() to avoid triggering their internal leak-detection scanners — which is how we know "capybara" is definitely a sensitive model codename.

Internal Anthropic Repos

The source includes an allowlist of internal Anthropic repositories where undercover mode is disabled:

  • anthropics/claude-cli-internal
  • anthropics/anthropic
  • anthropics/apps
  • anthropics/casino
  • anthropics/labs
  • anthropics/mobile-apps
  • anthropics/forge-web
  • anthropics/terraform-config
  • ...and more

Scale of the Codebase

Some files are massive — this is a serious production codebase:

  • main.tsx — 785KB, 4,684 lines
  • AgentTool.tsx — 228KB
  • BashTool.tsx — 157KB
  • bashSecurity.ts — 2,500+ lines of command validation
  • prompts.ts — 915 lines of system prompt engineering

How to See It Yourself

The source is still on npm at the time of writing. You can extract it yourself:

  1. Download the package from npm: @anthropic-ai/claude-code@2.1.88
  2. Find cli.js.map (59.8 MB)
  3. Parse the JSON and extract sourcesContent

I'm not redistributing the code — that would be a copyright issue. But discussing publicly-accessible artifacts is fair game.

What This Tells Us

A few takeaways from this accidental disclosure:

  • Claude Code is getting autonomous features — KAIROS, PROACTIVE, and COORDINATOR_MODE suggest a future where Claude works more independently.
  • Model versioning is complex — There are internal variants, fast modes, and codenames that the public API doesn't expose.
  • Security is taken seriously — 2,500+ lines just for bash command validation, undercover mode, sandboxing, and more.
  • They're building fun features — The buddy system is delightful and shows personality in the product.

References