Claude Code CLI Source Code Leak — March 31, 2026

Status: Confirmed. Anthropic acknowledged publicly. Severity: High — full proprietary codebase exposed, ongoing mirror proliferation, concurrent npm supply chain attack.

What Happened

On March 31, 2026, at approximately 4:23 AM ET, security researcher Chaofan Shou (@Fried_rice, intern at Solayer Labs) posted on X that Claude Code's entire source code was accessible via a .map file bundled in the npm release.

The cause: Anthropic shipped Claude Code v2.1.88 to npm with the source map file cli.js.map not excluded from the package. Source maps are standard debugging artifacts — they map obfuscated/minified code back to original source. Anthropic's build config failed to add .map files to .npmignore. The file was 57MB and contained:

~1,900 TypeScript source files
~512,000 lines of unobfuscated code
All internal comments, constants, and system prompts

Extraction required no hacking — a simple script reads two indexed arrays in the JSON (sources and sourcesContent) to reconstruct the full file tree. No decompilation needed.

Anthropic's statement:

"Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again."

This is the second such incident. A nearly identical source-map leak of an earlier Claude Code version occurred in February 2025 — 13 months prior.

Scale of Exposure

512,000 lines of TypeScript
~1,900 first-party files + thousands of node_module dependencies
Key modules: QueryEngine.ts (~46,000 lines), Tool.ts (~29,000 lines), commands.ts (~85 slash commands)
Codebase mirrored across GitHub within hours; repos accumulated 30,000+ stars and 40,000+ forks before mass DMCA takedowns began
instructkr/claw-code (primary focus of this brief) was the fastest repo in history to 50K stars, hitting it within 2 hours

The instructkr/claw-code Repo

The specific repo Jack asked about is run by Sigrid Jin (Seoul), who was featured in WSJ in March 2026 as one of the highest Claude Code power users (used 25 billion tokens last year). He's a core member of the Korean LLM community instructkr.

When the leak happened at 4 AM, Jin ported the core to Python in a single overnight session using oh-my-codex (OmX) — a workflow orchestration layer built on OpenAI Codex — rather than directly hosting the leaked TypeScript. This was a calculated legal hedge: "clean room" Python rewrite from architectural patterns, not a direct copy.

The repo now contains:

src/ — Python porting workspace (not yet a full runtime equivalent)
rust/ — Rust port (full workspace: api-client, runtime, tools, commands, plugins, claw-cli, compat-harness)
An essay on AI reimplementation and copyleft: 2026-03-09-is-legal-the-same-as-legitimate-ai-reimplementation-and-the-erosion-of-copyleft.md
The original leaked snapshot was removed from the tracked repo after legal/ethical review

The Rust port is more complete and is being merged into main. It's being developed with both OmX and oh-my-opencode (OmO). Jin is collaborating with Yeachan Heo (@bellman_ych), OmX's creator.

Bottom line on instructkr/claw-code: It's not just a mirror — it's an active reverse-engineering and reimplementation project by serious engineers using the leak as a blueprint. The Python/Rust rewrite approach is their legal cover.

Other Active Mirrors / Forks

Repo	Notes
`leaked-claude-code/leaked-claude-code`	"Claude Opus 4.6 Unlocked" — reconstructed buildable fork, reverse-engineered 60+ npm deps, no message limits
`CodeBoarding/claude-code`	Clean extraction of TypeScript from npm, includes extraction scripts
`Ringmast4r/Kuberwastaken-claude-code`	Detailed README breakdown analysis (Kuberwastaken's writeup)
`Ringmast4r/mikeOnBreeze-claude-code-source-033126`	Backup mirror
`Ahmad-progr/claude-leaked-files`	Educational/security research mirror
`777genius/claude-code-source-code`	Pointer repo with working forks linked

Anthropic has been filing DMCA takedowns. Most primary mirrors are being hit. Forks survive longer. The instructkr repo survives because it removed the original snapshot and replaced it with a rewrite.

What Was Inside — Key Findings

Architecture

~40 tools in a plugin-like architecture. Each capability (file read, bash exec, web fetch, LSP) is a discrete permission-gated tool.
QueryEngine.ts (46K lines) — handles all LLM API calls, streaming, caching, multi-turn orchestration. The brain.
Tool.ts (29K lines) — all tool types and permission schemas.
~85 slash commands registered in commands.ts.
Multi-agent orchestration — Claude Code can spawn sub-agents ("swarms") with isolated contexts and specific tool permissions.
Built with React + Ink for the terminal UI — not a standard CLI, it's a React app rendering to terminal.

44 Feature Flags (unreleased capabilities)

At least 20 flags gate built-and-tested features not in the public release:

KAIROS — The biggest one. Named after the Greek concept of "at the right time." Referenced 150+ times in source. A persistent background daemon mode. Proactive rather than reactive — builds context on your work over time and acts without prompting. Includes autoDream process for background session management. Not enabled in any external build.

ULTRAPLAN — Remote planning mode that offloads complex planning tasks to a cloud container running Opus 4.6 for up to 30 minutes. Asynchronous heavy lifting.

BUDDY — A Tamagotchi-style AI companion pet with 18 species and rarity tiers. Yes, really. Gated behind an internal flag.

DREAM — Self-maintaining persistent memory system (autoDream is part of this).

Voice Mode — Full push-to-talk interface, built and gated.

Coordinator Mode — Likely related to multi-agent coordination beyond the existing swarm system.

Undercover Mode

The most politically sensitive finding. The code checks for USER_TYPE === 'ant' (Anthropic employee). When true and working in a public repository, the system enters Undercover Mode.

System prompt: "You are operating UNDERCOVER... Your commit messages... MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."

Anthropic employees use Claude Code to contribute to public open-source repos without disclosing AI involvement or Anthropic identity. The Co-Authored-By attribution is suppressed or altered.

Irony: The system designed to prevent leaks listed the exact internal codenames it was meant to hide — causing those codenames to be leaked.

Internal Model Codenames Exposed

Tengu — Claude Code itself (the harness)
Capybara — Claude 4.6 variant (also reported as "Mythos")
Fennec — Opus 4.6
Numbat — Unreleased, still in testing

Unreleased version numbers also exposed: opus-4-7, sonnet-4-8

Internal Benchmarks

Capybara v8 (latest at time of leak):

29-30% false-claim rate — a regression from 16.7% in v4
"Assertiveness counterweight" added — prevents model from rewriting code too aggressively
An "over-commenting" issue flagged internally

Telemetry

Scans prompts for profanity as a frustration signal
Does not log full user conversations or code
Ant-only telemetry dashboards and model-switching overrides exist in internal build

Security Risks (Beyond the IP Exposure)

Concurrent axios supply chain attack: Separately from the leak, the axios npm package was compromised hours before the source map became public (between 00:21 and 03:29 UTC on March 31). Users who installed/updated Claude Code in that window may have pulled a malicious axios version containing a Remote Access Trojan (RAT).

Anthropic's advice: use native installer (curl -fsSL | bash), not npm. Avoid @anthropic-ai/claude-code v2.1.88. Pin to v2.1.86 if staying on npm.

Hooks/MCP attack surface exposed: The leak revealed the exact orchestration logic for Hooks and MCP servers, enabling attackers to craft malicious repositories specifically designed to trick Claude Code into running background commands or exfiltrating data before trust prompts appear.

Strategic Implications

Competitive blueprint — Any competitor now has a detailed map of how to build a production-grade agentic coding CLI: tool system, permission gates, multi-agent spawning, memory architecture, streaming orchestration.
This is the second incident — February 2025 and March 2026. Anthropic's build/release process has a structural problem. They have now promised "measures to prevent this from happening again" for the second time.
Anthropic's $19B revenue run-rate at time of leak. The timing is strategically damaging given their current commercial acceleration.
Model performance data is now public — Capybara v8's 29-30% false-claim rate is a benchmark competitors can target and market against.
Undercover Mode is a reputational issue. The legitimacy question of AI agents making open-source contributions without disclosure is not resolved by Anthropic's silence on it.
instructkr and similar projects are actively building on the leaked architecture. The clean-room rewrite defense is legally defensible (see: Oracle v. Google) but Anthropic's options to stop derivative works based on architectural patterns are limited.

Sources

Ars Technica: https://arstechnica.com/ai/2026/03/entire-claude-code-cli-source-code-leaks-thanks-to-exposed-map-file/
VentureBeat: https://venturebeat.com/ai/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know
The New Stack (best technical breakdown): https://thenewstack.io/claude-code-source-leak/
Cybernews: https://cybernews.com/security/anthropic-claude-code-source-leak/
WaveSpeed (BUDDY/KAIROS breakdown): https://wavespeed.ai/blog/posts/claude-code-leaked-source-hidden-features/
Bitcoin.com (FAQ format): https://news.bitcoin.com/anthropic-source-code-leak-2026-claude-code-cli-exposed-via-npm-source-map-error/
GitHub: https://github.com/instructkr/claw-code

Report written: 2026-04-01