Inside the Claude Code Source Leak: 1,900 Files, 510k Lines, and the Three‑Layer Memory Architecture

Incident Overview

On 31 Mar 2026, researcher Chaofan Shou posted a tweet linking to npm package @anthropic-ai/claude-code version 2.1.88, which unintentionally contained a 59.8 MB JavaScript source‑map file. The tweet generated >21 million views and multiple GitHub mirrors. Anthropic confirmed the leak as a packaging error, stating no customer data or credentials were exposed.

Leaked Architecture

The dump comprises ~1,900 TypeScript files and >510 k lines of code, forming an industrial‑grade AI agent system. Core components:

Query Engine (≈46 k lines) : Handles LLM API calls, streaming responses, caching, and task orchestration.

Tool System (≈29 k lines of definitions) : >40 permission‑controlled tools (file I/O, Bash execution, web scraping, etc.).

Multi‑Agent Orchestration : Parallel scheduling of sub‑agents (“swarms”).

IDE Bridge : Bidirectional communication between VS Code/JetBrains and the CLI.

Three‑Layer Memory Architecture

Designed to mitigate “context entropy” (loss of coherence in long‑running agents). The three layers are:

Layer 1 – MEMORY.md (lightweight index) : Stores pointers to actual data; always loaded in the prompt without large memory cost.

Layer 2 – Topic Files (on‑demand fetch) : Knowledge is split into topic‑specific files; the agent retrieves a file only when needed.

Layer 3 – Grep‑style Retrieval : Raw dialogue records are never fully loaded; the agent searches for specific identifiers on demand.

The design enforces a “write discipline”: the agent updates the index only after a file write succeeds, preventing failed writes from contaminating the prompt. Anthropic treats memory as a prompt‑derived construct that must be verified before use.

Unreleased Features Discovered

KAIROS (autonomous daemon) : When idle, the agent performs “memory consolidation” to resolve logical contradictions and turn vague insights into concrete facts.

Buddy (terminal pet) : Tracks metrics such as “chaos level” and “sarcasm score”.

Undercover Mode (anonymous contribution) : Requires the agent to hide all Anthropic internal information when submitting code to public repositories, enabling silent contributions.

Concurrent npm Supply‑Chain Attack

During the same window (00:21–03:29 UTC on 31 Mar), a supply‑chain attack targeted the axios package. Installations of Claude Code that fetched axios 1.14.1 or 0.30.4 received a malicious version containing a remote‑access trojan.

Immediate checks : Search lock files (e.g., package-lock.json) for the affected axios versions or the plain-crypto-js dependency. If present, treat the host as compromised, rotate all keys, and consider reinstalling the operating system.

Remediation steps :

Prefer native installation that bypasses npm: curl -fsSL https://claude.ai/install.sh | bash If npm must be used, uninstall version 2.1.88 and roll back to 2.1.86.

Lessons for Engineering Teams

Run npm pack --dry-run before publishing to verify package contents.

Exclude debugging artifacts such as .map files from production bundles.

Integrate security checks into CI/CD pipelines.

Re‑evaluate the security of the npm dependency chain and prioritize native installation methods.

Impact on AI Agent Design

The three‑layer memory solution provides a concrete blueprint for reducing context entropy in long‑running agents and may influence future AI agent architectures.