Inside the Claude Code Source Leak: Architecture, Secrets, and Security Risks

On March 31, 2026 Anthropic published the Claude Code npm package and mistakenly included the full source map ( .map) files in the production build of version claude-code v2.1.88. The cli.js.map file (~60 MB) allowed anyone to reconstruct the entire TypeScript codebase, exposing roughly 1,900 source files and more than 510 k lines of code.

1. What was leaked?

Client CLI code – the frontend/wrapper, not the Claude model weights or backend server code.

Internal architecture – file‑system handling, Anthropic API interaction, telemetry logic, and a multi‑process communication protocol.

System prompts – hard‑coded prompts that guide Claude for code editing, testing, and Git management.

Tech stack – the tool runs on the Bun runtime and uses React + Ink to build the terminal UI.

2. Unexpected "gold mine" discoveries

New model code‑name "Capybara" – versions such as capybara-fast appear, with comments noting improvements on hallucination handling.

Emotion monitoring – the source records whether a user swears at Claude, using this as a frustration telemetry metric.

Hidden "buddy" pet system – a built‑in /buddy feature defines 18 creatures (e.g., Duck, Dragon, Capybara) with rarity levels and attributes like chaos, wisdom, and cuteness, which can evolve based on commit count or debug success.

3. Impact and current status

Security risk – researchers such as Chaofan Shou (Fuzzland) warned that the exposed source makes remote code execution (RCE) vulnerabilities easier to discover; malicious .claude/settings.json files have been cited as potential exploits.

Irreversible spread – Anthropic quickly withdrew the npm package, but the source was cloned and widely shared on GitHub (e.g., claude-code-source-code-deobfuscation).

Community reaction – jokes about "passive open‑source" because an AI‑assisted coding tool became fully visible.

💡 Summary: This was a classic supply‑chain configuration error. Although the core model algorithm remains hidden, the leak exposed Anthropic’s internal engineering details for building complex AI agents.

4. Architectural core: state machine and event‑driven design

Claude Code is a stateful terminal application.

React + Ink rendering layer – manages UI state via componentized progress bars and dialog bubbles.

Multi‑process model – the main process handles communication with Anthropic’s backend, while worker processes execute Git commands, file I/O, and test runs to avoid UI blocking.

5. Core logic: control loop

Tool‑use decision tree – when the model returns a call_tool command, the local code performs pre‑validation to prevent malformed paths or nonexistent commands.

Context management – a sliding‑window strategy automatically trims history, preserving the current project's .gitignore, directory tree, and recent error logs to save tokens and maintain logical coherence.

6. Security and permission safeguards

Double‑confirmation mechanism – dangerous operations such as rm -rf trigger a risk‑rating system before execution.

Command‑hijack prevention – the tool scans and escapes shell commands to mitigate prompt‑injection attacks.

7. Telemetry and diagnostics

Sentiment tracking – the code detects negative words (e.g., "you’re stupid") and flags the session as user_frustrated: true.

Performance bottleneck analysis – latency of each tool execution (e.g., how long grep takes to scan a large folder) is recorded.

8. Discoveries about the "Capybara" model

Dynamic sampling adjustment – the code adjusts temperature based on the model version (e.g., capybara-2026).

Targeted prompts – specific system prompts activate only for the new model to enhance reasoning on complex code.

9. Unreleased models: Capybara and Mythos

Capybara series – entries like capybara-2026-v1 are optimized for large‑scale file‑tree navigation.

Mythos – associated with an extremely large context window, apparently aimed at enterprise‑scale codebases.

10. Competitive insights

Comments in the code compare Claude Code to other tools (e.g., GitHub Copilot, Cursor) and note the need to be smarter than "X tool".

A humorous Git comment: // Git is hard, and we are all suffering.

11. Backdoor and debug switches

The EXTREME_DEBUG_MODE flag, when enabled, prints Claude’s internal chain‑of‑thought reasoning, originally for internal testing.

Small interlude: A GitHub user joked that after reading the source, Claude’s intelligence seems to come from its elegantly written prompts rather than the model itself.