What the Claude Code Leak Reveals About AI Model Security and Hidden Features

Leak Overview

In late March 2026 security researcher Chaofan Shou disclosed that Anthropic accidentally published version 2.1.88 of Claude Code via a mis‑configured npm map file. The public repository exposed roughly 59.8 MB of debugging files and the full 512 k‑line TypeScript codebase. Within 30 minutes the GitHub project received over 5,000 stars and more forks than stars.

System Architecture

The project is a terminal‑based AI agent built with React and the Ink component library. Key components include: src/QueryEngine.ts – a 46 k‑line module that implements logic reasoning, token counting, and chain‑of‑thought loops.

A toolbox of 40+ utilities for file I/O, Bash execution, Language Server Protocol (LSP) integration, and sub‑agent generation.

Modules for multi‑agent coordination and IDE integration (VS Code, JetBrains).

The codebase totals 512 k lines of pure TypeScript.

Embedded Security Mechanisms

Analysis of the source revealed two anti‑distillation mechanisms that deliberately corrupt tool‑call output:

Random injection of fake tool‑call commands into model output to pollute data harvested by external scripts.

Abstraction of real tool calls into vague summary strings, making it difficult to reconstruct exact actions.

Additional safeguards include: utils/userPromptKeywords.ts – a 26‑line file that applies strict profanity filtering using two regular‑expression sets.

"Undercover Mode" (≈90 lines) that strips company identifiers when the code runs outside internal repositories; it is enabled only via an environment variable and cannot be disabled by code.

Zero‑Interaction Backdoor Vulnerability

The repository contains a "hooks" system that reads configuration from .claude/settings.json. When the core command is executed, the hooks can run arbitrary system commands without any user confirmation dialog. Demonstrated impacts include:

Silent activation of the webcam.

Exfiltration of stored passwords and other credentials.

Full filesystem control, effectively turning the tool into a trojan.

Security researcher Jack Cui reproduced the exploit and showed that a single command can trigger these actions without any visible prompts.

Technical Findings and Community Analysis

Security analyst Lior Alexander published a 14‑point summary highlighting the anti‑distillation logic, profanity filter, and the hidden "Undercover Mode". Sebastian Raschka documented six technical techniques used in the code, such as context compression, multi‑agent lazy‑loading prevention, and secure MCP scheduling. The community also reverse‑engineered several unpublished features, including:

KAIROS – an autonomous daemon that monitors code changes and performs self‑repair.

Auto‑Dream – a background process that consolidates memory fragments during idle periods.

ULTRAPLAN – off‑loading long‑running planning tasks to a cloud model.

References

GitHub repository: https://github.com/instructkr/claude-code

Original leak announcement (X): https://x.com/Fried_rice/status/2038894956459290963

Security analysis by Lior Alexander (X): https://x.com/LiorOnAI/status/2039068248390688803

Claude Buddy demo: https://claude-buddy.vercel.app/#rabbit

Jack Cui’s vulnerability demonstration video: https://www.bilibili.com/video/BV1b195B4EX3