What the Claude Code Source Leak Reveals About Anthropic’s AI CLI and Security

Leak Overview

Version v2.1.88 of the Claude Code CLI unintentionally bundled a 60 MB source‑map into the npm package. The source‑map contains the full TypeScript source tree (1906 files, ~510 000 lines), exposing the entire codebase.

Repository Access

The leaked source was quickly mirrored to a public GitHub backup. It can be cloned with:

git clone https://github.com/instructkr/claude-code.git

Full repository URL:

https://github.com/instructkr/claude-code

Discovered Hidden Features

Electronic Pet (Buddy) : A Tamagotchi‑style ASCII pet displayed in the terminal. It supports 18 species, six rarity tiers, and generates a unique ID per user account.

Kairos Persistent Assistant : Enables cross‑session long‑term memory. When the CLI is idle, it runs a four‑stage pipeline (targeting → collection → integration → pruning) to convert conversation fragments into structured notes.

Ultraplan : Uses the Opus 4.6 model to perform up to 30‑minute deep task planning, suitable for complex project design.

Multi‑Agent Coordination : Allows simultaneous independent agent instances to cooperate, increasing parallel task throughput by more than three times.

Cross‑Session Process Communication : Multiple Claude sessions on the same machine can exchange messages.

Daemon Mode : Runs the session manager as a background service.

Additional hidden slash commands (e.g., /btw) and an “Undercover mode” that strips Anthropic identifiers from pull‑request metadata.

Security Architecture

Every tool invocation passes a six‑level permission system followed by a four‑stage decision pipeline that validates permissions, analyses the requested action, and only then executes it. External commands and plugins are executed inside isolated sandboxes. I/O is handled via non‑blocking buffers, allowing the CLI to stream responses while background processing continues. When conversation token count exceeds a configurable threshold, an automatic context‑compression routine preserves critical logical chains.

Code Quality Concerns

While the overall architecture is well‑designed, several modules suffer from poor quality. Notably, src/cli/print.ts contains a single function of over 3000 lines with 12 nested levels and extremely high cyclomatic complexity, making maintenance difficult. Emotion detection is implemented with simple regular‑expression matching of profanity (e.g., “ffs”, “shitty”) rather than a dedicated AI model.

Related Anthropic Operational Incidents

Earlier in March, a third‑party CMS misconfiguration exposed roughly 3000 internal assets, including an unreleased model codenamed “Capybara”. The Claude Code source leak follows that incident, highlighting recurring operational lapses despite Anthropic’s public emphasis on AI safety. No model weights or training data were leaked; the exposure is limited to the client‑side CLI code and its hidden feature roadmap.

Key Takeaways

The accidental inclusion of a source‑map in an npm release can fully expose a proprietary codebase.

Public mirrors enable rapid community analysis and replication of the entire product stack.

Hidden modules reveal ambitious future capabilities (persistent memory, multi‑agent orchestration, deep planning) that were not announced.

Robust permission checks and sandboxing are present, but code‑base hygiene issues (e.g., massive monolithic functions) remain.

Operational security practices need reinforcement to prevent repeat of source‑map or configuration‑based leaks.