What the Claude Code Source Leak Reveals About Anthropic’s Upcoming “Kairos” AI Assistant

Incident Overview

On March 31, 2026, security researcher Chaofan Shou discovered that Anthropic’s npm package for Claude Code unintentionally included a full source‑map file ( cli.js.map, 59 MB). The map exposed the complete TypeScript codebase—1,900 files and roughly 512,000 lines—to the public.

Anthropic removed the map after the discovery, but the code had already been archived on GitHub, gaining over 1,100 stars and 1,900 forks.

Core Architecture Exposed

Tool system : more than 40 utilities (file operations, shell execution, web access, etc.) totaling about 29 k lines.

Query engine : handles LLM API calls, streaming, task orchestration (≈46 k lines).

Multi‑agent coordination : parallel task handling (size not disclosed).

IDE bridge : integration with VS Code, JetBrains (size not disclosed).

Kairos assistant mode : a 24/7 AI assistant (size not disclosed).

Other core systems : configuration, authentication, authorization, logging (remaining code).

Technology stack: Bun runtime (instead of Node.js), React + Ink for terminal UI, Zod v4 for validation, and about 50 slash commands.

Security and Permission Model

Four‑level permission modes: default (interactive), auto (ML‑based), bypass, yolo (“reject all”).

Risk grading per tool: LOW / MEDIUM / HIGH.

YOLO classifier: a lightweight ML model that decides whether to allow an operation.

Path‑traversal protection: URL‑encoding, Unicode normalization, backslash injection handling.

Protected files such as .gitconfig, .bashrc, .zshrc cannot be edited automatically.

Kairos Mode – The “Jarvis” Assistant

Kairos is described as a “7 × 24 hour online all‑purpose AI assistant” that turns Claude Code from a programming tool into a continuous intelligent operating system.

Key capabilities :

Continuous monitoring and proactive actions, logging observations, decisions, and actions. Any proactive action is limited to 15 seconds; longer operations are deferred.

“Brief” output mode that only speaks when it has valuable information.

Exclusive tools such as SendUserFile (push files to the user), PushNotification (send device notifications), and SubscribePR (monitor pull‑request activity).

GitHub webhook integration via the KAIROS_GITHUB_WEBHOOKS switch.

Scheduled check‑in skills that allow sessions to be persisted and resumed.

Other Unreleased Features

Dream system : background “autoDream” engine that runs a four‑phase memory integration (locate, collect, integrate, prune) with gate conditions (time ≥ 24 h, session ≥ 5, lock acquisition).

ULTRAPLAN : a remote Cloud Container runs Opus 4.6 for up to 30 minutes to solve complex tasks; results are streamed to the browser and can be approved to return to the local terminal.

Buddy pet system : a Tamagotchi‑style electronic pet with 18 species, rarity tiers, and attributes (debug, patience, chaos, wisdom, sarcasm); launch expected May 2026.

Undercover Mode : when Anthropic staff use Claude Code in public repos, the tool injects a system prompt that forbids leaking internal model names, version numbers, project names, or even the “Claude Code” identifier.

Penguin Mode : fast‑mode API endpoint /api/claude_code_penguin_mode.

Internal model code‑names history: Fennec → Opus, Tengu → Claude Code, Capybara → another internal name.

Impact Assessment

Competitive advantage : rivals can dissect the architecture and product design, shortening their catch‑up time.

Company image : the incident exposes immature release‑process and supply‑chain security practices.

Business outlook : Claude Code accounts for about 18 % of Anthropic’s revenue; the leak could affect its IPO plans.

Unreleased functionality : Kairos, ULTRAPLAN and other flagship features are now publicly known.

Developer community : the 512 k lines of high‑quality TypeScript become a learning resource; the architecture (multi‑agent coordination, memory system, permission model) is likely to be studied, but using it may breach Anthropic’s terms of service.

Recommendations

For Claude Code users: update via the official npm channel ( npm install -g @anthropic-ai/claude-code), avoid downloading the leaked GitHub version, and audit the .claude/ configuration for unexpected hooks.

For open‑source maintainers: be aware that Anthropic staff may submit PRs using Claude Code; those PRs will not be marked as AI‑generated because of Undercover Mode. Enable CI checks and code review.

For npm package maintainers: use npm pack --dry-run to preview publish contents, whitelist files via the files field in package.json instead of relying on .npmignore, and add CI checks to prevent accidental publishing of .map files.

Conclusion

The leak was a low‑level mistake that caused a high‑impact security breach, but Anthropic’s core moat—its large language model, cloud infrastructure, brand trust, and enterprise‑grade services—remains intact. The exposed code shows a vision where AI assistants act proactively (Kairos), reflect on their memory (Dream), coordinate multiple agents, and even control the user’s computer, essentially becoming a “Jarvis‑like” system.