What we know so far: Anthropic is facing renewed scrutiny from the AI and security communities after internal source code for Claude Code – its fast-growing agentic development environment – was briefly made public via npm. The incident not only exposed how the tool works under the hood, but also coincided with a separate supply-chain compromise involving the popular Axios JavaScript library, raising concerns for teams that rely on Claude Code in production.
The exposure traces back to version 2.1.88 of the @anthropic-ai/claude-code package on npm, which was published with a 59.8MB JavaScript source map intended only for internal debugging.
The map file enables the reconstruction of roughly 512,000 lines of TypeScript code powering Claude Code's orchestration layer and CLI. Within hours of the release, mirrors of the reconstructed repository appeared on GitHub as developers began dissecting the codebase.
Anthropic confirmed the incident in an emailed statement, characterizing it as a packaging failure rather than a direct security breach: "Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again."
The leaked source map sheds light on the core challenges of long-running agentic workflows: context drift, reliability, and autonomous operation.
One of the most closely analyzed components is a layered memory system that departs from naïve "log everything and retrieve later" designs. A file called MEMORY.md serves as an index of pointers that remains in context, while actual project knowledge is split across topic-specific files that are retrieved only when needed.
Developers examining the code describe this as a "self-healing memory" approach, in which the agent keeps its index in sync with successful writes and treats its own memory as a fallible hint rather than ground truth – prompting it to re-verify against the live codebase before taking action.
Another recurring motif in the source is KAIROS, a feature flag referenced more than 150 times that underpins Claude Code's always-on "daemon" mode. Instead of waiting for explicit prompts, KAIROS-backed workflows allow the agent to continue operating in the background, consolidating memory and resolving contradictions while the user is idle.
Internal logic for an "autoDream" process shows the agent merging observations, pruning inconsistent states, and rewriting fuzzy notes into concrete assertions – all routed through a forked sub-agent to avoid contaminating the main reasoning thread.
The leak also revealed details about Anthropic's internal model roadmap and quality challenges. Codenames such as Capybara, Fennec, and Numbat appear to correspond to Claude 4.6-class variants and experiments, with comments noting that a current Capybara v8 iteration exhibits a false-claim rate in the high 20 percent range – worse than earlier versions.
Guardrails such as an "assertiveness counterweight" are built into the stack to rein in overconfident refactors and noisy diffs, suggesting that Anthropic is still actively balancing speed, verbosity, and factual accuracy at the agent layer.
Perhaps the most contentious discovery is an "Undercover Mode," in which Claude Code is configured to contribute to public open-source repositories without revealing its Anthropic origin. The system prompt warns: "You are operating UNDERCOVER… Your commit messages MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."
This implementation offers a ready-made pattern for organizations that want AI agents to interact with public infrastructure while concealing traces of internal tooling and model identifiers.
For users, the more immediate risk is not the code exposure itself, but how it intersects with a separate npm incident. During a brief window on March 31, 2026, attackers published two malicious Axios versions (1.14.1 and 0.30.4) that embedded a remote access trojan and could be pulled transitively by projects installing Claude Code from npm.
Security researchers advise scanning lockfiles for those versions or for the injected dependency, plain-crypto-js. Systems found to be running the compromised packages should be treated as fully compromised, with secrets rotated and operating systems reinstalled.
Anthropic is steering users toward its native installer – a standalone binary distributed via a curl-and-bash script – as the primary channel going forward, arguing that it avoids npm's volatile dependency graph and can automatically apply security fixes.
For those remaining on npm, the leaked 2.1.88 build should be removed, and installations should be pinned to a known-good version while the company ships patched releases.
At the same time, teams are being urged to harden their own practices: adopt a zero-trust approach when running Claude Code in unvetted repositories, manually inspect hooks and configuration files, rotate Anthropic API keys, and closely monitor usage telemetry for any signs of abuse now that the agent's orchestration logic is publicly accessible.
