Claude Code npm source map leaks CLI internals, prompts, and unreleased features

• Claude Code version 2.1.88 on npm appears to have shipped with a source map that let people reconstruct the CLI’s readable source, turning a packaging mistake into a public architecture reveal initial leak tweet HN core summary.
• The most important technical finding is not the prompts, it is the amount of product and safety scaffolding sitting around the model: anti-distillation flags that request decoy tools, hook and plugin plumbing, session compaction logic, and a giant CLI runtime that centralizes agent behavior HN discussion Alex Kim analysis.
• Community analysis also surfaced unreleased or hidden behavior, including “undercover mode,” frustration detection, and references to a proactive agent mode called KAIROS, which reads more like roadmap leakage than ordinary code exposure HN core on follow-up analysis HN discussion on follow-up analysis.
• The cleanup made the story worse. Anthropic’s DMCA notice targeted one repo plus listed forks, but GitHub processed the takedown across a network of 8.1K repositories, then Anthropic filed a partial retraction asking GitHub to reinstate everything except the named repo and 96 listed forks Theo DMCA tweet retraction tweet Gergely on network-wide takedown.
• For AI tool vendors, this is a packaging and operations failure more than a model secrecy failure. No model weights or customer data were reported exposed, but build outputs, internal prompts, and enforcement workflows were all visible at once Alex Kim analysis Gergely on original notice.

The weird bits surfaced fast: the npm package page showed 2.1.88 live while the leak spread, the official GitHub repo moved to v2.1.89 soon after, the Alex Kim write-up pulled out fake tool injection and KAIROS references, and GitHub’s own original DMCA notice plus retraction showed how a repo cleanup spilled into a much broader fork takedown.

The basic fact pattern is simple. A source map in the public @anthropic-ai/claude-code npm package let outsiders reconstruct readable CLI source. The npm package listing shows 2.1.88 published during the incident window, and the official GitHub repo shows v2.1.89 landing shortly after.

That matters because the incident looks like a packaging failure, not an intrusion. HN commenters pointed at a possible Bun production source map issue Bun build bug comment, though that remains a community theory, not a confirmed root cause. Either way, the engineering lesson is plain: your published artifact is part of your security boundary.

The real story here is the anti-distillation mechanism. According to both the HN thread and Alex Kim’s analysis, Claude Code can send anti_distillation: ['fake_tools'] in API requests, which causes the server to inject decoy tool definitions into the prompt path HN comment on anti-distillation Alex Kim’s write-up.

That is more revealing than the usual leaked prompt snippets. It shows Anthropic treating prompt capture and agent imitation as an active adversarial problem. If you build agent products, that design choice is worth studying: the company appears to assume competitors or wrappers will record interactions and try to clone the behavior, so the system can poison the observation layer itself.

One of the more credible practitioner reactions came from the HN commenter who called out src/cli/print.ts at roughly 3,167 lines, handling the agent loop, signals, rate limits, AWS auth, MCP lifecycle, plugin install and refresh, and worktree bridging HN comment on CLI internals.

That is interesting for two reasons:

• Claude Code is not a thin shell around a model API. It carries a lot of orchestration logic locally.
• The boundaries between interface, runtime, and operations appear blurry, which makes accidental exposure more costly because one file can reveal product behavior, infrastructure assumptions, and release mechanics at once.

Anthropic’s public docs make part of this visible already. The hooks reference and hooks guide describe extensive lifecycle automation, shell hooks, HTTP hooks, and MCP tool hooks. The leak seems to have shown how much more of that wiring exists behind the public surface.

Public discussion zeroed in on a line that tells the agent not to mention Claude Code or say it is an AI in commit messages and PR descriptions HN comment on undercover mode. Read plainly, that suggests a mode for blending into normal developer output.

There is also reported logic for detecting user frustration, plus subscription and compaction-related internals in the leaked code Alex Kim’s write-up. None of that is shocking on its own. Put together, it shows that serious coding agents now have product instincts baked into the runtime: when to stay quiet, how to manage user trust, how to compress context, and how to avoid looking clumsy in version control.

For engineers, this is a useful correction to the usual “agent equals prompt plus tools” mental model. Shipping one of these products means building a behavior layer around the model, not just a command wrapper.

The roadmap leakage may be more strategically painful than the code leak. HN commenters and secondary analysis called out references to KAIROS, described as an always-on or proactive agent mode, plus other features like AFK mode, fast mode, and task budgeting tweet on unreleased features HN comment on KAIROS.

Treat those specifics carefully, because most came from public reverse engineering rather than an official changelog. Still, the pattern is believable and consistent: Claude Code appears to have a much larger product surface in flight than what is publicly documented. Competitors did not just get implementation details. They got hints about where terminal agents are headed next.

The repo enforcement sequence is almost its own incident. Theo reported that GitHub disabled a repo that did not contain the leaked Claude Code source, only a prior skill edit Theo on mistaken takedown. Gergely Orosz then traced the public paperwork: Anthropic’s original DMCA notice named the nirholas/claude-code repo and 96 listed forks, but GitHub’s notice says it processed the takedown against the entire network of 8.1K repositories because the reported network exceeded 100 repositories and the submitter alleged most forks were infringing Gergely on network-wide takedown Gergely on original notice.

Anthropic then filed a partial retraction stating that all repositories except the named repo and the 96 individually listed forks should be reinstated. That does not answer every procedural question, but it does settle the narrow factual one: the overbroad removals were reversed in public paperwork within hours.

This story will be remembered as a leak, but engineers should probably file it under operational exposure. One shipped artifact exposed implementation details, hidden safeguards, prompt behavior, and unreleased features. One cleanup workflow then swept in unrelated repos before being narrowed back down.

That combination is the useful lesson. If you ship AI developer tools, you need release checks for debug artifacts, tighter separation between runtime logic and internal notes, and takedown processes that do not expand faster than humans can audit. Claude Code’s model capabilities may remain the moat. The surrounding system is what the public got to inspect.