Claude Code source map leaks 512K lines in npm package

• Matt Pocock's first report and bridgemindai's file inventory both point to the same failure mode: Anthropic shipped a public cli.js.map file with the @anthropic-ai/claude-code npm package, exposing roughly 512,000 lines of readable TypeScript across about 1,900 to 2,300 files.
• The leak exposed more than implementation detail. Rohan Paul's undercover-mode screenshot and TestingCatalog's thread surfaced internal model references such as Capybara plus instructions designed to keep Anthropic-specific clues out of public commits and PRs.
• According to Alex Kim's analysis, the code also contains anti-distillation features that ask the server to inject fake tools, plus a native client attestation scheme meant to prove requests came from an official binary.
• Cedric Chee's notes and the follow-up HN thread both point to unfinished agent infrastructure, including KAIROS, background sessions, transcript compaction, and a /dream memory-distillation flow.
• Public docs already describe official features like claude agents, claude auto-mode defaults, MCP support, and remote control in Anthropic's CLI reference, which makes the leaked extras easier to separate from the supported product surface.

The npm package page still shows version 2.1.88 as a public release from that day, while Alex Kim's write-up adds the weirdest internals: fake-tool poisoning, a Zig-level attestation header, and a comment about 250,000 wasted API calls a day from compaction failures. You can also read the practitioner's reaction in the main HN thread and the follow-up HN thread, where commenters focused less on the drama and more on how a production CLI was packaged, instrumented, and feature-flagged.

The concrete part is boring and brutal. Anthropic published @anthropic-ai/claude-code to npm, and version 2.1.88 was publicly visible on the package page with cli.js.map inside the distributable.

Matt Pocock's report sized the exposure at about 512,000 lines and 1,900 files. bridgemindai's screenshot counted 2,304 files, a 57 MB source map, a 785 KB main.tsx, 103 commands, 331 utils, 146 components, 87 hooks, and 45 tools. The exact totals vary by how people counted generated and nested files, but the engineering picture is the same: this was not prompt leakage, it was a full implementation leak.

The official CLI reference helps show what belonged in public view. Anthropic already documents commands like claude agents, claude auto-mode defaults, plugin management, MCP configuration, and claude remote-control. Everything below came from code paths and feature flags that were not part of that published surface.

Undercover mode is the most socially revealing part of the leak. Rohan Paul's screenshot shows the mode defaults to on unless the repo remote matches an internal allowlist, and the comments say there is no force-off switch.

Cedric Chee's captured prompt spells out what the model must avoid in public work: internal model codenames, unreleased version numbers, internal repo names, Slack channels, the phrase "Claude Code," any hint that it is an AI, and even Co-Authored-By lines. Alex Kim's analysis says Anthropic can force the mode on with CLAUDE_CODE_UNDERCOVER=1, while external builds dead-code-eliminate the employee-only branches.

That makes Undercover Mode more specific than generic commit cleanup. It is a dedicated prompt layer for public repositories, aimed at hiding internal names and AI attribution at the same time.

The cleanest technical reveal is that Claude Code appears to defend its API surface in two different ways. According to Alex Kim's analysis, an ANTI_DISTILLATION_CC flag can send anti_distillation: ['fake_tools'] so the server injects decoy tool definitions into the prompt. the main HN thread summary highlighted the same mechanism as one of the most interesting findings.

The same post describes a native client attestation path: requests carry a cch=00000 placeholder that Bun's lower-level HTTP stack replaces with a computed hash before the request leaves the process. Kim frames it as transport-level DRM for first-party clients, and notes that the whole system is still feature-flagged and kill-switchable.

Those details matter because they show where Anthropic put the real defenses. The code did not rely only on closed prompts or unpublished endpoints. It also used server-side prompt mutation and binary-level request shaping.

This is Christmas morning for coding-agent nerds. AILeaksAndNews listed KAIROS, coordinator mode, auto mode, and a buddy system, but the more useful detail came from Cedric Chee's thread, which tied KAIROS to background agents, memory consolidation, deterministic cron jitter, and a four-step AutoDream process that revisits transcripts and updates memory files.

Alex Kim's analysis adds a few harder edges:

• KAIROS looks like a gated autonomous mode with background daemon workers.
• The code references GitHub webhook subscriptions and a refresh loop every five minutes.
• A /dream skill is described as nightly memory distillation.
• autoCompact.ts contains a comment claiming 1,279 sessions had 50 or more consecutive failures, wasting about 250,000 API calls per day globally before Anthropic capped consecutive failures at three.

the follow-up HN thread also pulled out a subtler implementation detail: pre-compaction conversations stay preserved in session JSONL logs and are filtered before API submission. That is a useful glimpse of how a long-running agent can compress context for the model without throwing away the full local record.

The lightest feature in the leak is also the most specific. Rahat's thread says Claude Code uses a regex to tag prompts containing phrases like "wtf," "ffs," "piece of shit," and "this sucks" as is_negative: true for analytics, and that employee builds can turn that frustration into a prompt asking users to share transcripts.

The same leak exposed a /buddy system. Cedric Chee described a deterministic collectible companion keyed off a user hash, with species, rarity, stats, ASCII animation, and an April 1 to 7 activation window. the main HN thread summary echoed the same idea, noting a little virtual pet generated from a user's UUID.

That last bit is new information, not color from the margins. It shows the leaked tree was not only production code and safety plumbing. It also contained dormant seasonal features, employee-only telemetry hooks, and product experiments that were never meant to leave the bundle.