Claude Code leaks 512K source-map lines and hidden KAIROS flags

• Anthropic’s npm package for Claude Code exposed an unminified source map, and multiple posts plus the Hacker News thread converged on the same basic scope: hundreds of thousands of lines of TypeScript and roughly 1,900 files were recoverable from the shipped artifact Matt Pocock linked leak post.
• The recovered client code appears to reveal product internals that normally stay server-side or undocumented, including references to an unreleased “Capybara” model, employee-only “undercover mode,” and other hidden feature flags discussed in community analysis TestingCatalog AILeaks thread.
• For engineers, the bigger lesson is packaging and observability: the HN discussion points to how much can be inferred from shipped agent clients, from anti-distillation mechanics to prompt-classification hooks, even without backend access.
• Early Hacker News speculation tied the leak to a Bun production sourcemap bug, but Claude Code creator Boris Cherny later said it was “not related to bun” and was “just developer error” early thread summary Cherny reply.

Matt Pocock’s initial post said a “big chunk of Claude Code’s source code” was exposed through an npm .map file, sizing it at “~512K lines of code” across “~1,900 files.” A later screenshot-based post from Wes Roth shows a cli.js.map file at 57MB and a populated src tree with files such as main.tsx, QueryEngine.ts, setup.ts, and tool, command, and component directories directory screenshot [img:2|57MB sourcemap].

That scope matters because this was not a tiny debug artifact. The HN thread frames it as a packaging failure that effectively shipped the CLI’s readable TypeScript to anyone pulling the npm package, while the linked leak post notes a direct downloadable archive circulated quickly. Separately, a repository linked from the original discussion claims to be a “clean-room” recreation built after the incident, underscoring how fast leaked client logic can be inspected and replicated clean-room repo.

The most concrete product signal is that community analysis found references to an unreleased “Capybara” model in Claude Code’s client, with TestingCatalog’s post tying it to “undercover mode.” Other posts go further, claiming strings such as “capybara-v2-fast” and even references to future Opus and Sonnet versions, but those details remain unconfirmed because they come from third-party screenshots rather than Anthropic model screenshot.

The HN discussion surfaces lower-level implementation details with clearer engineering relevance. One commenter says an ANTI_DISTILLATION_CC path injects anti_distillation: ['fake_tools'] into requests so the server can slip decoy tool definitions into the system prompt, a rare public look at one way an agent vendor may try to resist prompt or toolset extraction. The same thread also points to prompt-sentiment handling, and Rahat’s regex post says Claude Code detects phrases like “wtf” or “this sucks” and logs an is_negative: true analytic flag rather than changing runtime behavior. Boris Cherny later confirmed that signal exists, saying the team uses it on a dashboard they call the “fucks” chart Cherny on dashboard.

Community threads also enumerate hidden modes including “Coordinator Mode,” “Auto Mode,” and “Kairos,” described as an “autonomous daemon mode with background sessions and memory consolidation,” but those claims come from secondary reading of the leak rather than official documentation, so they are best treated as reported feature flags, not shipped capabilities AILeaks thread follow-up post.

The postmortem signal changed over the day. Early discussion on Hacker News proposed a Bun production sourcemap issue, with one commenter saying Claude Code may have been built “expecting it not to output source maps, but it is” early thread summary. Cherny later directly contradicted that theory, writing that it was “not related to bun” and was “just developer error” Cherny reply.

For AI engineers, the lasting takeaway is how much operational detail lives in the client. The HN thread called it a case study in “how an AI coding tool is packaged and protected,” because the exposed code appears to include permissioning logic, hidden employee paths, analytics hooks, and anti-distillation controls. Even without backend weights or server code, a shipped agent client can reveal architecture, eval assumptions, and product-roadmap hints that competitors and auditors can inspect immediately.