Claude Code Source Code Leaked: 512,000 Lines Reveal the Future of AI Agents

On March 31, 2026, someone at Anthropic made a human error that exposed the best-kept secrets in the AI agent industry. A .map (sourcemap) file was accidentally included in a Claude Code npm package update. Within minutes, 512,000 lines of TypeScript were being downloaded, analyzed, and rewritten by the community.

It wasn't a hack. It wasn't a security breach. It was a .npmignore that didn't exclude a debug file. Bun, the runtime Claude Code uses, generates sourcemaps by default. Someone forgot to exclude it from the package. And with that, the entire source code of the world's most popular coding tool was exposed.

What exactly happened

Chaofan Shou, a security researcher, was the first to notice. He wrote a short script, downloaded the source code directly from Anthropic's R2 bucket, and posted the link on X. No credentials needed, no exploitation — the file was there, public, for anyone with curiosity and a terminal.

Boris Cherny, a Claude Code engineer at Anthropic, confirmed it was human error, not a tooling bug. His response was notable: "Mistakes happen. As a team, the important thing is to recognize it's never an individual's fault. It's the process, the culture, or the infra."

Anthropic patched the package quickly and started sending DMCAs to take down mirrors. But by then, the code was on GitHub, IPFS, and being rewritten in Python. The genie wasn't going back in the bottle.

The scale: 512,000 lines of code, ~1,900 files, the main component (main.tsx) at 785KB. This wasn't a prototype — it was the complete product.

KAIROS: the agent that runs 24/7 without being asked

The most important finding from the leak isn't a bug or a vulnerability — it's a feature Anthropic never announced. Hidden behind feature flags called PROACTIVE and KAIROS, the codebase contains a fully built autonomous agent mode.

KAIROS runs in the background, 24/7, without you asking. Every few seconds it receives a heartbeat prompt: "anything worth doing right now?" It evaluates what's happening and decides: act, or stay quiet. If it acts, it can fix errors, respond to messages, update files, run tasks. Everything Claude Code already does, just without you initiating it.

KAIROS's exclusive tools that regular Claude Code doesn't have:

• Push notifications — reaches you on your phone or desktop even when the terminal is closed

• File delivery — sends you things it created without being asked

• PR subscriptions — watches your GitHub and reacts to code changes on its own

Most interesting: KAIROS maintains append-only daily logs of everything it observes, decides, and does. It cannot erase its own history. At night it runs a process the code literally calls autoDream — consolidating what it learned during the day and reorganizing memory. Close your laptop Friday, open it Monday, KAIROS has been working the whole weekend.

If this sounds familiar, it's because OpenClaw already does exactly this. Heartbeats, proactive execution, persistent memory, daily logs, memory consolidation — it's all been in OpenClaw for months. The difference is that OpenClaw is open source and you can use it today. KAIROS is locked behind Anthropic's internal feature flags.

BUDDY: the AI Tamagotchi nobody expected

The finding that went most viral was BUDDY — a complete virtual pet system for Claude Code users. 18 species (duck, dragon, axolotl, capybara, mushroom, ghost...), rarity tiers from Common to Legendary (1% drop rate), shiny variants, 5 stats per buddy (DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK), and cosmetic hats.

The species is deterministically generated from a hash of the userId — you always get the same one. Claude writes the name and personality on first hatch. The buddy lives in a speech bubble next to the input box. According to internal comments in the code, it was an April Fools teaser planned for April 1-7, with full launch targeted for May 2026.

The architecture revealed

Beyond the hidden features, the leak revealed how Claude Code works internally. The most relevant technical findings:

• Fewer than 20 default tools (of 60+ available): BashTool, FileReadTool, FileEditTool, WebFetchTool, WebSearchTool, TodoWriteTool, among others

• 3-layer memory: MEMORY.md as index → topic files loaded on demand → full searchable session transcripts

• 5 types of context compaction for handling long conversations

• Subagents with fork-join using KV cache — sharing full context without duplicating tokens

• Anti-distillation: injecting fake tool definitions (fake_tools) into prompts to poison training data for competitors trying to copy behavior

• 44 hidden feature flags and 20+ unreleased features: background agents, multi-agent coordinator, cron scheduling, full voice mode, browser control via Playwright

The legal battle: clean-room in the AI era

The community response was immediate. The most popular fork, claw-code, was created by @realsigridjin, who cloned the code and rewrote it in Python from scratch using OpenAI's Codex to avoid legal issues. At the time of writing, it has 75,000+ GitHub stars.

The legal theory: an AI-made "clean-room" rewrite can't be touched by DMCA. But nobody has tested it in court. As Gergely Orosz put it: does Anthropic really want the PR battle of suing an open source project for rebuilding their own AI-written product?

Meanwhile, another developer uploaded a stripped version to IPFS with all telemetry removed, security guardrails eliminated, and experimental features unlocked. Whether DMCA can reach content on IPFS is another unanswered question. Anthropic has already sent DMCAs for direct clones, but the rewrites remain standing.

What this means for OpenClaw

The irony of the leak is that KAIROS — Anthropic's most important secret feature in development — describes something OpenClaw already offers as an open source product:

• Periodic heartbeats that evaluate whether there's something to do → OpenClaw has had HEARTBEAT.md since launch

• Persistent memory with daily logs and consolidation → memory/YYYY-MM-DD.md + MEMORY.md

• 24/7 execution without human intervention → this is literally OpenClaw's core

• Push notifications to multiple channels → WhatsApp, Telegram, Discord, Signal, iMessage

• Multi-agent with specialized agents → agents.list with bindings and routing

KAIROS is Anthropic's vision of what a proactive agent should be. OpenClaw is that vision already implemented, open source, and running on people's Mac Minis.

What this leak confirms about the future

The Claude Code leak isn't just a security incident. It's a window into Anthropic's roadmap, and it confirms three trends:

1. Proactive agents are the future. If Anthropic is building it, it's not a fad — it's the industry direction. AI stops being something you use and becomes something that works alongside you.

2. Persistent memory is non-negotiable. Claude Code's 3-layer system (index → topics → transcripts) is almost identical to OpenClaw's approach. Not a coincidence — it's convergence. Without memory, an agent is just an expensive chatbot.

3. Open source wins long-term. Anthropic invests millions keeping Claude Code closed, with anti-distillation, hidden sourcemaps, and DMCA takedowns. A forgotten file in a .npmignore brought it all down. Meanwhile, OpenClaw is open source by design — there are no secrets to protect because the value is in the community, not the code.

Related Content

• 📘 AI Agents in 2026: Complete Guide — Everything about proactive agents, memory, and the complete ecosystem

• 📘 Agentic Engineering: The Complete Framework — The patterns Claude Code uses internally and how to apply them

• 📝 From Vibe Coding to Agentic Engineering — The evolution that led to agents like Claude Code and KAIROS

• 📘 AI Agent Security: A Practical Guide — What this leak teaches about operational security