Hidden KAIROS AI Agent Revealed In Anthropic Accidental Code Leak
On March 31, 2026, a misplaced debug file in a routine npm update exposed 512,000 lines of Claude Code's internal source, handing competitors a detailed product roadmap just as the company prepares for an IPO.
On the morning of March 31, 2026, a single misplaced debug file inside a routine software update handed the entire developer community a complete look at Anthropic’s most valuable product.
Security researcher Chaofan Shou, an intern at Solayer Labs, found that version 2.1.88 of the @anthropic-ai/claude-code npm package included a 59.8 MB JavaScript source map, a debugging file that maps the shipped, compressed code back to readable TypeScript.
Reports noted that the file was linked to a zip archive stored on the company’s Cloudflare R2 bucket, accessible to anyone with the link. Nobody had to hack anything. The file was just there.
How Claude Code’s npm Package Exposed Itself
The leak exposed 512,000 lines of TypeScript across about 1,900 files. This revealed the full internal architecture of Claude Code, including its LLM API workflow-control mechanism, multi-agent coordination, OAuth 2.0 authentication flows, permission systems, and tool-execution pipeline.
CNBC confirmed Anthropic’s response: the release included internal source code, but no customer data or credentials were exposed, and the issue was caused by human error, not a breach.
Reports noted that the cause was a common developer mistake: a source map file that is normally kept internal for debugging was accidentally bundled into the public release.
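A release check for this class of mistake can run over the files about to be published. The sketch below is an added example, not Anthropic's code or build pipeline; the function name `auditPackageFiles`, the finding labels and the sample package are all constructed for illustration.

```javascript
// Added example: flag source maps in the set of files about to be published.
// `files` maps relative path -> file text (a stand-in for a tarball's contents).
const MAP_COMMENT = /\/[\/*]#\s*sourceMappingURL=(\S+)/g;

function auditPackageFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      let embeddedSources = 0;
      try {
        // sourcesContent, when present, carries the original files verbatim.
        const map = JSON.parse(text);
        embeddedSources = (map.sourcesContent || [])
          .filter((s) => typeof s === "string").length;
      } catch (_) { /* unparseable map: still report the file itself */ }
      findings.push({ path, issue: "source-map-file", embeddedSources });
      continue;
    }
    if (!/\.[cm]?js$/.test(path)) continue;
    // A map can also hide inside a JS file, or be referenced by URL.
    for (const m of text.matchAll(MAP_COMMENT)) {
      const target = m[1];
      const issue = target.startsWith("data:") ? "inline-source-map"
        : /^https?:\/\//.test(target) ? "remote-source-map-reference"
        : "source-map-reference";
      findings.push({ path, issue, target: target.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample package, not taken from any real release.
const samplePackage = {
  "package.json": '{"name":"example-cli","version":"1.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3, file: "cli.js", sources: ["src/cli.ts"],
    sourcesContent: ['console.log("hi" as string);'], mappings: "AAAA",
  }),
  "lib/util.js": "exports.noop = () => {};\n",
};

const findings = auditPackageFiles(samplePackage);
console.log(findings);
```

In a pipeline, the file set would come from the packed tarball itself, and any finding would fail the release step before publishing.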

Chaofan Shou shared the download link on X, where it quickly spread, reaching millions of views on the social platform. By the time the package was removed, the code had already been copied across GitHub, with over 41,500 forks, and archived on platforms resistant to DMCA takedowns.
What KAIROS and 44 Feature Flags Revealed
The Verge reported that beyond the exposed architecture, developers uncovered something even more significant: a complete forward-looking product roadmap. The code included 44 feature flags for capabilities that are fully built but not yet publicly released.
The most prominent, referenced over 150 times, is KAIROS, an always-on background system that keeps Claude Code running when a user is idle, helping it remember past work, resolve conflicts, and turn unclear details into reliable facts.
The leak revealed several hidden features not yet public, including COORDINATOR MODE, which runs multiple worker agents simultaneously, and ULTRAPLAN, which supports 30-minute remote project planning sessions.
It also includes VOICE MODE, letting users interact via speech. BUDDY is a companion pet system with 18 species, each with stats like DEBUGGING, PATIENCE, and CHAOS.
Developers also found “Undercover Mode,” which instructs Claude to remove references to internal Anthropic model names and AI attribution from public git commits, keeping codenames out of open logs.
Why This Is Anthropic’s Worst Month
The Claude Code leak is not an isolated incident; it is Anthropic’s second major data exposure in five days.
Just before this leak, Fortune reported that nearly 3,000 internal files were accidentally left public, including a draft blog post about an upcoming AI model known internally as “Mythos” and “Capybara,” which Anthropic has not yet announced.
The first leak occurred shortly after Anthropic gained a brief win over the Pentagon, highlighting the timing of these exposures. These back-to-back incidents come as the company prepares for an IPO, when operational credibility and IP security are under close investor scrutiny.
Adding to the pressure, VentureBeat reported a concurrent, unrelated supply chain attack on the axios npm package between 00:21 and 03:29 UTC on March 31, which introduced a Remote Access Trojan into installations during that window.
Developers who updated Claude Code via npm during that window are advised to check for axios versions 1.14.1 or 0.30.4 and rotate credentials immediately.
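The version check can be run against a project's lockfile, including copies of axios pulled in transitively. This is an added example, not code from any of the cited reports; `findFlagged` and both sample lockfiles are constructed, and the only values taken from the article are the two axios versions.

```javascript
// Added example: find lockfile entries matching the axios versions named above.
// A Map avoids prototype-key surprises for packages with names like "constructor".
const FLAGGED = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);
const isFlagged = (name, version) => Boolean(FLAGGED.get(name)?.has(version));

function findFlagged(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // meta.name is set for aliased installs; otherwise derive it from the path.
    const name = meta.name || path.split("node_modules/").pop();
    if (isFlagged(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail.concat(name).join(" > ");
      if (isFlagged(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile fragments. A real run would pass the parsed
// contents of package-lock.json instead.
const sampleLockV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/http-alias": { name: "axios", version: "0.30.4" },
  },
};
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    "legacy-client": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
  },
};

console.log(findFlagged(sampleLockV3));
console.log(findFlagged(sampleLockV1));
```

A lockfile records what is pinned now, so a clean result does not show what a machine resolved during the window if dependencies were reinstalled or the lockfile regenerated since.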
Who This Actually Affects And Why It Cannot Be Undone
As Axios reported, the leak gives every competitor, from OpenAI’s Codex to Cursor to Google’s coding tools powered by Gemini, a detailed blueprint for building a production-grade AI coding agent.
Claude Code generates an estimated $2.5 billion in annual recurring revenue, with 80% from enterprise clients who pay partly for the belief that the technology is proprietary and secure. That trust was shaken on Tuesday morning.
Reports noted Anthropic has ‘once again’ shipped source maps in a Claude Code npm release, with similar incidents in February 2025, showing a recurring failure in Anthropic’s build pipeline.
DMCA takedowns can remove files on regular platforms, but one copy has already been uploaded to a decentralized git platform where it cannot be removed.
What’s Next For Anthropic’s Code Security
Anthropic confirmed it is rolling out measures to prevent the leak from happening again, though it has not specified what those measures are or when they will take effect.
As TechCrunch noted, the company has simultaneously been aggressively protecting Claude Code’s IP in other contexts, issuing legal threats to third-party developers who reverse-engineered the tool and blocking unauthorized Claude implementations.
This makes the irony of accidentally publishing the full source to the public npm registry even sharper. The code can be rewritten or secured. The strategic advantage, however, cannot be taken back.



