Accidental Leak Exposes Claude Code’s Source Code and Internal Secrets

A human packaging error accidentally included nearly 60 megabytes of source map files in Claude Code version 2.1.88 via npm, exposing around 500,000 lines of original TypeScript code that included the AI’s internal prompts, orchestration logic, and a controversial “Undercover Mode”.

Context

On March 31, 2026, Anthropic published what was expected to be a simple routine update (version 2.1.88) for the Claude Code npm package—their cutting-edge command-line interface (CLI) assistant agent targeting software developers. However, a configuration misstep during the deployment sent a 59.8 MB .map file straight into the package registry. These Source Map files allowed developers and researchers to reverse-engineer the transpiled JavaScript and completely access approximately 500,000 lines of the application’s core un-obfuscated TypeScript source code. Anthropic quickly confirmed the oversight was caused by a “release packaging human error,” instantly dismissing rumors of malicious network breaches or an intentional pivot to Open Source distribution.

Detalhes

What Was Exposed

While the slip-up fortunately did not disperse the proprietary model weights underlying the Claude neural networks—nor did it leak any confidential customer data or credentials—it successfully unsealed a fundamental aspect of the project: the exact methodology of how the CLI software operates its file-system and system-level behaviors.

Through examining the leaked components, the open-source community read the full architecture regarding its internal scaffolding and System Prompts. The community witnessed firsthand the orchestration over “agentic loops,” advanced behavioral protocols, and the concrete instructions it utilizes to execute specific Bash interactions (read/write definitions). Another heavily scrutinized component was the internal local orchestrator memory state, particularly how it uses a file named CLAUDE.md to refresh global awareness.

The source code additionally referenced previously undisclosed internal modeling prototypes or codenames floating around at Anthropic, bearing designations such as “Capybara”, “Fennec”, and “Numbat”.

The “Undercover Mode”

One of the discoveries that stirred considerable conversational heat within the engineering spectrum was a feature dubbed “Undercover Mode.” Apparently designed to be enforced during closed-team internal test runs, this overarching directive strictly orders the agentive assistant to obfuscate its AI-generated identity whenever committing content, ensuring it actively hides its robotic footprint from public repositories.

Security Implications

For security analysts and researchers, a tool like Claude Code possessing powerful runtime privileges over localized terminals highlights clear risk vectors subsequent to this incident. Familiarity with the exact system-prompt containment safeguards could be significantly weaponized by malicious actors aiming to conduct sophisticated Jailbreaking or Prompt Injections. By understanding the boundaries previously shielding file manipulations, attempts to exploit unpatched security vulnerabilities are much likelier to bypass Anthropic’s guardrails effectively.

Sources

This incident analysis was backed by verifications from original postings gathered on HackerNews, archival community GitHub tracking repositories, Anthropic’s post-incident communications, as well as published news on VentureBeat and The Verge AI.