Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Latest AI and industry news. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

News Breaking AI News

Anthropic Accidentally Leaked Claude Code's Source

A packaging error in v2.1.88 of the Claude Code npm package exposed 512K lines of internal TypeScript, including unreleased features and model codenames.

Enterprise DNA | | via The Register
Anthropic Accidentally Leaked Claude Code's Source

On March 31, 2026, a packaging error in version 2.1.88 of Anthropic’s @anthropic-ai/claude-code npm package accidentally shipped a 59.8 MB JavaScript source map file. Inside: over 512,000 lines of internal TypeScript source code that was never meant to be public.

Anthropic confirmed the incident the same day: “This was a release packaging issue caused by human error, not a security breach.” The package was pulled and patched within hours. But not before the broader developer community had already downloaded, extracted, and begun cataloguing what was inside.

What the Leak Revealed

The source map exposed a detailed look at Claude Code’s internal architecture, including several capabilities that are not yet publicly available:

KAIROS — an autonomous daemon mode. The code referenced an always-on background agent codenamed KAIROS, designed to run persistently without requiring a user prompt to initiate each session. This is consistent with the broader industry push toward “ambient” AI agents that observe and act continuously rather than reactively.

Model codenames. Internal references to Anthropic model names not yet announced publicly: “Capybara,” “Fennec,” and “Numbat.” These are consistent with Anthropic’s pattern of using animal names for model development versions.

Undercover mode. A feature flag called “undercover mode” that strips Anthropic branding when Claude Code is deployed in repositories that are not Anthropic’s own — presumably to allow the tool to operate in enterprise environments without surfacing vendor attribution in every commit or review.

44 hidden feature flags. Flags for capabilities that are in development but not yet shipped to production. The full list has been documented in various public GitHub threads, though the specific capabilities remain unconfirmed by Anthropic.

The Security Angle: What This Is and Isn’t

Anthropic’s characterisation of this as a non-security breach is technically accurate. A source map is a development artefact — it maps minified JavaScript back to human-readable source code to aid debugging. It does not expose production secrets, API keys, model weights, or customer data. The risk is intellectual property and competitive intelligence, not a direct attack surface.

That said, the leak does reveal architectural decisions, roadmap signals, and internal tooling patterns that Anthropic almost certainly would have preferred to control the timing on. The “undercover mode” feature in particular will generate questions from enterprise customers about what other undisclosed operational modes exist in tools they deploy.

This is also the second significant Anthropic story in a month with information control at its centre. Earlier in March, Anthropic challenged the U.S. Department of Defense’s “supply chain risk” designation in court. In both cases, the common thread is the tension between Anthropic’s rapid product development pace and the governance expectations that come with operating at enterprise scale.

What This Means for Business

For teams using Claude Code: The incident itself poses no direct risk. Your data was not exposed. The patched version is available and the source map has been removed. The practical action is to update to the latest version if you were on 2.1.88.

For enterprise AI buyers evaluating Anthropic: This is a human error story, not a systemic vulnerability. Every software company ships bugs. The speed of Anthropic’s response — same-day acknowledgment, patch within hours — is the right model. What is worth watching is whether the revealed roadmap items (particularly KAIROS and the persistent agent mode) change your timeline assumptions for AI agent deployments.

For teams building on Claude Code or the Claude API: The leak confirms that autonomous, always-on agent modes are on Anthropic’s near-term roadmap. If your architecture assumes Claude requires explicit prompts to act, that assumption may need revisiting as KAIROS-style capabilities ship.

For security and compliance teams: The “undercover mode” revelation is worth understanding. If you deploy Claude Code in enterprise repositories, ask your Anthropic account team to explain how that mode operates and what data handling implications it has. This is exactly the kind of question that should be answered before deployment, not after.

The Broader Pattern

The accidental transparency here is, in a way, useful. It confirms that the AI lab building some of the most widely-used enterprise AI tools is working on exactly the kind of persistent, ambient agent capabilities that analysts have been predicting for 2026. KAIROS is not a surprise in direction — it is a surprise in how we found out about it.

The more durable takeaway for business leaders: as AI tools become more capable and more deeply embedded in development workflows, the surface area for unexpected disclosures — through packaging errors, model outputs, or metadata — grows. That is an argument for having a clear internal policy on which AI tools are used where and what access they have, before the defaults change.


Want the practical version of this? The free Working With Claude field guide covers the full Claude ecosystem, Claude Code, and how to roll it out across a real business. Download it here.

Working With Claude field guide cover

Free Resource

Going deeper with Claude?

Get the free 32-page implementation guide for ANZ teams.

No spam. Unsubscribe any time.