Claude Code's Source Leak: 44 Unshipped Features Exposed
Claude Code, Anthropic's AI-powered coding assistant, accidentally leaked its entire internal source code on March 31, 2026 — and what the 512,000 lines of TypeScript revealed changes how we understand the near-term future of AI development tools.
The leak happened when Anthropic included a 59.8 MB source map file (cli.js.map) in version 2.1.88 of its npm package. Source maps link compiled JavaScript to original source files — and this one embedded the full contents of nearly 2,000 internal files. Security researcher Chaofan Shou spotted it first and posted publicly on X. Within hours, the code had spread across GitHub, Anthropic was issuing DMCA takedown notices, and developers everywhere were cataloging what they'd found.
Anthropic confirmed the incident was "a release packaging issue caused by human error, not a security breach," and stated that no sensitive customer data or credentials were exposed. The source map was available for roughly three hours — from approximately 00:21 to 03:29 UTC — before the package was pulled.
What's inside is remarkable.
44 Hidden Features: What the Leaked Code Reveals
The source revealed 44 hidden feature flags and approximately 50 unreleased commands. Here's what developers found:
Persistent Background Agents — "Proactive mode" enables Claude Code to run autonomously 24/7, working while you're away. A companion "Dream mode" lets Claude continuously think in the background, develop ideas, and tackle problems between your sessions. These aren't mockups — they're fully implemented and feature-flagged.
Multi-Agent Orchestration — The source contains architecture for "worker Claudes" — sub-agents operating under a coordinating Claude Code instance. Native multi-agent development assistance, with coordination, state management, and task delegation built in.
Native Browser Control — Integration with Microsoft's Playwright framework for automated browser interaction was found in the source. This enables Claude Code to handle UI testing, web research, and browser-based workflows without leaving your terminal.
Cron Scheduling with Webhooks — Agents can be scheduled on timers with external webhook callbacks, enabling Claude Code to trigger pipeline jobs, integrate with CI/CD systems, and push notifications to external services automatically.
Voice Command Mode — A full voice CLI was found in the source, enabling verbal control of Claude Code. Combined with persistent background agents, this points toward ambient AI presence in the development environment.
Cross-Project Session Memory — Architecture for persistent memory spanning multiple projects and sessions — allowing Claude Code to remember context, decisions, and patterns across different codebases over time.
"Buddy" — The AI Pet — The most unexpected discovery: a fully implemented Tamagotchi-style companion pet system. Buddy comes with 18 species, rarity tiers from common to legendary (1% chance for "shiny" variants), and procedurally generated stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK. Claude Code generates a unique name and "soul description" at first hatch. The source referenced an April 1–7 "teaser window" with a full launch in May 2026 — suggesting a deliberate April Fools rollout, or simply very convenient timing.
Internal Model Codenames Exposed
Beyond features, the leak revealed internal naming conventions for unreleased models:
- Capybara — A Claude 4.6 variant. Internal comments showed iteration on Capybara v8, with a false claims rate of 29–30% (compared to 16.7% in an earlier version), indicating active accuracy work.
- Fennec — Maps to Claude Opus 4.6.
- Numbat — An unreleased model still under testing, not yet publicly announced.
This is the clearest public view into Anthropic's model development pipeline to date. According to analysis cited by VentureBeat and BleepingComputer on March 31, 2026, the Capybara accuracy metrics show Anthropic is actively tackling false-claims reduction — a known limitation of current-generation Claude models.
Context on Scale: Revenue and Adoption
Anthropic's annualized revenue reached approximately $14 billion as of February 2026, according to SaaStr, with projected growth to $18 billion for 2026. Claude Code has been a significant driver since its public launch in May 2025.
The scope of what's built and waiting to ship — persistent agents, multi-agent orchestration, voice control, cron scheduling, cross-project memory — isn't a collection of experiments. These are production-ready features behind feature flags. The question isn't whether they're coming; it's when Anthropic chooses to release them.
Security Implications for Developers
For developers who updated Claude Code between midnight and 3:29 AM UTC on March 31, 2026, here's what to know:
Anthropic confirmed no credentials were in the source map. The risk was competitive IP exposure, not user security. However, security researchers highlighted two concerns:
1. Concurrent npm supply chain attack. Within hours of the Claude Code leak, a separate attack compromised the axios npm package (versions 1.14.1 and 0.30.4). A hidden malicious dependency installed a cross-platform RAT capable of stealing cloud credentials and database passwords before self-deleting. This was unrelated to Anthropic — but the timing created real confusion. Any developer running automated npm install during that window should audit their environment.
2. Competitive IP exposure. The leaked source code is a detailed blueprint of Claude Code's architecture, orchestration logic, and internal prompt engineering. While most public mirrors have been removed via DMCA, a three-hour window on the open internet means the code is permanently in circulation. Competitors have detailed knowledge of the implementation.
What you should do: Confirm you're on the current version (not 2.1.88), review build logs from March 31, and verify no unexpected npm dependencies were introduced.
Our Take at Context Studios
At Context Studios, we use Claude Code every day in production — it's the tool we rely on to build this website, our MCP server, and most client infrastructure. We went through the source ourselves.
Three unshipped features that matter most to us:
1. Persistent background agents. The biggest bottleneck in our workflow isn't capability — it's that Claude Code stops when we stop. Background agents that keep working during a PR review or between sessions change the cost structure of complex projects entirely. A four-hour refactor becomes an overnight job.
2. Cross-project session memory. We build interconnected services across this platform. Every context switch between the MCP server, website, and blog pipeline loses conversational context. Persistent memory across projects means Claude Code could finally understand component relationships without manual re-briefing.
3. Multi-agent orchestration. We already implement multi-agent patterns manually — spawning isolated sub-agents for parallel tasks. Native orchestration built into Claude Code would make this faster and more reliable. The "worker Claudes" architecture suggests Anthropic is taking this seriously as a first-class workflow feature.
As for Buddy the pet — we'd name ours something embarrassing and never admit it.
This ties into a broader shift we've been tracking in our work: see 3 Tools That Changed How We Code With AI Agents for more on how tools like Claude Code fit into a modern AI development stack.
FAQ
Is the Claude Code source leak verified?
Yes. Anthropic officially confirmed the leak on March 31, 2026, stating it was "a release packaging issue caused by human error." The source map was in @anthropic-ai/claude-code v2.1.88 and exposed approximately 512,000 lines of TypeScript across nearly 2,000 files. Sources: BleepingComputer and The Register.
Which Claude Code features will ship first? Based on code analysis, persistent background agents and Proactive mode appear most implementation-complete. The April 1–7 teaser window referenced in the source for the Buddy feature suggests Anthropic had planned near-term reveals regardless of the leak. The full launch referenced internally points to May 2026.
Should developers be concerned about Anthropic's security practices? The response was appropriate: fast mitigation, honest disclosure, and aggressive DMCA enforcement. No user credentials or customer data were exposed. The incident was an IP exposure event, not a user security breach. For comparison, the concurrent axios supply chain attack was far more dangerous to individual developers.
What internal model codenames were found in the leak? Three internal codenames were identified: Capybara (a Claude 4.6 variant being iterated on with active accuracy work), Fennec (Claude Opus 4.6), and Numbat (an unreleased model under testing). Capybara v8 showed a 29–30% false claims rate in internal testing versus 16.7% in an earlier version.
Is Claude Code safe to use after the leak? Yes. The current package version doesn't include the source map. If you're on a cached or pinned version, update to the latest. The only meaningful security concern for most users was indirect: the concurrent axios npm attack, not Claude Code itself.
What This Signals
Claude Code's accidental source leak is one of the most revealing unintentional roadmap disclosures in recent AI tooling history. The gap between what's shipped and what's ready to ship is enormous — and what's waiting is ambitious.
Persistent agents, multi-agent orchestration, voice control, cron scheduling, cross-project memory: these aren't research prototypes. They're built, tested, and feature-flagged. For developers building AI-native workflows today, this is a credible preview of where Claude Code heads in 2026.
If you're thinking about how to architect your systems to take advantage of persistent agents and multi-model orchestration when they ship, we'd like to talk.
Sources: BleepingComputer (March 31, 2026) | The Register (March 31, 2026) | VentureBeat (March 31, 2026) | SaaStr (February 2026)