Claude Code Leak — Always-On Agents Were Already Built
The funniest detail in the Claude Code source leak isn’t that Anthropic shipped 512,000 lines of TypeScript to the npm registry by accident. It’s that buried inside those lines is a complete subsystem called “Undercover Mode” — designed specifically to prevent Claude from leaking internal codenames in commits. It shipped right alongside all the internal codenames it was supposed to hide. Version 2.1.88. A 57 MB .map file. Nobody caught it.
Security researcher Chaofan Shou spotted the source map on March 31. Within hours, the code was archived to GitHub, where it now sits at over 1,100 stars and 1,900 forks. Anthropic has since pulled the file from the registry. The damage — if you want to call it that — is already done.
Everyone writing about this is fixated on the accident. That’s the boring take. The interesting story is what the code actually contains.
TL;DR
- What leaked: Claude Code v2.1.88’s entire source — 1,900 TypeScript files, 512,000 lines — via a forgotten source map in the npm package
- What it reveals: KAIROS (always-on persistent agent), ULTRAPLAN (remote 30-minute planning runtime with an internal model reference that is an implementation detail, not an announced product), and Capybara/Mythos (a single new model tier above current Opus)
- Why it matters: These features map almost exactly to where Cursor is heading with Automations — always-on background agents are not a roadmap item, they are the consensus direction
- The risk: The full permissions model and system prompt are now public; for anyone building exploits or bypasses, this is a blueprint
Why This Matters
The architectural reality inside those 512,000 lines is more revealing than any product announcement Anthropic has made this year.
Start with the tool system. Claude Code runs approximately 40 permission-gated tools — File Read, Bash, Web Fetch, LSP Integration, and more. The base tool definition alone is 29,000 lines of TypeScript. The Query Engine, which handles all LLM API calls, streaming, caching, and orchestration, runs to 46,000 lines and is the single largest module in the codebase. There is a multi-agent orchestration layer via a coordinator/ module that can spawn sub-agents — internally called “swarms” — each running in its own context with specific tool permissions. This is not a chatbot with a code panel. This is an orchestration platform that happens to have a terminal interface.
Now the unreleased features, which are the actual story.
KAIROS is Anthropic’s always-on persistent agent mode. It works across sessions, stores memory logs in a private directory, runs nightly “dreaming” passes to clean up stale context, and can proactively initiate tasks. There is a 15-second blocking budget built in — any proactive action that would interrupt your workflow for longer than that gets deferred. That is a meaningful design choice: the team has already thought through the “helpful vs. intrusive” tension, not just the capability. Compare this directly to Cursor Automations, which is building the same persistent-agent infrastructure from the editor side. Two companies, different starting points, same destination: an agent that works while you sleep.
ULTRAPLAN offloads complex planning to a remote Cloud Container Runtime, with up to 30 minutes of compute time for a single planning task. The leaked source references an internal model designation in the implementation code — this is a comment from the source as it existed at the time of the leak, not a confirmed public product name or the final model that will power ULTRAPLAN at launch. The intent is unambiguous regardless: you submit the problem, it thinks for half an hour, you approve the result from your browser. This is a deliberate architectural and pricing bet — extended cloud compute for deliberate reasoning, for problems worth paying more to solve correctly the first time. It also draws a sharp line between what runs locally and what does not. Some reasoning tasks are simply too large for a context window, and Anthropic is building infrastructure to acknowledge that rather than paper over it.
The model reference in the ULTRAPLAN code appears in internal implementation comments from the leaked source. It reflects the codebase at the time of the leak — not a confirmed public product name or the final model that will power ULTRAPLAN at launch.
Capybara — also referred to internally as Mythos — is a single new model tier, not a family of variants. The leaked source describes it as “a new tier of model: larger and more intelligent than our Opus models — which were, until now, our most powerful.” Internal references note “dramatically higher scores on tests of software coding, academic reasoning, and cybersecurity, among others” compared to Opus. This is not a minor iteration. And it was already partially confirmed: on March 26, five days before the source map leak, Anthropic’s CMS exposed Mythos details in a configuration error that revealed draft blog posts and unpublished assets. That first exposure was dismissed by some as a staging error. The Claude Code leak is the second confirmation in five days. At this point, Capybara/Mythos is as confirmed as an unreleased model gets.
Then there is BUDDY, which deserves more analytical credit than it is getting. BUDDY is a Tamagotchi-style companion that sits next to your input box — Claude generates a name and personality on first hatch, complete with sprite animations, a floating heart effect, and cosmetics with rarity tiers ranging from Common to 1% Legendary. The planned teaser rollout was April 1–7, with a full launch in May starting with Anthropic employees.
The obvious reaction is to laugh. The correct reaction is to recognize a retention mechanic. Cursor has VS Code muscle memory. GitHub Copilot has deep IDE integration. Claude Code needs reasons for developers to stay inside its environment rather than switching tabs. A persistent virtual pet with rarity tiers and unlock progression is a low-cost, high-engagement hook. Absurd, yes. Also strategically coherent.
The full permissions model and system prompt are now public. Anyone building jailbreaks, bypasses, or adversarial inputs for Claude Code now has a blueprint — they know exactly how tool approvals are evaluated and what the base instruction layer looks like. Anthropic will need to treat its internal permission logic as compromised and plan accordingly.
Telemetry deserves a separate note. Claude Code tracks frustration signals — including when users swear at it — and patterns like repeated “continue” prompts. All of it routes through Datadog. The code includes safeguards to prevent the transmission of actual user code or file paths, and telemetry can be disabled via environment variable. That is the responsible version of this setup. But frustration signals being logged and shipped to a third-party analytics platform is the kind of detail that belongs in a privacy disclosure, not a source map.
Claude Code telemetry can be fully disabled via environment variable. If you are running it against a sensitive codebase or in a regulated environment, verify your configuration before assuming default settings have it off.
One more thread worth pulling: this happened on the same day that Axios — 83 million weekly npm downloads — was compromised through a hijacked maintainer account. Two separate npm incidents in a single day. The coincidence does not point to a coordinated attack, but it is a sharp signal about the attack surface. I covered the trust implications in depth after the LiteLLM supply chain incident — the Claude Code leak adds a new failure mode to that picture. It is not just malicious actors inserting code; it is also well-resourced teams accidentally shipping their entire internal source. Both paths lead to the same exposure. npm is not a secure distribution channel by default, and the configuration discipline required to keep it safe is clearly not universal even among the best-resourced teams in AI.
The Take
The Undercover Mode irony is genuinely funny, but don’t let it distract from what this leak confirms: Anthropic is building the same always-on, background-agent infrastructure as Cursor, from the opposite direction. Cursor started as an editor and is adding persistent agents. Anthropic started with an LLM and built a full orchestration platform around it. KAIROS and ULTRAPLAN are not experimental sketches — they are substantial, spec’d-out systems with deliberate design tradeoffs already baked in. The 15-second blocking budget in KAIROS. The browser-based approval flow in ULTRAPLAN. These are things that got reviewed and iterated. The code shows it.
The leak is an accident. What it reveals is intentional — and it tells you exactly where the next 12 months of AI coding tools are heading.
The Capybara/Mythos confirmation matters for anyone doing serious agent work. If the current Opus ceiling is being replaced by a single new model tier described internally as delivering dramatically higher scores on coding and cybersecurity benchmarks, every performance baseline you have set this quarter should be treated as provisional. Plan for the capability jump, not against the current state.
What should you actually do with this? Three things. First, if you are evaluating Claude Code for your team, the leaked architecture confirms it is serious infrastructure — not a toy. The tool system, orchestration layer, and permission model are built with the same care you would expect from production software. Second, if you care about your own toolchain’s supply chain exposure, the Axios-and-Claude-Code-same-day coincidence is a prompt to audit what you are pulling from npm and whether your .npmignore is doing what you think it is. Third, watch the Capybara/Mythos launch. When a model tier above Opus ships, the competitive math on AI coding assistants changes again — and this time Anthropic will have the agent infrastructure to back it up.
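The .npmignore audit suggested above, as an added example that is not part of the original article or of Anthropic's code: it inspects the file set a publish would ship and reports source maps, external or inline, that embed original sources through `sourcesContent`. The function names, file paths and sample map are constructed for illustration.

```javascript
// Added example: not code from the leaked package or from any vendor tooling.
// List original source paths whose full text is embedded in a parsed map.
// Index maps keep regular maps under sections[].map, so recurse into them.
function embeddedSources(map) {
  if (Array.isArray(map.sections)) {
    return map.sections.flatMap((s) => (s.map ? embeddedSources(s.map) : []));
  }
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return (map.sources || []).filter((_, i) => typeof contents[i] === "string");
}
// Inline maps: a base64 data URI in the trailing sourceMappingURL comment.
const INLINE_MAP =
  /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+\/=]+)/;

// files: [{ path, content }] as strings, e.g. read from an `npm pack` tarball.
function auditPublishFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    const inline = /\.[cm]?js$/.test(path) ? INLINE_MAP.exec(content) : null;
    let json, kind;
    if (path.endsWith(".map")) {
      json = content; kind = "map-file";
    } else if (inline) {
      json = Buffer.from(inline[1], "base64").toString("utf8"); kind = "inline-map";
    } else continue;
    try {
      const leaked = embeddedSources(JSON.parse(json));
      findings.push({ path, kind, embedded: leaked.length, sample: leaked.slice(0, 3) });
    } catch {
      // A map that cannot be parsed still should not ship unreviewed.
      findings.push({ path, kind, embedded: -1, sample: [] });
    }
  }
  return findings;
}

// Constructed sample: one external map and one inline map, same content.
const sampleMap = JSON.stringify({
  version: 3, file: "cli.js", mappings: "AAAA",
  sources: ["../src/main.ts", "../src/tools/bash.ts"],
  sourcesContent: ["export const x = 1;", null],
});
const inlineComment = "//# sourceMappingURL=data:application/json;base64," +
  Buffer.from(sampleMap).toString("base64");
const samplePackage = [
  { path: "cli.js", content: "console.log(1);\n//# sourceMappingURL=cli.js.map" },
  { path: "cli.js.map", content: sampleMap },
  { path: "lib/util.js", content: inlineComment },
];
console.log(auditPublishFiles(samplePackage));
```

In a release pipeline the file list would come from the tarball that `npm pack` writes, and any finding with a non-zero `embedded` count would fail the build. A `files` allowlist in package.json is a tighter control than relying on .npmignore alone.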
Related
- Claude Code Tool Profile — The baseline architecture and current feature set, before this leak
- Cursor Automations: Agent Orchestration Platform — KAIROS and Cursor Automations are building the same future from different directions
- LiteLLM Supply Chain Attack: Trust Chain Collapse — The npm attack surface that made this incident possible