The Great Claude Code Leak of 2026: Accident, Incompetence, or the Best PR Stunt in AI History?
On the last day of March 2026, the AI development world woke up to something unprecedented: 512,000 lines of Claude Code source code, fully exposed to the public via npm. What followed was a whirlwind of technical analysis, conspiracy theories, and one very awkward supply chain attack that had nothing to do with Anthropic but made everything worse.
Let’s break down what happened, what we learned, and whether any of this was actually an accident.
The Cascade of Failures
The leak wasn’t a single mistake. It was a chain of three independent configuration failures that aligned perfectly:
- A missing .npmignore entry — Source map files (.map extension) were not excluded from the published npm package. These source maps contained references back to the original TypeScript source.
- A public R2 bucket — The cloud storage bucket hosting the referenced source code had no authentication configured. Anyone with the URL could access it.
- A known Bun runtime bug — Bun issue #28001 caused source maps to be shipped in production builds, despite the documentation explicitly stating they wouldn’t be included.
The result: 1,906 TypeScript files exposed to the world. The package hit 16 million views within hours. Developers, security researchers, and competitors all rushed to examine the internals of one of the most widely used AI coding tools on the planet.
The Supply Chain Attack (Unrelated, But Terrible Timing)
In a cruel twist of fate, an unrelated supply chain attack hit the npm ecosystem at almost the exact same time. Compromised versions of axios (1.14.1 and 0.30.4) were published containing a Remote Access Trojan.
Anyone who installed Claude Code between 00:21 and 03:29 UTC on March 31 may have pulled in the compromised dependency. If you were one of those users, check your lockfiles for a dependency called plain-crypto-js — and if you find it, treat that machine as compromised.
This had absolutely nothing to do with Anthropic’s leak, but the timing made the chaos exponentially worse.
What the Source Code Revealed
The leaked source was a goldmine of unreleased features and architectural decisions. Here are the highlights:
KAIROS — The Background Agent
Perhaps the most fascinating discovery was KAIROS, a background autonomous agent designed to perform “nightly memory consolidation.” Think of it as Claude Code quietly organizing and optimizing its understanding of your codebase while you sleep. This isn’t the kind of feature you announce in a changelog — it’s the kind that fundamentally changes how persistent AI assistants work.
ULTRAPLAN — Cloud Reasoning Sessions
ULTRAPLAN references pointed to 30-minute remote cloud reasoning sessions. Instead of doing all computation locally or in a single API call, Claude Code could offload complex planning tasks to dedicated cloud infrastructure for extended reasoning. This suggests Anthropic has been building infrastructure for AI “thinking time” that goes far beyond current prompt-response cycles.
BUDDY — The AI Tamagotchi
Yes, you read that right. The source code contained references to BUDDY, a Tamagotchi-style AI companion with 18 species variants. The rollout was apparently planned for April 1-7. Whether this was an internal joke, a morale feature for the team, or an actual planned product… nobody is entirely sure. But the code was there, and it was not trivial.
Coordinator Mode — Multi-Agent Orchestration
References to a Coordinator Mode revealed infrastructure for multi-agent orchestration — the ability for multiple Claude Code instances to work together on a task, dividing work and coordinating results. This aligns with the broader industry trend toward agentic systems but shows Anthropic was further along than publicly known.
Anti-Distillation Mechanisms
Perhaps the most controversial discovery: mechanisms designed to inject decoy tool definitions that would poison competitor model training. If a competitor tried to train on Claude Code’s outputs or tool-use patterns, they’d ingest false information. This is a defensive measure, but it raises questions about the arms race happening behind the scenes in AI development.
The Three-Layer Memory Architecture
Beyond features, the source code revealed a sophisticated memory system that explains why Claude Code handles long sessions so well:
- Layer 1: Lightweight index pointers, always loaded in memory
- Layer 2: Topic-specific files, fetched on-demand when relevant
- Layer 3: Raw conversation transcripts, grep-searched selectively
This design directly addresses what developers call “context entropy” — the degradation of AI performance during long-running sessions as the context window fills with irrelevant information. Instead of keeping everything in context, Claude Code maintains a hierarchical index and only pulls in what it needs.
Was It Really an Accident?
Here’s where it gets interesting. Several factors have fueled speculation that this was deliberate:
The April Fools’ timing. The leak happened on March 31, with BUDDY’s rollout planned for April 1-7. Coincidence?
The sentiment reversal. Anthropic had been receiving significant backlash for legal threats against OpenCode, an open-source alternative. The leak — and the relatively restrained DMCA enforcement that followed — made Anthropic look more transparent and less litigious overnight.
Two leaks in five days. A second “leak” followed shortly after, exposing internal model codenames (Capybara and Mythos). One leak is an accident. Two leaks in a week starts to look like a pattern.
The restrained response. Anthropic has serious legal resources. They could have gone scorched-earth on anyone hosting or discussing the leaked code. They didn’t.
The counterargument is equally compelling: strategic roadmap exposure before an IPO is genuinely dangerous. Revealing unreleased features, competitive defense mechanisms, and infrastructure details could materially impact valuation and competitive positioning. No PR benefit is worth that kind of strategic exposure — unless you’re playing 4D chess.
The Real Lesson
Whether it was an accident, incompetence, or a stroke of PR genius, one thing is clear: your .npmignore is a security boundary. Treat it accordingly.
The modern npm ecosystem moves fast. Bun bugs, misconfigured cloud buckets, and missing ignore rules are the kind of mundane, boring failures that lead to spectacular breaches. No amount of sophisticated security architecture matters if your build pipeline ships source maps to a public registry.
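One way to enforce that boundary in a release pipeline, as an added example that is not the project's own tooling: audit the files about to be published for shipped `.map` files, embedded sources, remote source references, and `sourceMappingURL` comments. `auditPackage` and `SAMPLE_FILES` are hypothetical names, and the sample contents (including the bucket URL) are constructed.

```javascript
// Added example: audits the files a package would publish for source-map exposure.
// All sample content below is constructed; the URL is a placeholder.
const MAP_COMMENT = /\/[/*]# sourceMappingURL=(\S+)/;
const REMOTE = /^https?:\/\//i;

// Inspect a .map file for original source carried inside it or linked from it.
function auditMap(path, text, out) {
  let map;
  try { map = JSON.parse(text); } catch { return; } // already flagged by file name
  if ((map.sourcesContent || []).some((s) => typeof s === "string" && s.length > 0))
    out.push({ path, issue: "embeds original source (sourcesContent)" });
  const refs = [map.sourceRoot, ...(map.sources || [])].filter((s) => typeof s === "string");
  for (const ref of refs.filter((r) => REMOTE.test(r)))
    out.push({ path, issue: "references remote source: " + ref });
}

// files: object mapping each path in the publish list to its text content.
function auditPackage(files) {
  const out = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      out.push({ path, issue: "source map in published file list" });
      auditMap(path, text, out);
      continue;
    }
    const m = MAP_COMMENT.exec(text);
    if (!m) continue;
    const inline = m[1].startsWith("data:");
    out.push({ path, issue: inline ? "inline source map" : "sourceMappingURL -> " + m[1] });
  }
  return out;
}

// Constructed publish list resembling the failure chain the article describes.
const SAMPLE_FILES = {
  "package.json": '{"name":"demo-cli","version":"1.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3, file: "cli.js",
    sourceRoot: "https://bucket.example.invalid/src/",
    sources: ["main.ts"], sourcesContent: [null], mappings: "AAAA",
  }),
  "lib/util.js": "module.exports = {};\n",
};
for (const f of auditPackage(SAMPLE_FILES)) console.log(`${f.path}: ${f.issue}`);
```

In CI, build the `files` object from the paths reported by `npm pack --dry-run --json` and fail the release when `auditPackage` returns anything.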
For the rest of us watching from the sidelines, the Claude Code leak has been a fascinating look under the hood of the AI tool many of us use daily. The three-layer memory system is elegant. KAIROS is ambitious. BUDDY is… unexpected. And the anti-distillation mechanisms are a reminder that the AI industry’s competitive dynamics are more intense than what we see on the surface.
One thing is certain: March 31, 2026 will be remembered as the day the AI development world got its biggest unplanned show-and-tell.