A Packaging Mistake That Exposed the Full Blueprint of AI Agents
On March 31, 2026, security researcher Chaofan Shou discovered something unusual in Anthropic’s published npm package: version 2.1.88 of @anthropic-ai/claude-code shipped with a 59.8 MB source map file (cli.js.map) that exposed the tool’s entire, unobfuscated source code.
This was no minor snippet. The exposed codebase comprised 512,000 lines of TypeScript across 1,906 files, containing 44 hidden feature flags—at least 20 pointing to fully built but unreleased capabilities. Within hours, the code was mirrored to GitHub, accumulating over 84,000 stars and 82,000 forks. Anthropic pulled the package, but the code was already permanently public.
Anthropic called it “a release packaging issue caused by human error, not a security breach,” and confirmed no customer data or credentials were involved. But for the broader AI industry, the leak’s significance goes far beyond the security incident itself—it provided an unprecedented window into the next generation of AI coding agent architecture.
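The mechanism behind this kind of disclosure is worth seeing concretely. A source map is a JSON file whose optional sourcesContent array embeds the original source text inline, so a stray .map file in a published tarball carries the whole codebase, not just line mappings. The following is an added example (not code from the article, from Anthropic, or from npm) of a pre-publish gate: it takes the list of files a package would ship, finds any source maps among them, and reports whether each one embeds source. The file list and the source map object are constructed samples for this example; a real workflow would feed it the output of `npm pack --dry-run --json` and the parsed .map files.

```javascript
// Added example: pre-publish audit for source maps in an npm package.
// Not code from the original article or from the project it describes.

// Constructed sample of the files a package would ship
// (the shape `npm pack --dry-run --json` reports, reduced to paths).
const SAMPLE_PACKAGE_FILES = ["package.json", "cli.js", "cli.js.map", "README.md"];

// Constructed sample source map. Real maps have the same shape:
// version 3, "sources" (original paths) and, optionally, "sourcesContent"
// (the original text of each source, inline).
const SAMPLE_SOURCE_MAP = {
  version: 3,
  file: "cli.js",
  sources: ["src/main.ts", "src/featureFlags.ts"],
  sourcesContent: [
    "export function main() { /* ... */ }\n",
    "export const FLAGS = { EXPERIMENTAL: false };\n",
  ],
  mappings: "AAAA",
};

// Return the shipped files that are source maps.
function findSourceMaps(files) {
  return files.filter((f) => f.endsWith(".map"));
}

// Summarise what one source map would disclose if it were published.
function auditSourceMap(map) {
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embedded = contents.filter((c) => typeof c === "string");
  const embeddedBytes = embedded.reduce((n, c) => n + Buffer.byteLength(c, "utf8"), 0);
  return {
    sourceCount: sources.length,
    embedsSource: embedded.length > 0,
    embeddedBytes,
    // Original file paths leak even when sourcesContent is absent.
    disclosedPaths: sources,
  };
}

// Gate: one reason per source map that should block the publish.
// mapsByName maps a shipped .map filename to its parsed JSON (if available).
function publishBlockers(files, mapsByName) {
  const reasons = [];
  for (const mapFile of findSourceMaps(files)) {
    const map = mapsByName[mapFile];
    const report = map ? auditSourceMap(map) : null;
    if (report && report.embedsSource) {
      reasons.push(`${mapFile} embeds ${report.embeddedBytes} bytes of original source`);
    } else {
      reasons.push(`${mapFile} discloses original source file paths`);
    }
  }
  return reasons;
}

// Stand-alone run over the constructed samples.
const blockers = publishBlockers(SAMPLE_PACKAGE_FILES, { "cli.js.map": SAMPLE_SOURCE_MAP });
console.log(blockers.length ? blockers.join("\n") : "no source maps in package");
```

In a CI pipeline this check belongs in a `prepublishOnly` step that fails the build when `publishBlockers` returns anything; the cheaper prevention is listing `*.map` in .npmignore or using an explicit `files` allowlist in package.json so that maps never enter the tarball.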
KAIROS: An Always-On Autonomous AI Agent
The most striking discovery in the leaked code is KAIROS (from the Ancient Greek word meaning “the opportune moment”), a name appearing over 150 times across the source. KAIROS represents a fundamental shift in how developers interact with AI tools: from reactive command-response to a 24/7 background agent that acts on its own initiative.
How KAIROS Works
- Daemon Mode: KAIROS is designed as a persistent background service. The system sends heartbeat signals at regular intervals, asking the agent: “Is there anything worth doing right now?”
- Proactive Intervention: It monitors the development environment continuously. If a server crashes overnight, KAIROS can fix the code and restart the service. When a GitHub PR is updated, it can review changes and report back automatically.
- Exclusive Tool Set: KAIROS has access to capabilities unavailable in standard mode, including push notifications (alerting developers directly on mobile devices) and PR subscriptions (actively tracking code repository changes).
autoDream: Your AI “Dreams” While You Sleep
Within the KAIROS framework lies autoDream, a memory consolidation mechanism. When the user is idle, the agent runs a background process that merges scattered observations, eliminates logical contradictions, and converts vague insights into verified factual records.
A notable design principle: the agent is instructed to treat its own memory as a “hint” rather than ground truth, requiring verification against the actual codebase before taking action. This “skeptical memory” architecture reveals both the current reliability challenges in AI agents and the strategies being developed to address them.
44 Feature Flags: An Accidentally Published Product Roadmap
The leaked code contained 44 compiled feature flags—features that are fully built but gated behind compile-time switches that evaluate to false in production builds. This is effectively a complete product roadmap laid bare. Key discoveries include:
Unreleased Capabilities
- Multi-Agent Orchestration: Full logic for multiple AI agents to collaborate on subtasks, with task delegation and result aggregation workflows.
- Memory MD: A lightweight, self-healing memory architecture. Instead of stuffing all data into the context window, Memory MD stores only lightweight index pointers and retrieves original content on demand via identifiers—dramatically reducing token consumption and operational costs. Its design philosophy aligns closely with enterprise-grade AI platform resource management.
- Undercover Mode: Approximately 90 lines of code designed to strip all traces of Anthropic internals when Claude Code is used on non-internal repositories—suppressing mentions of internal codenames (“Capybara,” “Tengu”), Slack channels, and repo names.
- Native Client Attestation: A verification mechanism to prevent third-party tools from impersonating Claude Code to access subscription-tier APIs.
Internal Model Codenames Revealed
The leak also exposed Anthropic’s internal model naming:
- Capybara = Claude 4.6 variant
- Fennec = Opus 4.6
- Numbat = An unreleased model still in testing
Internal comments show Capybara has reached v8, yet still struggles with a 29–30% false claims rate (a regression from v4’s 16.7%). Developers also noted an “assertiveness counterweight” to prevent the model from becoming overly aggressive during code refactoring. These internal benchmarks provide a rare ceiling reference for frontier models, forming an interesting contrast with known limitations of competing models.
The Perfect Storm: A Concurrent axios Supply Chain Attack
Compounding the situation, a separate supply chain attack hit the npm registry on the same day. Between 00:21 and 03:29 UTC on March 31, malicious versions of the widely used axios HTTP library (1.14.1 and 0.30.4) were published, embedding a Remote Access Trojan (RAT).
Because Claude Code depends on axios, any developer who installed or updated via npm during that window may have pulled in the compromised dependency. Attackers subsequently weaponized the leak as a social engineering lure, creating fake “official leaked” repositories on GitHub that distributed Vidar Stealer and GhostSocks proxy malware. According to Zscaler ThreatLabz’s analysis, these attacks have formed a complete malicious supply chain.
This coincidence underscores a serious industry concern: when an AI tool’s full architecture is exposed, attackers gain the precision needed to design targeted attack vectors that circumvent known security defenses.
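The practical question for anyone who ran npm install during that window is whether a compromised axios version landed in their tree. An added example (not code from the article, from npm, or from the axios project) of that check follows: it walks the `packages` map of a package-lock.json (the lockfileVersion 2/3 layout, where every installed copy is keyed by its node_modules path) and reports any copy whose name and version match a known-bad list. The only known-bad entries are the two axios versions the article names; the lockfile is a constructed sample with one direct and one nested axios copy, and "some-cli" is a hypothetical package.

```javascript
// Added example: scan a package-lock.json for known-malicious versions.
// Not code from the original article or from any of the projects it mentions.

// Known-bad (name, version) pairs. Only the two axios versions named in
// the article are listed; a real check would load this from an advisory feed.
const KNOWN_BAD = [
  { name: "axios", version: "1.14.1" },
  { name: "axios", version: "0.30.4" },
];

// Constructed sample lockfile (lockfileVersion 3 layout). "some-cli" is a
// hypothetical package that pulls in its own, nested copy of axios.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0", "some-cli": "^1.0.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
    },
    "node_modules/some-cli": { version: "1.0.0", dependencies: { axios: "^0.30.0" } },
    "node_modules/some-cli/node_modules/axios": { version: "0.30.0" },
  },
};

// Derive a package name from a "packages" key: everything after the last
// "node_modules/" segment, which keeps the scope for "@scope/name" packages.
function packageNameFromKey(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1].replace(/\/$/, "");
}

// Return every installed copy whose (name, version) is on the known-bad list.
// Nested copies are checked too, since a transitive dependency can pin one.
function findCompromised(lockfile, knownBad = KNOWN_BAD) {
  const hits = [];
  const packages = lockfile.packages || {};
  for (const [key, entry] of Object.entries(packages)) {
    if (key === "") continue; // the root project itself
    const name = packageNameFromKey(key);
    const version = entry && entry.version;
    if (knownBad.some((b) => b.name === name && b.version === version)) {
      hits.push({ path: key, name, version });
    }
  }
  return hits;
}

// Convenience wrapper for the raw file contents.
function scanLockfileText(jsonText, knownBad = KNOWN_BAD) {
  return findCompromised(JSON.parse(jsonText), knownBad);
}

// Stand-alone run over the constructed sample.
for (const hit of findCompromised(SAMPLE_LOCKFILE)) {
  console.log(`compromised: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

A positive hit means the machine that ran the install should be treated as compromised rather than simply re-installed, since the malicious package had a chance to execute during installation. Because the lockfile records exactly what was fetched, installing with `npm ci` against a reviewed lockfile, rather than `npm install` resolving fresh ranges, is what keeps a newly published malicious version from entering the tree unnoticed.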
Broader Industry Implications: Accelerating the Post-Prompting Era
The leak’s greatest value lies not in the security scandal or competitive intelligence, but in how directly it demonstrated where the ceiling for AI coding tools is being pushed.
From Chat Box to Invisible Infrastructure
KAIROS confirms an industry trajectory: AI is evolving from a “conversational tool” that waits for user input into “invisible infrastructure” that runs continuously in the background. In this Post-Prompting Era, large language models recede behind the scenes, becoming the plumbing of development workflows.
This means developers will transition from “line-by-line code executors” to “curators and decision-makers”—reviewing and steering AI-generated work rather than producing it manually.
Open-Source Acceleration
Multiple developers described the leaked codebase as “the most detailed public documentation of how to build a production-grade AI agent harness that exists.” This will inevitably accelerate open-source replication of similar architectures, narrowing the gap between proprietary tools and community alternatives—much as DeepSeek’s open-source strategy and Gemini 3’s multimodal breakthroughs have already demonstrated.
Enterprise Trust and IPO Timeline
For Anthropic, two leaks in five days (the model spec document followed by the full source code) challenge its core brand narrative of AI safety and operational rigor. Market analysts suggest this could push its anticipated IPO timeline from late 2026 to 2027—while its biggest rival OpenAI’s own IPO path remains equally turbulent.
Final Thoughts: Are You Ready to Hand Over Control?
The Claude Code leak is, at its core, an accidental dress rehearsal for the future of AI development. KAIROS’s autonomous agent mode, autoDream’s memory consolidation, multi-agent orchestration—these are not proof-of-concept experiments. They are compiled, production-grade features waiting to ship.
When AI transforms from a chat box waiting for your input into an invisible teammate running 24/7 behind the scenes, every developer and technology leader will need to reassess: which parts of the workflow are worth delegating, and which must remain firmly in human hands?
That is the defining question of the Post-Prompting Era.