Hey!

You know that feeling when someone spends years building something locked-down and secretive — and then accidentally leaves the front door wide open?

That’s exactly what happened to Anthropic on March 31, 2026.

One day before April Fools’ Day, they shipped the entire source code of Claude Code to the public npm registry inside a routine update. By morning, 512,000 lines of proprietary TypeScript were live on GitHub, being forked tens of thousands of times, and analyzed by basically every developer on the internet.

Not a hack. Not a breach. A misconfigured .npmignore file.

And what developers found inside was... a lot. Hidden features nobody knew existed. An internal model roadmap. A subsystem specifically designed to prevent Anthropic’s secrets from leaking — inside a codebase that just leaked.

We went deep on this one. Here’s everything that matters for you.

How It Happened

Claude Code is built with Bun as its JavaScript bundler. Bun generates debug .map files by default unless you explicitly turn that off. Nobody did. So version 2.1.88 shipped with a 59.8MB source map that pointed directly to a complete ZIP of Anthropic’s original TypeScript — sitting in a public Cloudflare R2 bucket with zero access controls.

At 4:23am ET, an intern at Solayer Labs named Chaofan Shou spotted it, posted a download link on X, and the race was on.

Boris Cherny — the creator of Claude Code, who we’ve covered before — confirmed it publicly on X: plain human error. His follow-up:

Anthropic’s official line:

The brutal irony? The leaked code contained a whole subsystem called Undercover Mode — designed specifically to stop Anthropic’s internal information from leaking. They built an AI feature to prevent leaks. Then leaked their own source code through a config file.

The GitHub Chaos (Real Links)