Claude Code source code leaked: BUDDY, KAIROS, Undercover Mode and 108 hidden features
Mike Codeur
On March 31, 2026, security researcher Chaofan Shou discovered a 60 MB source map file in the Claude Code npm package. This debug file contained the entire source code: 1,900 TypeScript files, half a million lines, internal API keys, and secret features.
It was Anthropic's 2nd security incident in 5 days, right after the accidental leak of a blog post about their new Mythos model.
How the leak happened

Claude Code is built with Bun, not Node. And Bun generates source maps by default. Someone simply forgot to exclude them from the .npmignore file during the release build.
One missing line in a config file. That's all it took to expose 500,000 lines of proprietary code from a company valued at $300 billion.
The irony is that the Claude Code CLI itself is remarkably well-secured:
- Bash parsing with a tree-sitter AST and strict fail-closed behavior
- Multi-layer permission system
- SSRF protection with DNS rebinding handling
High-level defense-in-depth. But one forgotten config file, and everything was exposed.
Hardcoded secrets
The code contains secrets that should never have been hardcoded:
- Datadog token directly in the source code (src/services/analytics/config.ts). This token could be used to inject fake logs into their monitoring pipeline.
- 3 GrowthBook SDK keys (src/bootstrap/state.ts). GrowthBook manages their feature flags and A/B tests. These keys allow dumping all their ongoing experiments.
These secrets should have been in environment variables, not hardcoded.
BUDDY: the hidden AI pet in your terminal
The most unexpected discovery. Anthropic built a complete virtual companion system for Claude Code, called BUDDY.
18 species: duck, dragon, axolotl, capybara, ghost, mushroom, penguin, owl, robot, cactus...
Each species has a rarity level:
| Rarity | Probability |
|---|---|
| Common | Majority |
| Uncommon | ~20% |
| Rare | ~10% |
| Epic | ~5% |
| Legendary | 1% |
Each buddy has 5 stats: Debugging, Patience, Chaos, Wisdom, and Snark. It lives in a bubble next to your terminal input, with animated ASCII sprites.
The system is deterministic: the species is calculated from a hash of your user ID. You always get the same buddy. Claude writes the name and personality at the first "hatch".
And there are cosmetic hats.
According to internal comments, it was planned for an April 1-7 teaser (April Fools'), with a full launch in May 2026.
KAIROS: the daemon that dreams

KAIROS (from ancient Greek "the opportune moment") is a daemon mode. Claude Code runs permanently in the background, without waiting for you to give it a task.
How it works:
- During the day: it observes what you do and maintains daily append-only logs
- At night: a process called autoDream triggers and consolidates its memory
  - Merges observations
  - Removes contradictions
  - Converts vague insights into verified facts
- In the morning: your agent has a clean, relevant, up-to-date context, without you asking for anything
Default configuration: minimum 24 hours between consolidations, and at least 5 accumulated sessions before triggering the "dream".
It's a fundamental shift: from a reactive agent (you give a task, it executes) to a proactive agent (it builds context about your work over time).
Undercover Mode: Anthropic's operational security
The file src/utils/undercover.ts contains a system that activates automatically when an Anthropic employee (USER_TYPE === 'ant') works on a repo not in their internal allowlist.
Its main purpose is to prevent internal information from leaking into public commits:
- Internal model codenames (like Capybara, Tengu)
- Unreleased version numbers (opus-4-7, sonnet-4-8)
- Internal repo names, Slack channels, internal links
The injected prompt literally says "Do not blow your cover" and asks to write commit messages as a human developer would. Co-Authored-By: Claude lines are removed.
It's operational security more than deliberate deception, but the result is the same: AI attribution disappears from public commits.
108 hidden feature flags

Beyond BUDDY, KAIROS, and Undercover Mode, the code reveals 108 modules gated by feature flags:
- ULTRAPLAN: the planning phase is sent to Claude Opus in the cloud for 30 minutes. You monitor and approve from a browser before execution begins.
- Coordinator Mode: multi-agent orchestration with a mailbox system
- VOICE_MODE: integrated voice mode
- WEB_BROWSER_TOOL: browser built directly into Claude Code
- AGENT_TRIGGERS: automatic agent triggers
None of these features appear in the public version of Claude Code.
Key takeaways
This leak reveals two things:
On security: even Anthropic, the company that positions itself as the most rigorous on AI safety, can make a build configuration error that exposes everything. Check your .npmignore. Check your source maps. Check everything.
On the future of dev: the future of AI-assisted development isn't a chatbot in your terminal. It's an autonomous agent running 24/7, building context about your work, and "dreaming" to consolidate its memory. Anthropic is already building it.