On March 31, Anthropic accidentally shipped the full source code for Claude Code to the public npm registry.
A 59.8 MB debug file that was never meant to be public got bundled into a routine version update, and a researcher spotted it within hours. Within a day, the 512,000-line TypeScript codebase had been mirrored and analyzed across GitHub by thousands of developers.
Anthropic confirmed it. "This was a release packaging issue caused by human error, not a security breach," a spokesperson told CNBC. No customer data or credentials were exposed. The company is rolling out measures to prevent a recurrence.
The code is out there now. Here's what it actually shows.

Inside the Leak
While much of the coverage has focused on the embarrassment, the more useful angle is what the code itself reveals about where Anthropic is building.
Buried in the source were references to a feature called Kairos, mentioned over 150 times. The code describes an autonomous daemon mode: an always-on background agent that keeps working while the user is idle, consolidating memory, resolving contradictions, and running what the code calls "autoDream" sessions.
Also in the code: references to Capybara, the internal name for a Claude 4.6 variant, with Fennec mapping to Opus 4.6 and an unreleased model called Numbat still in testing. Internal comments note a 29-30% false claims rate in the current version, a regression from earlier iterations that Anthropic is actively working to address.
And there's Undercover Mode, a feature built specifically to prevent internal codenames from leaking through AI-generated content. They built leak prevention into the product. Then a human misconfigured a release and shipped the source code anyway.
Kairos is the more significant disclosure. The current agent debate is mostly about episodic use: you invoke an agent, it runs a task, and it stops. Kairos is built for continuous operation — background sessions, persistent memory, proactive work while you're away. That's a different architecture than anything currently shipping. It's also a different governance problem. An agent that runs while you're asleep has a fundamentally different security surface than one you invoke and watch.
The roadmap is now public. The leaked code contained dozens of fully-built feature flags for capabilities that haven't shipped: longer autonomous task horizons, deeper memory, and multi-agent coordination. Anthropic confirmed this to Axios. Competitors now have a detailed engineering reference for how to build a production-grade AI coding agent, and a clear picture of what Anthropic is releasing next.
The Cline attack is worth understanding alongside this. Weeks before the leak, a security researcher demonstrated a prompt injection attack against Cline's GitHub repository. A malicious issue title tricked an AI triager running Claude Code into executing arbitrary code across the CI/CD pipeline. The attack chain was text input to code execution. No sophisticated exploit required. When an agent has broad tool permissions, the threat model shifts to the inputs the agent is reading, not just the systems it can access.
Agent source code is a security artifact. System prompts, tool definitions, and permission logic are effectively an agent's operating policy. When they're exposed, attackers get the full decision-making blueprint (what the agent will and won't do, what it can access, and where the boundaries are). For any organization deploying agents in production, this is the practical implication: treat your agent's configuration and permission logic with the same controls you'd apply to API keys.
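The packaging failure described at the top of this piece and the advice just above both come down to the same control: nothing reaches the registry that a release gate did not approve. Below is an added example (not Anthropic's tooling, and not from the leaked code) of such a gate: it reads the JSON that `npm pack --dry-run --json` prints and blocks the publish if the tarball would carry oversized files, source maps, debug artifacts or key material. The size limit, the denied patterns and the sample package listing are assumptions constructed for illustration.

```javascript
// Pre-publish gate: audit the file list of the tarball npm is about to
// build, before `npm publish` runs. Thresholds and patterns are assumed.
const MAX_FILE_BYTES = 5 * 1024 * 1024; // 5 MiB per file (assumed limit)
const DENIED_PATTERNS = [
  /\.map$/i,           // source maps let anyone rebuild the original TypeScript
  /debug/i,            // debug bundles and dumps
  /(^|\/)\.env/i,      // dotenv files with local configuration
  /\.(pem|key|p12)$/i, // private key material
];

// packJson is the array `npm pack --dry-run --json` prints: one entry per
// package, each with a `files` array of { path, size, mode }.
// Returns a list of findings; an empty list means the package passes.
function auditPackFiles(packJson) {
  const findings = [];
  for (const pkg of packJson) {
    for (const f of pkg.files) {
      if (f.size > MAX_FILE_BYTES) {
        findings.push({ path: f.path, reason: `oversized (${f.size} bytes)` });
      }
      const hit = DENIED_PATTERNS.find((re) => re.test(f.path));
      if (hit) {
        findings.push({ path: f.path, reason: `matches denied pattern ${hit}` });
      }
    }
  }
  return findings;
}

// Constructed sample in the shape npm emits; the file names are invented
// and are not the files from the Claude Code package.
const SAMPLE_PACK_JSON = [{
  name: "example-cli", version: "1.2.3", filename: "example-cli-1.2.3.tgz",
  files: [
    { path: "package.json", size: 812, mode: 420 },
    { path: "dist/cli.js", size: 1900000, mode: 420 },
    { path: "dist/cli.js.map", size: 62700000, mode: 420 }, // flagged twice
  ],
}];

if (typeof require !== "undefined" && require.main === module) {
  // Real use: npm pack --dry-run --json | node prepublish-gate.js --stdin
  const fromStdin = process.argv.includes("--stdin");
  const input = fromStdin
    ? JSON.parse(require("fs").readFileSync(0, "utf8"))
    : SAMPLE_PACK_JSON;
  const findings = auditPackFiles(input);
  for (const f of findings) console.error(`BLOCK ${f.path}: ${f.reason}`);
  if (fromStdin && findings.length > 0) process.exitCode = 1; // fail the release
}
```

Wire it into the package's `prepublishOnly` script so the gate runs on every publish, including the routine version bumps where mistakes like this one happen.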
What This Means For You:
The leak won't sink Anthropic. Claude Code is generating $2.5 billion in annualized revenue, and enterprise adoption is still accelerating.
What it does is put the next 12 months of Anthropic's roadmap in public view, and sharpen a question that most organizations haven't fully answered yet: if your agent's configuration leaked tomorrow, what would it reveal?
Not just the code. The permissions it holds, the systems it can access, and the logic it uses to decide what to do autonomously. That's the real security surface for AI agents in production. Most governance frameworks being built right now are designed around episodic usage. Kairos, and everything it represents, is a signal that continuous operation is coming. Designing for that now is worth the time.
Clutch. Just launched.
OpenClaw made it easy to get an agent running. Clutch makes it safe to run that agent at work.
Secure multi-agent deployment, built for teams that need more than a single-machine setup. We just launched.

OpenAI killed Sora. Disney found out less than an hour before the announcement.
The app shuts down April 26, the API September 24. Sora peaked at one million users, collapsed to under 500,000, and was burning $1 million a day to run. Disney had committed $1 billion and licensed 200+ characters. No money ever changed hands.

Zapier published its V2 AI Fluency Rubric, one year after requiring it from every new hire
AI adoption across Zapier has hit 100%. The update adds accountability as a fourth signal alongside mindset, strategy, and building. The framing: you can delegate work to AI, but not the accountability for it. Worth reading if you're thinking about what AI readiness actually looks like in hiring.

Perplexity AI was sued in federal court for allegedly sharing user conversations with Meta and Google
A class-action filed April 1 alleges trackers embedded at login transmit complete conversation transcripts, including health and financial queries, for ad targeting and data resale. The tracking reportedly operates even in Incognito mode. Your conversations are not inherently private because you're talking to an AI.

The Kairos discovery is interesting to me less as a competitive intelligence story and more as a signal about where the design center of AI agents is moving.
The current generation is episodic. You invoke it, it runs, it stops. The governance questions are manageable: what can it access, what does it log, and who reviews the output.
Kairos describes something different. An agent that runs while you're not watching, consolidates what it learned, and comes back with a cleaner picture of the codebase. That's genuinely useful. It's also a deployment architecture that most enterprise security teams haven't evaluated yet.
The companies that will navigate this well are going to build the governance layer for it now, before the always-on agent arrives.
Haroon
P.S. If the governance question is one you're actively working through, that's the core of what Clutch is built for.