The npm packaging error that exposed 512,000 lines of Claude Code source code also revealed something else: Anthropic built a mode designed to make AI commits look human, with explicit instructions to scrub any internal identifiers from public git logs.
image from grok
Anthropic's Claude Code source code leaked via an exposed npm package source map linking to a Cloudflare R2 storage bucket, revealing 1,900 TypeScript files totaling over 512,000 lines. The most significant discovery is an undisclosed 'Undercover Mode' that strips Anthropic identifiers and internal codenames from commit messages, PR titles, and PR bodies when operating in public repositories, along with a persistent agent mode called KAIROS. Anthropic confirmed the leak as a release packaging error rather than a security breach.
Anthropic built a stealth mode into Claude Code. The feature, designed to hide AI authorship in public git repositories, is now visible to anyone with a browser — because the code leaked.
On April 1, cybersecurity researcher Shou Chaofan spotted something odd in the npm package for Claude Code, Anthropic's AI coding tool: a source map pointing to a zip archive hosted on Anthropic's own Cloudflare R2 storage bucket. The archive contained 1,900 TypeScript files spanning more than 512,000 lines of code. Shou posted his findings on X; within 48 hours the post had accumulated 33 million views, according to the South China Morning Post.
The leak laid bare two features Anthropic never publicly disclosed. The first is Undercover Mode — a system prompt baked into Claude Code that instructs the model to scrub any Anthropic identifiers from commit messages, pull request titles, or PR bodies when operating in public open-source repositories. The prompt reads: "You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information," according to The Hacker News. Internal codenames for models are also filtered from appearing in public git logs — including one The Hacker News identified as Capybara.
The second undisclosed feature is KAIROS, described in the leaked code as a persistent background agent mode that allows Claude Code to run continuously rather than per-task, The Hacker News also reported.
Anthropic confirmed the leak was real. "This was a release packaging issue caused by human error, not a security breach," a spokesperson told The Register. "No customer or account data was exposed." The company said it took down the exposed archive within hours of being notified.
The Undercover Mode feature raises a straightforward question: why would Anthropic ship a tool capable of autonomously contributing to open-source projects without telling anyone? Claude Code is not a small product. According to VentureBeat, the tool is generating $2.5 billion in annualized recurring revenue, a figure that has more than doubled since the beginning of 2026. That revenue comes partly from developers using it to write and submit code — including, presumably, open-source contributions. A mode that strips Anthropic identifiers from those contributions would make them indistinguishable from human-authored commits.
That design choice sits awkwardly alongside a different geopolitical pressure Anthropic has applied. In February 2026, Anthropic published a blog post accusing three Chinese AI companies — DeepSeek, Moonshot AI, and MiniMax — of orchestrating a coordinated campaign to extract outputs from Claude via 24,000 fraudulent accounts, generating more than 16 million prompt-response exchanges, according to CNBC. MiniMax drove the majority of that traffic, with over 13 million exchanges. Anthropic CEO Dario Amodei had previously described China as an "enemy nation" in AI development. The apparent tension — accusing Chinese firms of secretly mining Claude's outputs while building a feature to hide Claude's own contributions to their open-source ecosystem — is visible in the code itself.
GitHub users have already forked the leaked repository extensively. The Hacker News reported it has surpassed 84,000 stars and 82,000 forks. The actual contents are now a permanent matter of public record.
Anthropic has not said whether it will publish Undercover Mode as a documented feature, quietly remove it, or treat it as an embarrassing artifact of an internal debate it preferred to keep internal. The debate itself is real: whether AI-generated open-source contributions should carry disclosure is a legitimate policy question the industry has not settled. What the leak shows is that Anthropic had already been running its own answer in production — the company simply had not announced it.
Story entered the newsroom
Research completed — 8 sources registered. Anthropic accidentally leaked 512K+ lines of Claude Code source via npm source map (v2.1.88). The leak reveals Undercover Mode - a feature that hides
Draft (579 words)
Approved for publication
Published (599 words)
Get the best frontier systems analysis delivered weekly. No spam, no fluff.
Artificial Intelligence · 42m ago · 3 min read
Artificial Intelligence · 2h 6m ago · 5 min read
