Anthropic Built an Operating System for Code. Then Shipped the Blueprints to npm.

Anthropic built an entire subsystem called "Undercover Mode." The job is specific: stop Claude from accidentally dropping internal codenames into git commits, mentioning unreleased models in PR descriptions, or outing itself as an AI when working on public code. The system prompt tells Claude, in plain English, "Do not blow your cover."

On March 31, Anthropic blew its own cover. Version 2.1.88 of Claude Code shipped to the npm registry with a 59.8 MB source map file attached, the kind of debugging artifact that maps minified JavaScript back to the original source. That file contained readable TypeScript for the entire product. All 512,000 lines. All 1,900 files. Every internal constant, every system prompt, every feature flag.

Within hours, the codebase was mirrored across GitHub and analyzed by thousands of developers. By Tuesday afternoon, a single post on X linking to the source sat at 21 million views. The link dropped at 4:23 a.m. Eastern. Nobody at Anthropic's San Francisco headquarters was awake to watch it travel.

This happened before. In February 2025, the same mistake. Source map, npm, full exposure. Anthropic patched it then. Thirteen months later, the identical failure. Same vector, same root cause, same product.

The code itself is not the story. What the code contains is.

What users see is a fraction of what exists

Claude Code looks like a polished terminal assistant. You type, it responds, it edits files and runs commands. Simple premise.

The source tells a different story. Claude Code carries 44 compile-time feature flags that gate capabilities invisible to external users. Most compile to false in public builds, stripped out entirely by Bun's dead-code elimination. Anthropic releases them on its own schedule, a handful at a time. The restraint is the point.

KAIROS is the one that should make you pause. Named after the Greek concept of "the opportune moment," it transforms Claude Code from a reactive tool into an autonomous daemon. It watches your open files. It logs observations. It acts proactively on things it notices, without being asked. A 15-second blocking budget keeps it from disrupting your workflow, but make no mistake. This is a background agent sitting inside your development environment, operating on its own judgment about what deserves attention.

Then there is autoDream. While you are away, a forked subagent consolidates the day's observations into long-term memory. It resolves contradictions, converts vague notes into verified facts, prunes stale information. The system prompt calls it what it is: "a dream, a reflective pass over your memory files." Three gates control when it fires. Twenty-four hours since last run. Five sessions minimum. A lock to prevent concurrent dreams.

ULTRAPLAN offloads complex planning to a remote container running Opus 4.6, with a 30-minute thinking budget. A browser UI lets you watch the reasoning happen in real time. When approved, a sentinel value "teleports" the result back to your terminal.

And there is Buddy. A Tamagotchi-style companion pet with 18 species, shiny variants, five procedurally generated stats (DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK), and a soul description written by Claude on first hatch. The code references an April teaser window with a full launch gated for May.

This is not a CLI. This is an operating system for software development, and the public release is a carefully managed storefront window.

The ghost contributions nobody asked about

The leak confirmed what some developers suspected but could not prove. Anthropic employees use Claude Code to contribute to public open-source repositories, and the tool scrubs any trace of AI involvement from the output.

Here is the Undercover Mode system prompt, verbatim. "You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."

No model codenames in commits. No mention of Claude Code. Co-Authored-By attribution lines get stripped. To anyone reviewing the pull request, it looks like a human wrote it.

If you maintain an open-source project, you may have already reviewed and merged Claude-generated pull requests without knowing it. The engineering might be solid. But open-source communities operate on trust and attribution. Undisclosed AI contributions corrode both, and the reaction from maintainers has been defensive for good reason.

Anthropic would argue this is standard dogfooding. That is reasonable. But "do not blow your cover" goes beyond testing your own tools. It is a framework for concealment, and the leaked code hands every enterprise customer the exact template to replicate it.

The $2.5 billion blueprint, handed to competitors

The financial exposure is what should make Anthropic anxious. Claude Code generates an estimated $2.5 billion in annualized recurring revenue, a figure that doubled since January. Enterprise customers account for 80% of that number. The company is preparing for an IPO later this year. Exposing the internals of your highest-growth product right before public-market scrutiny is the kind of timing no one would choose.

Now every competitor has the architecture. The three-layer memory system centered on a lightweight index file. The multi-agent coordinator with scratchpad-based knowledge sharing. The permission engine with ML-based auto-approval. The bash validation logic spanning thousands of lines. CryptoBriefing reported that developers began rewriting components under the name "Claw Code" within hours of the leak, with a Rust rewrite already underway. No waiting for a clean-room analysis. No guessing at implementation details. Just download, read, and build.

But the competitive threat splits into two categories with very different dynamics.

The Western competitors: constrained but accelerated

The day before the leak, OpenAI shipped a Codex plugin that runs inside Claude Code. Read that again. OpenAI built a plugin for a competitor's product. The repository collected 3,700 GitHub stars in a single day. According to a Wall Street Journal report, Fidji Simo, OpenAI's CEO of Applications, called Anthropic's success with Claude Code and Cowork an internal "wake-up call." OpenAI plans to refocus resources on coding tools and enterprise customers, merge Codex and ChatGPT into a single desktop application, and build out a plugin marketplace with governance controls pitched at CIOs.

The strategy is telling. Rather than wait for developers to switch, OpenAI is embedding its model directly into the workflow developers already chose. That is what conceding market dominance looks like while trying to maintain a foothold.

The leaked source code compresses OpenAI's R&D timeline on specific subsystems. How Anthropic solved context entropy. How the permission engine classifies risk. How agents coordinate without corrupting each other's state. Those are hard engineering problems, and the solutions are now readable TypeScript. Cursor, GitHub Copilot, and a dozen well-funded startups get the same advantage.

But Western competitors face two constraints. First, clean-room implementation. They can study architectural patterns, but copying code directly carries trade-secret liability, especially against a company heading into public markets with every incentive to litigate. Second, the code is the harness, not the engine. Claude 4.6 Opus's reasoning quality is not in the TypeScript. Competitors still need their own models to be competitive on raw capability.

The bigger gift is the roadmap. KAIROS, autoDream, ULTRAPLAN. Western competitors now know what is coming and can prioritize matching those features before Anthropic ships them. Strategic surprise, once lost, cannot be recovered.

The Chinese labs: unconstrained and already in motion

For Chinese AI companies, the leak fills a gap that years of systematic effort could not close through other means.

In February 2026, Anthropic revealed that three Chinese laboratories had run industrial-scale extraction campaigns against Claude. DeepSeek targeted reasoning and evaluation tasks, effectively using Claude as a reward model for reinforcement learning. Moonshot AI focused on agentic reasoning and tool use. MiniMax ran the largest operation, generating over 13 million exchanges through approximately 24,000 fraudulent accounts. MiniMax's specific focus: agentic coding and tool use.

A legal analysis published by Just Security documented the operational playbook. Commercial proxy services managing 20,000 simultaneous fraudulent accounts. Deliberate mixing of distillation traffic with unrelated requests to evade detection. When Anthropic banned accounts, replacements appeared within hours.

Those campaigns extracted model behaviors, reasoning patterns, chain-of-thought processes. What they could not extract was the orchestration layer. How to manage permissions across 40 tools. How to coordinate multiple agents without state corruption. How to compress context across sessions that span hours. How to build a production-grade harness that turns a capable model into a $2.5 billion product. That engineering does not leak through API responses.

The source code leak provides exactly that missing layer. The three-layer memory architecture. The multi-agent coordinator with scratchpad-based knowledge sharing. The feature flag system. The anti-distillation mechanisms, now exposed and therefore bypassable.

Chinese labs that already have competitive base models, DeepSeek and Alibaba's Qwen among them, can now wrap those models in production-grade agentic infrastructure studied from the market leader. The combination of distilled model capabilities and leaked harness architecture creates a faster path to parity than either alone. DeepSeek is actively hiring Agent Deep Learning researchers and Agent Infrastructure Engineers. The demand for this architecture is immediate.

The legal exposure is asymmetric. Anthropic can sue U.S. competitors for trade-secret misappropriation. It has no practical enforcement mechanism against laboratories operating outside U.S. jurisdiction, the same laboratories that already demonstrated willingness to run fraudulent accounts at industrial scale.

The internal performance data makes it worse. The source reveals that Capybara, Anthropic's internal codename for a Claude 4.6 variant, carries a 29-30% false claims rate in its eighth iteration, a regression from 16.7% in version four. Competitors did not just get the blueprints. They got the test results showing where the building leaks.

A pattern that should worry enterprise buyers

Five days before the npm leak, Fortune reported that Anthropic's content management system left approximately 3,000 unpublished assets publicly accessible. Among them: a draft blog post for an unreleased model the company confirmed as "a step change and the most capable we've built to date." Details of an invite-only CEO retreat in the U.K. were also exposed. The spokesperson attributed it to "human error" in its CMS configuration.

Human error again. Different system, same explanation. That is the tell.

Anthropic's brand rests on safety. White papers about existential risk. Voluntary commitments to responsible deployment. Enterprise buyers pay a premium for that reputation, and regulators cite Anthropic as the company doing things right. Then you learn they cannot configure .npmignore. The gap between the safety pitch and the operational reality gets harder to explain away with every incident.

The concurrent axios supply chain attack compounds the damage. On the same morning as the leak, malicious versions of the axios npm package (1.14.1 and 0.30.4) distributed a remote access trojan. Anyone who installed or updated Claude Code between 00:21 and 03:29 UTC on March 31 may have pulled the compromised dependency. Anthropic now recommends its native installer over npm entirely. Read that again. The company walked away from its own distribution channel on the same day it leaked its own source code through it.

Twenty-one million views and a promise of measures

Anthropic confirmed the leak to CNBC on Tuesday, roughly twelve hours after the code started circulating. One new sentence appeared in the company's response: "We're rolling out measures to prevent this from happening again."

Rolling out measures. For a failure mode the company already identified and patched thirteen months ago. The phrasing sidesteps the question it should answer first: what happened to the measures from last time?

CNBC called it Anthropic's second major data exposure in under a week, following the Fortune report on roughly 3,000 unpublished assets sitting in a publicly accessible content management cache. Two distinct systems failed basic access controls within five days. Same company. Same one-word explanation both times: human error.

The competitive response did not wait for Anthropic's statement. Google, xAI, and OpenAI are all accelerating their own coding agent investments, CNBC reported, chasing the developer adoption that pushed Claude Code past $2.5 billion in annualized revenue by February. Those three companies can now study the architectural decisions behind the product they are racing to replicate. Anthropic's answer: a promise of future measures, no timeline attached, no specifics offered, for a vector that already failed them once.

The cost of shipping blueprints

Anthropic's statement called this "a release packaging issue caused by human error, not a security breach." No customer data leaked. No model weights escaped. No credentials were exposed.

Call it a packaging issue if you want. What actually shipped to a public registry was the source code for a $2.5 billion product. Forty-four feature flags. Internal model codenames. Performance benchmarks competitors would have paid millions to see. The exact orchestration logic needed to build a clone. All of it, for the second time in thirteen months.

OpenAI is embedding Codex inside Claude Code because it cannot yet convince developers to leave. Chinese laboratories that ran 16 million fraudulent API exchanges to extract Claude's reasoning now have the production harness those exchanges could never reach. The Western competitors are constrained by clean-room requirements and litigation risk. The Chinese laboratories are not. That asymmetry is the actual cost of a misconfigured .npmignore file.

If you are an enterprise customer evaluating AI coding agents, the question is direct. The company that built Undercover Mode to prevent this kind of exposure could not prevent this kind of exposure. Twice. And a company that has publicly promoted its own AI agents for software development still shipped a .map file that a junior engineer's pre-publish checklist would have caught.

Undercover Mode works perfectly. The build pipeline does not. And when version 2.1.89 ships, the test is simple: does the .map file come with it? If Anthropic cannot pass that check after two identical failures, the "responsible AI lab" label stops being a brand promise and starts being a liability.

Anthropic's Cowork Strips the Developer Costume Off Claude Code

Simon Willison has been saying it for months. Claude Code, the terminal-based agent that Anthropic marketed to programmers, was never really a coding tool. It was a general-purpose agent that happened

The Implicator

Your browser already runs hostile code. Could it sandbox AI agents too?

Google developer Paul Kinlan spent his holiday break building projects with Claude Code, the AI coding assistant that can create, modify, and execute files on your machine. The experience left him bot

The Implicator

OpenAI Launches Codex Desktop App for macOS With Multi-Agent Workflows and Doubled Rate Limits

OpenAI released a macOS desktop app for Codex today, turning its AI coding agent into a standalone application that can run multiple agents across different projects at the same time. The company also

The Implicator

Maria Garcia

Los Angeles

Bilingual tech journalist slicing through AI noise at implicator.ai. Decodes digital culture with a ruthless Gen Z lens—fast, sharp, relentlessly curious. Bridges Silicon Valley's marble boardrooms, hunting who tech really serves.