The claude code source leak was one of the most significant accidental disclosures in AI tooling history. A 59.8 MB JavaScript source map file shipped inside the @anthropic-ai/claude-code v2.1.88 npm package exposed 512,000 lines of TypeScript across 1,906 source files. The incident revealed the complete internal architecture of Anthropic's proprietary coding agent and directly catalyzed the creation of Claw Code.
發現
On March 31, 2026, security researcher Chaofan Shou (@shoucccc) discovered that the Claude Code npm package contained a .map source map file that fully reconstructed the original TypeScript source. The Bun bundler, used by the Claude Code build pipeline, generates source maps by default unless explicitly disabled — a configuration oversight that left the complete source tree readable.
The irony was not lost on the security community: the exposed codebase contained an "Undercover Mode" system specifically designed to prevent internal information from leaking to end users.
即時後果
Within hours of the disclosure:
- The source code was mirrored to multiple GitHub repositories
- Thousands of developers began analyzing the architecture
- The internal tool system (~40 tools, 29,000 lines of TypeScript) was fully documented
- The query engine (46,000 lines) was reverse-engineered
- Multi-agent swarm orchestration patterns were mapped
- The IDE bridge (using JWT authentication) was exposed
揭示的隱藏功能
The leaked source exposed several undocumented capabilities that were not visible to Claude Code users:
| 功能 | 描述 |
|---|---|
| KAIROS Mode | A proactive assistant mode where Claude Code anticipates user needs and takes initiative without explicit prompting |
| ULTRAPLAN | Remote Opus-level planning that generates comprehensive multi-step execution plans, with sessions lasting up to 30 minutes |
| autoDream | Background memory consolidation system that processes and organizes session context during idle periods |
| Feature Flags | 44 total feature flags discovered, of which 20 were hidden and not exposed in any user-facing configuration |
| Undercover Mode | System designed to prevent internal architecture details from being disclosed to users — made ironic by the source map leak itself |
Claw Code 的誕生
Sigrid Jin (@sigridjineth), previously profiled by the Wall Street Journal on March 21, 2026 as one of the most active Claude Code users with 25 billion tokens consumed, had flown to San Francisco for Claude Code's first birthday party. Upon learning of the leak, Jin began an overnight clean-room Python rewrite.
The rewrite was built using oh-my-codex (OmX) with two specialized modes:
- $team mode — Parallel code review for rapid iteration
- $ralph mode — Persistent execution for continuous development
The resulting repository — instructkr/claw-code — became the fastest repository to reach 30,000 stars on GitHub. As of this writing, it has accumulated 48,000+ stars, 56,000+ forks, and 335 watchers.
供應鏈攻擊
In the chaos surrounding the leak, a supply chain attack was attempted between March 31, 00:21–03:29 UTC. Malicious versions of the axios package (versions 1.14.1 and 0.30.4) were published to npm, containing a Remote Access Trojan (RAT) with a dependency on the suspicious plain-crypto-js package.
In the aftermath, Anthropic shifted Claude Code's distribution away from npm and toward a native installer:
隨後的生態系統
The leak and subsequent clean-room rewrite spawned a broader ecosystem of related projects:
| 專案 | 描述 |
|---|---|
| instructkr/claw-code | The primary clean-room Python/Rust rewrite — 48k+ stars, 56k+ forks |
| Kuberwastaken/claude-code | Source mirror with additional Rust reimplementation work |
| Ringmast4r archive | Preservation archive of the original leaked source |
| raullenchai/claw | tmux-based remote Claude Code controller |
| jamesrochabrun/Claw | Native macOS GUI client for Claude Code |
| GreenSheep01201/claw-empire | Extended claw-code with additional features |
| 0xKarl-dev/claw-codes | Independent Python/Rust agent framework |
揭示的架構秘密
The leaked source provided unprecedented insight into how a production-grade AI coding agent is actually built. Key revelations included:
- Tool System — Approximately 40 tools totaling 29,000 lines of TypeScript, covering file operations, code search, terminal execution, and more
- Query Engine — 46,000 lines handling prompt construction, context management, and response processing
- Multi-Agent Swarms — Proprietary orchestration for spawning and coordinating multiple agent instances
- IDE Bridge — JWT-authenticated communication channel between VS Code/JetBrains and the Claude Code backend
- Multi-Layer Memory — MEMORY.md-based persistence with session compaction and background consolidation
These architectural patterns, observed at arm's length, informed the clean-room design of Claw Code — which reimplemented each subsystem from first principles without copying any proprietary code.