Skip to main content
📝 Claude Code

Claude's 512K-Line Leak: What Anthropic Didn't Want You to See

Anthropic's 512,000-line Claude source code leak exposed Mythos, KAIROS, and Autodream. I break down what it means for developers and what's coming next.

20 min

Read time

3,832

Words

Apr 04, 2026

Published

Engr Mejba Ahmed

Written by

Engr Mejba Ahmed

Share Article

Claude's 512K-Line Leak: What Anthropic Didn't Want You to See

Claude's 512K-Line Leak: What Anthropic Didn't Want You to See

A missing .npmignore entry. That's it. That's what separated Anthropic's most closely guarded secrets from every developer with an npm install command.

On March 31st, 2026, at 00:21 UTC, someone on Anthropic's release team pushed Claude Code v2.1.88 to the npm registry. Bun — the JavaScript runtime Anthropic acquired in late 2025 — generates source maps by default. Nobody excluded them from the package. Within three hours, 512,000 lines of unobfuscated TypeScript across roughly 1,900 files were mirrored, forked, and dissected by tens of thousands of developers worldwide. A clean-room rewrite hit 50,000 GitHub stars in two hours — likely the fastest-growing repository in GitHub's history.

Anthropic confirmed the leak's authenticity without denying a single detail. And what those 512,000 lines revealed wasn't just some internal plumbing and debug flags. It was an entirely different vision of what AI-assisted development looks like — one where your coding agent never sleeps, dreams while you're away, and operates at a capability tier so dangerous it can't be released to the public.

I've spent the past five days reading every credible teardown, cross-referencing the leaked code references with Anthropic's confirmed statements, and mapping what this means for developers who build with Claude every day. Here's what I found — and why some of it genuinely unsettled me.

How 512,000 Lines Walked Out the Front Door

The mechanics of this leak deserve attention, because they reveal something important about the state of AI infrastructure in 2026.

Claude Code is built on Bun, which compiles TypeScript into bundled JavaScript for distribution. Standard practice. But Bun generates .map source map files by default — detailed files that map the compiled output back to the original source code. Every variable name, every internal comment, every unreleased feature flag, preserved in full fidelity.

The fix would have been a single line in .npmignore:

*.map

Or a files field in package.json that explicitly whitelisted only the compiled output. Either approach takes about fifteen seconds to implement. Neither was done.

Between 00:21 and 03:29 UTC on March 31st, anyone who installed or updated Claude Code via npm pulled down a 59.8 MB source map containing the entire codebase. The Hacker News reported that a trojanized version of the HTTP client appeared within that window — a cross-platform remote access trojan piggybacking on the chaos. Anthropic yanked the package, but the source was already everywhere.

Here's the part that should make every engineering leader uncomfortable: this is the second major security lapse from Anthropic in a single week. Fortune reported that just days earlier, a misconfigured content management system had leaked a draft blog post about an unreleased model called Mythos. Two leaks. One week. From the company building AI safety into its core identity.

I'm not pointing this out to pile on. I'm pointing it out because the irony is instructive. The company building the most safety-conscious AI models in the industry was undone by .npmignore and a CMS misconfiguration. Infrastructure security isn't about philosophy — it's about checklists. And Anthropic missed the checklist twice.

But what came out of the leak? That's where things get genuinely fascinating.

The Internal Code Names: Fenck, Capra, Tangu, and Numbat

Buried in the source code were internal code names for Claude's model tiers. If you've been following Anthropic's naming conventions, three of these were expected:

  • Opus = Fenck
  • Sonnet = Capra
  • Haiku = Tangu

Standard stuff. Every AI company uses internal code names to decouple product branding from engineering references. What caught everyone's attention was a fourth name: Numbat. It appears in the codebase with no corresponding public model, no documentation, no marketing material. Just references in the code that confirm it exists.

The leaked source also contained version strings for Opus 4.7 and Sonnet 4.8 — neither of which has been announced. These weren't buried in commented-out test files. They appeared in version validation logic and compatibility checks, suggesting they're actively being developed and tested internally.

Prediction markets moved fast on this. Polymarket currently prices the probability of Claude 4.7 shipping before June 30, 2026 at roughly 59%. Given Anthropic's recent cadence — Opus 4.6 dropped February 5th, Sonnet 4.6 followed on February 17th — a mid-2026 release for the next generation isn't speculation. It's the expected trajectory.

But Opus 4.7 and Sonnet 4.8 aren't even the most interesting finding. Not by a long shot.

Mythos and the Capybara Tier: The Model Too Dangerous to Release

The draft blog post that leaked days before the source code dump referenced something Anthropic called Claude Mythos, operating under a new tier called Capybara (internally referenced as "Capiara" in some code paths). This isn't a minor upgrade. Fortune obtained Anthropic's internal description: a model representing a "step change" in capabilities, "larger and more intelligent than our Opus models — which were, until now, our most powerful."

Let that sink in. Anthropic's own internal language describes Capybara as a tier above Opus. Not a replacement — an addition. A fourth tier that sits at the top of the capability stack, designed for compute-intensive tasks that push beyond what even Opus can handle.

The benchmark numbers from the leaked documentation tell the story:

Benchmark Claude Opus 4.6 Claude Mythos (Capybara) Improvement
S.E. Bench Verified 80.8% 87.4% +6.6%
Terminal Bench 2.0 65.4% 78.4% +13.0%
GPQA Diamond Mid-80s (est.) Significant jump

Those Terminal Bench numbers are staggering. A 13-percentage-point improvement on a benchmark that measures real-world terminal command execution and system administration tasks. For context, the gap between GPT-5.4 and Opus 4.6 on S.E. Bench is less than one percentage point (80.0% vs 80.8%). Mythos doesn't close gaps — it creates new ones.

The model reportedly ships with a native 1-million-token context window. Not an extended context bolt-on. Native. Built into the architecture from the ground up.

So why haven't you heard of it until now? Because Anthropic won't release it publicly.

According to multiple sources analyzing the leaked materials, Mythos demonstrated an ability that crossed a line Anthropic wasn't comfortable with: it can discover and exploit software vulnerabilities faster than human security teams can patch them. The model's cybersecurity capabilities were so advanced that Anthropic restricted access to a handful of early-access cyber defense clients — organizations trusted to use offensive AI capabilities for defensive purposes only.

This is a pivotal moment for the AI industry. We've moved from "AI might eventually be dangerous" to "we built something so capable we can't release it." Anthropic made a deliberate business decision to leave money on the table — potentially enormous amounts of money — because the safety implications of widespread Mythos access were too significant.

Whether you trust Anthropic's judgment here depends on your broader views about AI governance. But the fact that a for-profit company voluntarily withheld its most capable product tells you something about what they saw in testing. If you're running any kind of production infrastructure, this is your signal to take your security posture seriously — because the offensive capabilities Mythos represents will eventually proliferate, whether from Anthropic or from a competitor with fewer guardrails. For a deeper dive on Claude's security capabilities in the current model, check out my breakdown on how Claude Code's security upgrades work in practice.

KAIROS: The Agent That Never Sleeps

The source code leak revealed something that, for me personally, was more interesting than Mythos: an unreleased feature called KAIROS.

The name comes from Ancient Greek — kairos means "the opportune moment," as opposed to chronos (sequential time). It's a fitting name for what the code describes: an autonomous daemon mode where Claude Code operates as a persistent background agent.

Here's how KAIROS works based on the leaked implementation:

1. The Heartbeat System KAIROS runs on a tick-based heartbeat, checking in at regular intervals to assess whether it should take action. Think of it like a cron job, but intelligent — it doesn't just execute on a schedule, it evaluates whether action is warranted based on current project state.

2. Proactive Action Budget The agent has a 15-second proactive action window per tick. That's a deliberately tight constraint. Enough time to run a test, check a CI pipeline, or scan for issues — but not enough to go rogue and rewrite your codebase while you're getting coffee.

3. Context-Aware Mode Switching When KAIROS detects that the user has shifted focus (switched to a different window, gone idle, stepped away), it activates autonomous mode. When the user returns, it switches back to collaborative mode — surfacing what it did while you were away and waiting for your input before taking further action.

4. Exclusive Daemon Tools The leaked code references tools that only KAIROS can access: PushNotification (to alert you when something important happens), SubscribePR (to monitor pull request activity), and several others designed for background operation.

If you've been following my writing on Claude Code's agent swarm architecture, KAIROS represents the natural evolution of that pattern. The swarm architecture gave Claude the ability to coordinate multiple sub-agents on complex tasks. KAIROS gives those agents the ability to keep working when you're not watching.

Imagine this: you're working on a feature branch. You push your changes and close your laptop for lunch. While you're gone, KAIROS notices the CI pipeline failed. It reads the error logs, identifies a flaky test, investigates whether the flake is related to your changes or pre-existing, and opens a PR with a fix. When you come back, there's a notification: "Fixed flaky test in auth_middleware_spec.rb — CI passing on your branch now. Want me to merge?"

That's not a hypothetical workflow I'm dreaming up. That's what the leaked code architecture describes. The infrastructure is built. The tools are defined. The mode-switching logic is implemented. It's just not shipped yet.

The implications for solo developers are enormous. KAIROS essentially gives you a junior developer who works while you sleep, eats nothing, and never complains about being assigned to fix flaky tests. For teams, it's a force multiplier that handles the maintenance grunt work that nobody wants to do but everybody needs done.

Autodream: Teaching AI to Sleep

If KAIROS is the agent that never sleeps, Autodream is the system that teaches it to dream.

Anyone who has worked with AI coding agents on long sessions knows the problem: context entropy. The longer a session runs, the more the agent's understanding of your project degrades. It starts forgetting early decisions. It contradicts instructions from twenty minutes ago. Compaction — where the agent summarizes its context to free up tokens — loses important nuance. By hour two, you're basically working with an agent that has amnesia.

Autodream attacks this problem at its root. When the user goes idle, Autodream spawns a forked sub-agent that runs a memory consolidation process. The parallels to human sleep are intentional and surprisingly precise:

Merge Overlapping Observations If the main agent observed the same pattern in three different files across the session, Autodream collapses those into a single, confident observation. "The project uses the repository pattern for all database access" instead of three separate notes about individual files.

Eliminate Contradictions Long sessions accumulate contradictory context. Early in the session, the agent might note "this project uses REST APIs." Later, after working in a different module, it might observe "this project uses GraphQL." Autodream resolves these: "The project uses REST for public APIs and GraphQL for internal service communication."

Convert Vague Assumptions into Firm Facts Raw session context is full of hedged observations: "This file might be the entry point" or "This pattern looks like it could be the auth middleware." Autodream evaluates these against the full codebase and either confirms them as facts or discards them.

The implementation is architecturally elegant. The dream sub-agent receives read-only bash access — it can inspect your code but never modify it. Write access is limited exclusively to memory files. This means Autodream can consolidate and clarify the agent's understanding of your project without any risk of accidentally modifying your source code during a background process.

If you've read my piece on building self-improving AI systems with Claude Code, Autodream is that concept taken to its logical endpoint. Instead of the developer building reflection loops manually, the agent handles its own memory maintenance. The system improves itself by pruning bad context and strengthening good context — autonomously, in the background, while you're doing something else entirely.

This is the feature I'm most excited about from the entire leak. Not because it's the flashiest — Mythos's benchmarks are more impressive on paper — but because context entropy is the single biggest pain point in my daily AI-assisted workflow. A model that consolidates its own memory during downtime solves a problem I fight with every single day.

The 2026 AI Model Landscape: Where Does This Leave Everyone?

The Claude source code leak didn't happen in isolation. It dropped into an AI landscape where three companies are locked in an increasingly tight race. Here's where things stand as of early April 2026:

Model S.E. Bench Verified Key Strength Context Window
Claude Opus 4.6 80.8% UI work, architectural decisions, aesthetic understanding 200K (1M available)
GPT-5.4 80.0% Terminal environments, DevOps, raw execution speed 1M
Gemini 3.1 Pro 80.6% Best price-to-performance ratio 1M native
Claude Mythos (unreleased) 87.4% Everything — particularly cybersecurity 1M native

The gap between the top three publicly available models is razor-thin. Less than one percentage point separates them on the most respected coding benchmark. That's not a race where any single model "wins." It's a race where the best strategy is matching the right model to the right task.

GPT-5.4 excels in terminal-heavy workflows — DevOps, infrastructure automation, system administration tasks where raw command execution speed matters more than code aesthetics. I covered this extensively in my GPT-5.4 first look.

Gemini 3.1 Pro offers the best value proposition. If your bottleneck is API cost rather than raw capability, Google's model delivers 80.6% S.E. Bench performance at a fraction of what Opus costs per token. My Gemini 3.1 Pro review breaks down the specific use cases where it outperforms models twice its price.

Opus 4.6 remains my daily driver for anything involving UI generation, complex architectural decisions, or tasks where the output needs to look and feel polished. Its aesthetic understanding — the ability to generate code that produces visually coherent results — is still unmatched. My hands-on review of Opus 4.6 covers this in detail.

But the trend I'm watching isn't about which model is "best." The trend is intelligence orchestration — using different models for different subtasks within the same project, based on their specific strengths. The KAIROS daemon architecture in the leaked code actually supports this pattern. The background agent could theoretically dispatch different model tiers for different types of background tasks: Haiku for quick lint checks, Sonnet for test analysis, Opus for architectural review.

We're moving from "which AI model should I use?" to "how do I compose an AI system from multiple specialized models?" That's a fundamentally different question, and it requires a fundamentally different skillset.

What the Internal Code Names Tell Us About Anthropic's Roadmap

Let me connect some dots that I haven't seen anyone else lay out clearly.

The leaked code references four model code names: Fenck (Opus), Capra (Sonnet), Tangu (Haiku), and the mysterious Numbat. Plus the Capybara tier for Mythos. That's five internal identifiers for a company that currently ships three public tiers.

Here's what I think is happening.

Anthropic is restructuring its model lineup. The current three-tier system (Haiku / Sonnet / Opus) was designed when models had clear capability tiers. But as the performance gap between tiers narrows — Sonnet 4.6 handles tasks that required Opus 3.5 just a year ago — the tiering logic needs to evolve.

Capybara (Mythos) adds a ceiling above Opus for compute-intensive, high-stakes tasks. Numbat likely fills a gap somewhere in the current lineup — perhaps a tier between Haiku and Sonnet optimized for high-throughput, low-latency tasks where Haiku's too limited but Sonnet's overkill. Think API-heavy workloads where you're making thousands of model calls per minute and need consistent quality without Sonnet-level cost.

The Opus 4.7 and Sonnet 4.8 version strings confirm that Anthropic's development cadence is fast. They're not resting on 4.6. With a 59% prediction market probability of 4.7 shipping before July, the next generation is likely in late-stage testing right now.

For developers building on Claude's API, this means your model selection logic needs to be flexible. Hard-coding claude-opus-4-6-20260205 into your application is going to bite you within months. Build abstraction layers. Use model aliases. Design your systems to swap models without rewriting integration code.

What Should Developers Actually Do With This Information?

I've spent five days deep in this story. Here's what I'm actually changing about my own workflow based on what I've learned.

1. Prepare for Autonomous Agents — They're Coming Faster Than Expected

KAIROS isn't a research prototype. The leaked code shows production-grade implementation with safety constraints, mode switching, and tool permissions. When this ships — and it will ship, likely within 2026 — the developer workflow changes fundamentally. Start thinking about which parts of your workflow could benefit from a background agent: CI monitoring, code review triage, dependency update analysis, security scanning.

If you'd rather have someone build these autonomous agent workflows from scratch, I take on AI integration and automation projects. You can see what I've built at fiverr.com/s/EgxYmWD.

2. Upgrade Your Security Posture — Right Now

Mythos can find vulnerabilities faster than human defenders can patch them. That capability exists today, even if it's restricted. Other labs are building similar capabilities. Offensive AI tools will proliferate. If your application has unpatched dependencies, misconfigured servers, or the kind of sloppy security debt that "nobody has time to fix," the window for fixing it quietly is closing.

Run npm audit on every project. Update your dependencies. Enable automated security scanning in your CI pipeline. These aren't optional anymore — they're survival basics.

3. Learn Intelligence Orchestration

The era of picking one AI model and using it for everything is ending. The developers who'll thrive in 2026 and beyond are the ones who can compose systems from multiple specialized models. Start experimenting with routing different task types to different models. Use Haiku for classification and triage. Use Sonnet for generation and iteration. Use Opus for review and architecture. Build the muscle memory now while the tooling is still maturing.

4. Design for Memory Persistence

Autodream reveals Anthropic's answer to context entropy — and it's a good one. But even before it ships, you can design your workflows around the same principle. Use CLAUDE.md files, memory banks, and session summaries to give your agent persistent context. When Autodream does ship, it'll enhance what you've already built. You're not waiting for the feature — you're building the foundation it'll sit on.

5. Watch the Numbat

Whatever Numbat turns out to be, it represents Anthropic's bet on a capability gap in the current lineup. If it's a high-throughput tier between Haiku and Sonnet, it could dramatically change the economics of AI-heavy applications. Keep an eye on Anthropic's release notes. When Numbat surfaces, early adopters who already have model abstraction layers in place will be able to integrate it immediately.

The Bigger Picture: What Anthropic's Worst Week Reveals About AI's Best Future

Take a step back from the specific features and benchmark numbers. What does this leak actually tell us about where AI development is headed?

Three things stand out.

Autonomous AI isn't a future state — it's an engineering problem being solved right now. KAIROS and Autodream aren't conceptual. They're implemented. The safety constraints are defined. The mode-switching logic works. The only gap between here and deployment is testing, refinement, and Anthropic's risk tolerance. The question isn't "will AI agents work autonomously?" It's "when will the companies feel safe enough to ship it?"

The safety-capability tension is real and getting sharper. Anthropic built a model that outperforms everything on the market by a wide margin, then locked it in a vault because the cybersecurity implications were too serious. That tension — build the most capable thing possible, then decide whether to release it — is going to define the next two years of AI development. Every major lab is facing the same trade-off. How they resolve it will shape the industry more than any benchmark improvement.

The moat isn't model intelligence — it's the system around the model. Mythos's benchmarks are impressive. But the features that would change my daily life aren't about raw intelligence. They're about KAIROS running tests while I sleep. Autodream consolidating my agent's memory while I eat lunch. PushNotification alerting me when my background agent found something important. The model is a component. The system is the product.

That last point is the one I keep coming back to. We've been so focused on which model scores highest on which benchmark that we've missed the real race. The real race is who builds the best system around the model — the autonomous loop, the memory persistence, the intelligent orchestration.

Based on what I saw in those 512,000 lines, Anthropic is further along in that race than I expected. A lot further.

The .npmignore mistake cost Anthropic its competitive surprise. But for developers like you and me, it gave us something valuable: a clear view of the road ahead. And that road leads somewhere specific — toward AI systems that don't just respond when asked, but anticipate, act, and improve while we're not looking.

The question isn't whether you're ready for that future. The question is whether you're building toward it right now — or whether you'll be scrambling to catch up when it arrives.

FAQ

Frequently Asked Questions

Everything you need to know about this topic

On March 31, 2026, 512,000 lines of Claude Code's TypeScript source code were exposed via npm source maps due to a missing .npmignore entry. The leak revealed internal model code names, unreleased features like KAIROS and Autodream, and references to upcoming model versions including Opus 4.7 and Sonnet 4.8. For the full breakdown of each discovery, see the sections above.

Claude Mythos is Anthropic's unreleased ultra-tier model operating under the "Capybara" tier classification, scoring 87.4% on S.E. Bench Verified compared to Opus 4.6's 80.8%. It is currently restricted to select cyber defense clients due to its ability to discover vulnerabilities faster than human teams can patch them. No public release date has been announced.

KAIROS is an unreleased autonomous daemon mode that lets Claude Code operate as a persistent background agent. It uses a heartbeat system with a 15-second proactive action budget, switches between autonomous and collaborative modes based on user presence, and includes exclusive tools like PushNotification and SubscribePR for background operations.

Autodream is a background memory consolidation system that spawns a forked sub-agent during user idle periods. It merges overlapping observations, eliminates contradictions in session context, and converts vague assumptions into confirmed facts — all with read-only code access and write access limited to memory files only.

Opus 4.7 and Sonnet 4.8 appeared in version validation logic within the leaked source code, confirming active internal development. Prediction markets estimate roughly 59% probability of Claude 4.7 shipping before June 30, 2026, though Anthropic has made no official announcement.

Let's Work Together

Looking to build AI systems, automate workflows, or scale your tech infrastructure? I'd love to help.

Coffee cup

Enjoyed this article?

Your support helps me create more in-depth technical content, open-source tools, and free resources for the developer community.

Related Topics

Engr Mejba Ahmed

About the Author

Engr Mejba Ahmed

Engr. Mejba Ahmed builds AI-powered applications and secure cloud systems for businesses worldwide. With 10+ years shipping production software in Laravel, Python, and AWS, he's helped companies automate workflows, reduce infrastructure costs, and scale without security headaches. He writes about practical AI integration, cloud architecture, and developer productivity.

Discussion

Comments

0

No comments yet

Be the first to share your thoughts

Leave a Comment

Your email won't be published

1  +  8  =  ?

Continue Learning

Related Articles

Browse All

Comments

Leave a Comment

Comments are moderated before appearing.

Learning Resources

Expand Your Knowledge

Accelerate your growth with structured courses, verified certificates, interactive flashcards, and production-ready AI agent skills.

Sample Certificate of Completion

Sample certificate — complete any course to earn yours

Engr Mejba Ahmed

Engr Mejba Ahmed

Claude Code Expert · Online

👋

Hey there!

Quick Actions

WhatsApp Instant reply

Chat on WhatsApp

+880 1723 741224 · Instant reply

Popular Questions

Engr Mejba Ahmed is connected
Engr Mejba Ahmed is typing...
Engr Mejba Ahmed avatar

✉ Want me to follow up? Drop your email

Engr Mejba Ahmed avatar

📞 Connect Directly

Choose how you'd like to reach me

WhatsApp

+880 1723 741224

Email

[email protected]

✓ Details sent! I'll get back to you shortly.

Powered by OpenAI

335+

Blog Posts

25

AI Courses

63

Projects

Services & Expertise

Pricing & Process

Learning & Resources

Connect & Support