Claude Code: 512,000 Lines Leaked Reveal Kairos, a 24/7 Permanent AI Agent Anthropic Never Announced
A forgotten source map in an npm publish exposes 512,000 lines of Claude Code TypeScript, revealing Kairos, a permanent AI daemon, and Undercover Mode that erases AI traces.
A routine npm publish. A 59.8 MB source map left in the build. And 512,000 lines of TypeScript revealing that Claude Code hides a permanent 24/7 agent, an AI trace erasure mode, and 44 features never announced. This is Anthropic's second major leak in five days. And the timing couldn't be worse: California had just mandated AI watermarking 24 hours earlier.
One Source Map, 512,000 Lines, 30 Minutes
On March 31, 2026, Anthropic publishes the @anthropic-ai/claude-code package version 2.1.88 on npm — the public JavaScript package registry. Nothing unusual. Except one file should never have been included: cli.js.map, 59.8 MB.
A source map is a debugging tool. It links minified code (unreadable, optimized) to the original source code (readable, commented). The sourcesContent field in this file contained the entirety of Claude Code's TypeScript source. 512,000 lines.
Think of it as publishing a book with all your drafts, annotations, and internal notes attached as an appendix.
An independent researcher spots the file within hours. A GitHub mirror repo appears. Within 30 minutes: 5,000 stars. Anthropic pulls the npm package. Too late. The internet keeps everything.
The context makes it worse: this is Anthropic's second leak in five days. On March 26, a CMS leak revealed Claude Mythos, a model deemed too dangerous to release.
Kairos: The Permanent Agent They Never Told You About
"Autonomous daemon with permanent life."
That's how Anthropic describes Kairos internally, in the source code. A daemon, in computing, is a process that runs in the background without human intervention. Kairos isn't a plugin. It isn't an extension. It's a permanent autonomous agent architecture built into the core of Claude Code.
What the code reveals:
- Background sessions — Kairos runs 24/7 without user interaction
- Continuous memory — The agent retains context between sessions
- Progressive understanding — It learns your project over time
- Autonomous tasks — It executes actions without human intervention
The central question: was Kairos already active for some users? If so, Claude Code could run silently on your machine after you closed your terminal. Anthropic never documented or announced this feature.
The code also reveals a cron scheduling infrastructure — programmed time-based triggers. Combined with Kairos, this forms a persistent, programmable autonomous agent. Again, never announced.
Coordinator Mode: The Claude That Manages Other Claudes
The source code unveils a second major feature: Coordinator Mode. The concept is straightforward. A "master" Claude instance receives your task, breaks it into subtasks, spawns parallel "worker" Claude agents, and synthesizes their results.
This is native multi-agent — an architecture where multiple AI agents collaborate without the user seeing the internal mechanics. The user talks to one Claude. Behind the scenes, five Claudes are working.
This approach mirrors what Meta is exploring with HyperAgents at research scale. The difference: Claude Code was already doing it locally, on your code, without your knowledge.
Undercover Mode: The Most Problematic Feature
This is the leak's most controversial revelation.
Undercover Mode activates automatically when Anthropic employees operate in public repositories. Its action: erase all AI traces in commits. Its distinguishing trait: it cannot be manually disabled.
In plain terms: Anthropic employee contributions to open-source projects may be unidentifiable as AI-generated. No markers. No attribution. No transparency.
The timing is devastating. The day before — March 30, 2026 — Governor Newsom signed an Executive Order mandating AI watermarking in California. Watermarking means marking all AI-generated content in a traceable way. Undercover Mode is the architectural opposite of what this law requires.
Anthropic, headquartered in San Francisco, will need to explain this mode to California regulators.
44 Feature Flags and the Complete System Prompt
Beyond the three major features, the leak reveals 44 feature flags — functionality switches compiled into the code but disabled (false conditions in the public build). Over 20 features are fully built but never shipped to users.
The code also contains Claude Code's complete system prompt. A system prompt is the initial instruction that dictates an AI model's behavior. Claude Code's system prompt reveals how it reasons about tasks: its priority hierarchy, constraints, and internal decision logic.
| Feature | Description | Announced? | Controversy |
|---|---|---|---|
| Kairos | Permanent 24/7 daemon, background agent | ❌ Never | 🔴 Very high |
| Coordinator Mode | Claude orchestrates worker Claudes | ❌ Never | 🟠 High |
| Undercover Mode | Erases AI traces in public repos | ❌ Never | 🔴 Very high |
| 44 feature flags | Fully built features never shipped | ❌ Never | 🟠 High |
| Complete system prompt | Internal reasoning logic | ❌ Never | 🟡 Moderate |
Two Leaks in 5 Days: The "Safety-First" Lab Facing Its Contradictions
The GitGuardian report published the previous week had already added a layer: Claude Code-assisted commits show a secrets leak rate (API keys, tokens) of 3.2% — double the GitHub average. Two CVEs related to API key exfiltration through Claude Code had already been disclosed.
| Date | Leak type | Key revelation | Cause |
|---|---|---|---|
| March 26 | CMS misconfiguration | Claude Mythos (Capybara) | Human error CMS |
| March 31 | npm source map | Kairos + Undercover Mode | Human error npm |
| Ongoing | GitGuardian | 3.2% secrets leak rate in commits | Claude Code architecture |
Anthropic is the most "AI safety"-focused lab in the industry. Its founding mantra: "safety first." In five days: two of the most significant leaks in AI history. Both caused by basic human error.
This isn't a critique. It's a reality: operational security (opsec — protecting internal systems and processes) and AI safety (model alignment) are two different disciplines. Anthropic excels at the latter. This week proved it can fail at the former.
Key Takeaways:
- On March 31, 2026, Anthropic accidentally publishes Claude Code v2.1.88 on npm with its complete source map — 512,000 lines of TypeScript exposed
- Key revelation: Kairos, an "autonomous daemon with permanent life" — a 24/7 background AI agent never publicly announced
- Other hidden features: Coordinator Mode (native multi-agent), Undercover Mode (automatic AI trace erasure for Anthropic employees), 44 unshipped feature flags
- Second Anthropic leak in five days after the March 26 CMS leak revealing Claude Mythos
- Critical timing: Undercover Mode puts Anthropic at odds with the Newsom Executive Order mandating AI watermarking in California, signed just 24 hours earlier
Anthropic built a permanent agent (Kairos), a multi-agent orchestrator (Coordinator Mode), and an AI trace eraser (Undercover Mode) — and told no one. This isn't necessarily malicious. It may be unfinished R&D, active development code, features planned for a future announcement. But in this week's context — Claude Mythos "too dangerous," Newsom watermarking, GitGuardian secrets leaks — every line of this source code is read through a lens of doubt. And Anthropic will have to answer. Not about AI safety. About the safety of Anthropic itself.
Sources: full technical analysis, AI governance implications, 510,000 lines analyzed.
