Claude Code Leaked. We Rebuilt It.

Security researcher Chaofan Shou ignited a firestorm on March 31, 2026, flagging a critical leak of Anthropic’s Claude Code via an X (formerly Twitter) post. At approximately 08:23 UTC, Shou’s tweet alerted the tech world to the accidental exposure, which quickly went viral, amassing over 28 million views and drawing immediate attention from curious developers like Riley Brown.

The fallout was immediate and widespread. Within hours of Shou’s post, developers worldwide began reconstructing and mirroring the exposed source code on GitHub. One prominent repository rapidly accumulated over 84,000 stars and 82,000 forks, demonstrating the immense interest and rapid dissemination of Anthropic's intellectual property. Anthropic swiftly pulled the problematic version from the npm registry the same day, but the code was already out.

Anthropic had inadvertently published Claude Code v2.1.88 to the npm registry. While the package was minified, it crucially included .map files, also known as sourcemap files. These files are typically used for debugging, providing a direct blueprint to reconstruct the original, unobfuscated source code from its compressed or minified version. This technical oversight effectively handed over the complete internal workings of the AI.

The .map files enabled the complete reconstruction of approximately 512,000 to 513,000 lines of unobfuscated TypeScript across 1,906 files. This comprehensive leak revealed Claude Code to be a sophisticated multi-agent production system, far beyond a simple CLI wrapper. Its architecture included a custom terminal renderer built on a React-like system, CLI subcommands managed via Commander.js, and an advanced agent/orchestration layer designed for multi-agent coordination.

Analysts quickly discerned that the system, in active development since August 2024, was already in use by over 100,000 developers. The exposed code detailed dedicated fast paths for remote control, daemon workers, background sessions, and MCP helpers. Ironically, the leak also unveiled internal dependency names and a system called "Undercover Mode," designed to prevent internal information from leaking – a feature now paradoxically revealed.

Anthropic’s swift response confirmed the incident as "a release packaging issue caused by human error, not a security breach." The company assured the public that no sensitive customer data or credentials were involved or exposed, emphasizing the isolated nature of the technical misstep.

The leaked files exposed an astonishing 512,000 lines of unobfuscated TypeScript, spread across 1,906 distinct files. This massive trove of code, accidentally published via a `.map` file in Anthropic’s npm registry, offered an unprecedented look into the inner workings of Claude Code. It was not merely a simple command-line interface as some speculated, but a deeply layered system.

Instead, the codebase unveiled a sophisticated multi-agent production system, growing since August 2024 and used by over 100,000 developers. Researchers quickly discovered evidence of custom plugin agents and robust multi-agent delegation capabilities, confirming Claude Code's advanced architecture.

OpenAI Codex, used by Riley Brown to analyze the code, specifically identified dedicated fast paths for remote control, daemon workers, background sessions, MCP helpers, and other agent runtime modes. This complexity highlighted the system's role as a comprehensive agent runtime.

An ironic revelation within the code was the existence of "Undercover Mode." This internal system was explicitly designed to prevent sensitive internal information from leaking outside Anthropic’s environment. Its very exposure by the leak underscored the severity of the packaging error, highlighting a critical failure in its own protective design.

Further analysis detailed Claude Code's intricate internal dependencies. The system employs CLI subcommands via Commander.js for its user interface and features a custom terminal renderer built on a React-like system. This bespoke rendering engine allows for a rich, interactive command-line experience, extending far beyond typical terminal interactions.

An extensive agent/orchestration layer, central to Claude Code's design, facilitates complex multi-agent coordination. This core component underpins its ability to manage and direct multiple AI agents.

The sheer volume and clarity of the exposed code offered an unparalleled blueprint of Anthropic’s AI development. It revealed a finely tuned, actively developed platform, far more extensive than a basic tool. The leak provided a rare, granular glimpse into the operational mechanics of a cutting-edge AI agent, demonstrating the depth of its engineering.

Developer Riley Brown immediately recognized the gravity of The Leak. Rather than merely inspect the 512,000 lines of unobfuscated TypeScript, he embarked on an ambitious experiment: using a competing AI to dissect Anthropic's secret. Brown opted for OpenAI's Codex, stating it "would feel weird" to have Claude Code analyze itself.

Brown fed the entire codebase, spanning over 1,900 files, directly into Codex. His directive was simple: "Please tell me what you see in this project. Summarize this agent." This direct approach leveraged Codex's advanced code comprehension capabilities.

Codex swiftly identified the repository as the Claude Code CLI source tree. Its analysis confirmed a sophisticated architecture, highlighting dedicated fast paths for remote control, daemon workers, background sessions, MCP helpers, and various agent runtime modes. The AI also pinpointed built-in custom plugin agents and robust multi-agent delegation.

This unprecedented act of one advanced AI dissecting another carries profound meta-implications for software engineering. It showcased AI's capability not just to generate code, but to reverse-engineer, understand, and then facilitate modification of complex systems built by its peers. This incident underscores a pivotal shift where AI tools become integral not only to creation but also to the analytical and reconstructive processes of development. For more details on the initial leak, including Anthropic's response, see Claude's code: Anthropic leaks source code for AI software engineering tool - The Guardian.

Brown quickly transitioned from analyzing the leaked code to actively experimenting with it. Successfully running the over 512,000 lines of unobfuscated TypeScript locally, he connected the CLI to Anthropic’s cloud services using his personal Anthropic API key. This crucial step allowed the localized code to interact with the underlying Claude model, bringing the powerful agent to life on his own machine.

A vital first modification validated his control: renaming the CLI. What once presented itself as "Claude Code" in the terminal now responded as "RileyCode," a clear and immediate signal that Brown had successfully asserted ownership over the codebase. This simple change, executed within the core files, confirmed his ability to alter the tool's fundamental identity and function.

Such direct source access transcended the limitations of merely interacting with an AI via an API. Brown could dissect and reassemble the agent’s very essence, starting with its operational vocabulary. He identified existing action verbs like "Symbioting" and "working," then promptly replaced them with a custom lexicon designed to inject a unique, humorous personality: - Statusmaxing - Cloutmaxing - Mewing - Aura farming

Beyond custom verbs, Brown completely overhauled the agent's persona. He re-engineered its responses to mimic a "19-year-old intern" – direct, smart, and communicating in rapid, sometimes fragmented, lowercase messages. This intricate personality rewrite, stored in a dedicated `personality.txt` file, demonstrated the profound customization possible when one possesses the complete source code, allowing for deep modifications to an AI's behavioral patterns rather than just its output. This level of granular control remains impossible through standard API integrations.

Riley Brown, having achieved local execution, pivoted to the experiment’s most creative phase: fundamentally altering the agent’s core personality. This went beyond functional adjustments, aiming to imbue the system with an entirely new identity. Direct access to the raw Claude Code enabled deep-seated modifications impossible with a black-box API.

The initial step involved identifying and replacing original operational feedback. Brown pinpointed default Claude Code action verbs, such as "Spelunking" and "Symbioting," which described the AI's internal processes. Leveraging *Codex* by OpenAI, he curated a list of 20 novel, culturally resonant, humorous alternatives. These included modern internet slang like 'Statusmaxing', 'Mewing', and 'Aura farming', injecting a distinct, playful

Moving beyond a command-line interface, Riley Brown transformed his custom agent into a full-fledged desktop application. He leveraged Electron, a framework for building cross-platform apps with web technologies, to encapsulate the `RileyCode` agent. This marked a significant architectural shift from a terminal-based tool to a more accessible graphical environment.

Direct access to the half-million lines of *Claude Code* source proved instrumental for this ambitious undertaking. Unlike interacting with a restricted API, Brown could fundamentally alter the agent's core and build a custom user interface from the ground up, a capability entirely absent in the original *Claude Code* CLI. This level of control allowed for a truly tailored user experience.

The initial desktop application included essential functionalities for interacting with the `RileyCode` agent. Users gained a simple, intuitive UI, integrated chat history for persistent conversations, and direct, enhanced interaction with the personalized AI. Brown also enabled "memory" for the agent, allowing it to recall previous interactions within the app.

This development represented more than just a superficial tweak; it showcased fundamental product creation. Brown wasn't merely modifying an existing tool's output; he was constructing an entirely new application around the powerful AI engine he had re-engineered. This demonstrated the profound implications of having an entire codebase at one's disposal.

Ultimately, this experiment transcended basic modification, illustrating how leaked proprietary code can rapidly accelerate independent development. The ability to build a comprehensive desktop client around the core agent, bypassing the limitations of public APIs, offered a stark reminder of the value of source code, even for companies like Anthropic striving to protect their intellectual property.

Riley Brown’s deep dive into the leaked Claude Code transcended mere cosmetic changes to personality and interface. His most significant and arguably most controversial modification involved a fundamental alteration to the agent's operational security. Brown configured his "RileyCode" clone to operate with the --dangerously-skip-permissions flag enabled by default, fundamentally transforming its interaction model. This singular decision moved the agent decisively towards a state of greater, and potentially perilous, autonomy.

This flag, a crucial safety mechanism in the original Claude Code, typically requires explicit user permission before the AI agent executes shell commands or accesses the local file system. Bypassing this prompt meant RileyCode could perform operations like creating, modifying, or deleting files, running external scripts, and navigating directories without asking for confirmation. It effectively removed a vital human-in-the-loop control, granting the AI unfettered, direct access to the host system.

Enabling `--dangerously-skip-permissions` undeniably streamlines the agent's workflow, allowing it to tackle complex, multi-step tasks with unprecedented fluidity and speed. This unchained autonomy promises a future of highly efficient AI assistants. Yet, this convenience comes at a steep price: a dramatic increase in security risks. An agent operating without these guardrails could inadvertently corrupt system files, exfiltrate sensitive data, or even introduce vulnerabilities through unforeseen execution paths, all without human intervention.

Riley Brown’s deliberate unchaining of the agent directly confronts the escalating industry debate around AI agent autonomy and the critical importance of safety guardrails. As powerful large language models like Claude Code gain sophisticated reasoning and tool-use capabilities, the tension between maximizing their potential and ensuring their safe deployment intensifies. This experiment, born from The Leak of Claude Code, vividly illustrates the tangible and often risky implications of granting AI agents unchecked control over their environment. It forces a reevaluation of default security postures in advanced AI systems.

Riley Brown embarked on a complete UI/UX overhaul for his custom desktop application, transforming the command-line utility into a highly polished coding environment. Drawing inspiration from sleek, modern interfaces, he meticulously redesigned every visual element. The goal was to create an intuitive, aesthetically pleasing workspace that felt both powerful and personal.

A semi-transparent UI became a cornerstone of the new design, offering a contemporary look that allowed for subtle integration with the user's desktop. This visual choice, paired with the ability to implement a custom background, brought an unprecedented level of personalization to the agent's interaction window. The desktop app no longer felt like a generic tool but a tailored extension of the user's workspace.

Message bubbles underwent a significant redesign, adopting a clean, familiar iPhone-like aesthetic. This change enhanced readability and created a more engaging, conversational flow, making interactions with the AI feel natural and less like a programmatic exchange. Brown also refined the overall layout, reorganizing elements for improved navigation and optimizing screen real estate to present information clearly and concisely.

Beyond visual appeal, Brown engineered a crucial functional upgrade: a persistent memory system. This innovation introduced a dedicated 'soul.md' file within the application's directory, designed to store the agent's ongoing context and conversational history. This meant that the AI could now retain information about the user, their projects, and their preferences across multiple sessions, eliminating the need for constant re-explanation.

The 'soul.md' file acted as a cumulative brain for the agent, allowing it to build a deeper understanding of the user's workflow and individual coding style over time. This continuous learning capability fostered a more collaborative and efficient relationship, turning fragmented interactions into a seamless, evolving dialogue. The agent could recall past instructions, completed tasks, and even personal quirks, making each subsequent session more productive.

These comprehensive changes elevated Brown’s RileyCode from a basic, modified CLI tool to a sophisticated, personalized development environment. The transformation from a raw, leaked codebase to a highly refined desktop application demonstrated the profound impact of thoughtful design and user-centric features. What started as an experiment in rebuilding Claude Code ultimately culminated in a unique coder's canvas, designed for maximum efficiency and an unparalleled user experience.

Beyond the immediate embarrassment for Anthropic, the Claude Code leak exposes profound security vulnerabilities and systemic challenges facing the entire AI development ecosystem. This incident fundamentally shifts the paradigm for AI security, moving beyond reactive measures to proactive, deep analysis of internal agent mechanics. The full exposure of a production multi-agent system, used by over 100,000 developers, reveals the critical need for stricter code hygiene.

AI security firm Straiker immediately highlighted the fundamental change in the threat landscape. Attackers, they noted, can now meticulously study the internal pipeline of agents, crafting sophisticated payloads with unprecedented precision. This makes traditional "blind jailbreaking" attempts, which rely on trial-and-error, increasingly obsolete as adversaries gain a literal schematic of the target system.

Anthropic officially attributed the incident to a "plain developer error"—a release packaging issue where minified JavaScript was accidentally accompanied by `.map` files in their npm registry. This wasn't merely an isolated mistake, but underscores the systemic challenges inherent in securing complex, fast-moving software development environments, where even minor oversights can have catastrophic consequences for intellectual property and user trust.

The approximately 512,000 lines of unobfuscated TypeScript, spread across over 1,900 files, provided an invaluable blueprint of Claude Code's inner workings. This deep insight allows malicious actors to identify specific weak points, understand control flows, and develop highly targeted attacks that exploit the very architecture of the AI, including its custom plugin agents and multi-agent delegation system.

This event is not an isolated anomaly. It follows a troubling pattern of emerging security issues in the AI space, from data poisoning to model inversion attacks, underscoring the nascent industry’s struggle with robust security protocols. Developers seeking to understand such intricate code structures or explore AI-assisted analysis tools can find further resources on platforms like Codex - OpenAI Developers, which played a crucial role in Riley Brown’s own experiment. The leak serves as a stark reminder that as AI systems grow in complexity, so too do the vectors for exploitation, demanding a new level of vigilance.

Anthropic's Claude Code leak starkly exposed the fundamental tension between closed, proprietary AI systems and the open-source ethos driving developer innovation. Companies invest heavily in protecting their intellectual property, yet the community actively seeks transparency, often pushing boundaries to understand complex 'black box' technologies. This incident ignited a debate on how AI's future will balance secrecy with progress.

While problematic, the "release packaging issue caused by human error" inadvertently fueled unprecedented community experimentation. Riley Brown's rapid analysis with OpenAI Codex and subsequent reconstruction into "RileyCode" demonstrated this agility. Developers like Brown now possess blueprints for building custom AI agents, showcasing the power of collective ingenuity once secrets are out.

The exposure of approximately 512,000 lines of unobfuscated TypeScript across over 1,900 files offered an unparalleled look inside a sophisticated multi-agent production system. This deep dive revealed Claude Code's architecture, including its custom terminal renderer, Commander.js CLI subcommands, and intricate agent orchestration layer. It demystified internal dependency names and even a system called "Undercover Mode," ironically exposed by the leak itself.

This incident triggers critical questions about the future of AI security and necessary development practices. How can companies prevent such "human error" when deploying highly sensitive AI intellectual property? The ease with which the `.map` files allowed complete source code reconstruction demands a re-evaluation of deployment pipelines and obfuscation strategies for cutting-edge AI.

The "cat is out of the bag," irreversibly influencing the next generation of AI tools. Developers have now seen what’s possible, from altering an agent's core personality to enabling "--dangerously-skip-permissions" by default. This direct exposure to Claude Code's inner workings will inevitably shape future AI design, potentially fostering more modular, transparent, or at least more securely deployed, systems across the industry.

How did the Claude Code source code get leaked?

The leak occurred due to a packaging error where JavaScript sourcemap files (`.map`) were mistakenly included in an npm package release. These files allowed the original TypeScript source code to be fully reconstructed.

What did the leak reveal about Claude Code?

It revealed that Claude Code is a complex, multi-agent production system, not just a simple CLI wrapper. The code showed its internal architecture, custom plugins, multi-agent delegation capabilities, and even a system called 'Undercover Mode'.

Was the Claude Code leak a security breach?

According to Anthropic, it was a 'release packaging issue caused by human error,' not a security breach. They confirmed no sensitive customer data or credentials were exposed.

What is the significance of using OpenAI Codex to analyze the code?

Using a rival AI like OpenAI Codex to deconstruct and modify Claude Code highlights the meta-narrative of AI tools being used to understand and manipulate other AI tools, showcasing a new frontier in software engineering and reverse engineering.