Anthropic Accidentally Leaked Claude Code's Source Code Again

For the second time, Anthropic shipped Claude Code to npm with an unminified 59.8MB source map file fully intact. The cause was identical to the first incident on launch day in February 2025: a missing *.map entry in .npmignore. Version 2.1.88 exposed the complete internal codebase, and developer Sabrina Ramonov published a detailed analysis of what's inside.

The findings range from fascinating to concerning.

KAIROS: Claude Code's Autonomous Daemon

The most significant discovery is KAIROS, an unreleased feature that turns Claude Code into an autonomous agent running in the background. It works via GitHub webhooks and 5-minute cron cycles, meaning Claude could monitor repos and take action without a human in the loop.

KAIROS includes a /dream command for background memory consolidation (letting the model organize and process information between sessions) and exclusive tools like SendUserFileTool and PushNotificationTool. This looks like Anthropic's answer to the "agentic coding" race - a mode where Claude Code doesn't just respond to prompts but continuously works on tasks while you do other things.

A second unreleased feature, ULTRAPLAN, offloads complex planning to remote Opus model sessions that can run for up to 30 minutes, polling for results every 3 seconds.

The Undercover Mode

Perhaps the most discussed finding is undercover.ts, a system that automatically activates when Anthropic employees contribute to external repositories. The system prompt instructs the AI to never mention internal model codenames (animal names like Capybara and Tengu), never reference "Claude Code," and never reveal it's an AI.

The notable detail: employees cannot disable this mode. If an Anthropic engineer wants to transparently disclose they're using AI assistance on a public open-source project, the system prevents it. That's a policy choice that's going to draw scrutiny, especially as the industry debates AI transparency in code contributions.

Engineering Warts

The source also revealed some operational issues. A silent compaction routine failure was causing roughly 250,000 wasted API calls daily - the routine would fail and retry thousands of times per session without surfacing errors. There's also a documented but unpatched bash security parser differential where carriage returns create potential command injection vectors (the older parser treats \r as a word separator, but bash doesn't).

On the lighter side, the codebase contains a hidden Tamagotchi-style pet system called "Buddy" with 18 species, gacha mechanics (randomized collection), and shiny variants. Species names were hex-encoded to avoid triggering internal security scanners. It appears to be an April Fools' feature.

Same Mistake Twice

The real story here isn't any single finding - it's that this is the exact same packaging error happening a second time. Source maps are a standard part of JavaScript development, and excluding them from published packages is a one-line fix. For a company building safety-focused AI, shipping your full internal source code to a public registry twice suggests the CI/CD pipeline needs the same careful attention as the model alignment work.
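
As an added example (not Anthropic's code and not from the original article), a pre-publish gate in Node.js that reads the report from `npm pack --dry-run --json` and fails when a source map would ship; the script name `check-pack.js`, the sample report and the function names are assumptions. It also flags source maps embedded inline as `data:` URIs, which an ignore rule for `*.map` does not cover.

```javascript
// Added example: pre-publish gate. Input is the JSON report printed by
// `npm pack --dry-run --json` (what the tarball would contain).

// Constructed sample report; names and sizes are illustrative only.
const SAMPLE_REPORT = JSON.stringify([{
  name: 'example-cli',
  files: [
    { path: 'package.json', size: 512 },
    { path: 'cli.js', size: 9000000 },
    { path: 'cli.js.map', size: 59800000 },
  ],
}]);

// Return every file in the report that is a standalone source map.
function findSourceMaps(reportJson) {
  const parsed = JSON.parse(reportJson);
  const packages = Array.isArray(parsed) ? parsed : [parsed];
  return packages.flatMap((pkg) => (pkg.files || [])
    .filter((f) => /\.map$/i.test(f.path))
    .map((f) => ({ package: pkg.name, path: f.path, size: f.size })));
}

// An ignore rule for *.map does not cover maps embedded as data: URIs,
// so bundled scripts are checked for an inline sourceMappingURL as well.
function hasInlineSourceMap(sourceText) {
  return /\/[/*][#@]\s*sourceMappingURL=data:/.test(sourceText);
}

// CLI: node check-pack.js pack.json [packageRoot]; exits 1 on any finding.
if (process.argv[2]) {
  const fs = require('node:fs');
  const path = require('node:path');
  const root = process.argv[3] || '.';
  const reportJson = fs.readFileSync(process.argv[2], 'utf8');
  const findings = findSourceMaps(reportJson).map((f) => f.path);
  for (const pkg of [].concat(JSON.parse(reportJson))) {
    for (const f of pkg.files || []) {
      if (!/\.[cm]?js$/i.test(f.path)) continue;
      const text = fs.readFileSync(path.join(root, f.path), 'utf8');
      if (hasInlineSourceMap(text)) findings.push(`${f.path} (inline map)`);
    }
  }
  findings.forEach((p) => console.error(`source map would be published: ${p}`));
  process.exitCode = findings.length ? 1 : 0;
} else {
  console.log(findSourceMaps(SAMPLE_REPORT)); // demo on the constructed sample
}
```

In CI, run it before `npm publish`, for example `npm pack --dry-run --json > pack.json && node check-pack.js pack.json`, so the check sees the file list the registry would receive rather than the contents of `.npmignore`.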

Anthropic hasn't publicly commented on the leak as of publication.