Claude Code Source Leak: 512K Lines Reveal Kairos and UltraPlan on npm
Quick summary
Anthropic's npm package leaked 512K lines of Claude Code source on March 31, exposing unreleased Kairos, UltraPlan, and agent swarm features alongside a session limit meltdown.
On March 31, 2026, a misconfigured package.json field in a Claude Code npm release accidentally bundled an unobfuscated TypeScript source map — exposing roughly 512,000 lines of source code, around 1,900 files, and a set of unreleased features that Anthropic had not announced publicly.
The leak came at the worst possible moment. The day before, developers on Pro and Max plans were already publicly venting about a separate issue: Claude Code was burning through 5-hour session windows in under 90 minutes, sometimes in a single prompt. The combination landed Anthropic in two simultaneous news cycles: a rate limit meltdown and a source exposure — both on the same tool, in the same week.
How the Leak Happened: One Line in package.json
The technical cause is mundane but damaging. Claude Code's npm package included a source map file that referenced the unobfuscated TypeScript source. When source maps are published alongside a minified JavaScript bundle without being kept out of the package, either by a files allowlist in package.json or by a properly configured .npmignore, the entire source tree becomes downloadable by anyone who runs npm pack or inspects the registry.
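A pre-publish check for the packaging mistake described above, as an added example (not code from Anthropic, npm, or the leaked source). The names `inspectMap`, `auditPublishSet`, `shouldBlockPublish` and the `SAMPLE` package are hypothetical and constructed for illustration; in practice the file contents would be read from the tarball that `npm pack` produces.

```javascript
// Added example. All names and SAMPLE are constructed for illustration.

// Classify one source map: embedded sourcesContent is the full original source.
function inspectMap(path, text) {
  let map;
  try { map = JSON.parse(text); } catch {
    return { level: "warn", path, issue: "unparseable source map in publish set" };
  }
  const embedded = Array.isArray(map.sourcesContent) &&
    map.sourcesContent.some((s) => typeof s === "string" && s.length > 0);
  const count = Array.isArray(map.sources) ? map.sources.length : 0;
  return embedded
    ? { level: "block", path, issue: `embeds original text of ${count} source file(s)` }
    : { level: "warn", path, issue: `exposes ${count} original file path(s)` };
}

// pkgJson: parsed package.json; files: { path: content } for the would-be tarball.
function auditPublishSet(pkgJson, files) {
  const findings = [];
  if (!Array.isArray(pkgJson.files)) {
    findings.push({ level: "warn", path: "package.json",
      issue: 'no "files" allowlist; publish set falls back to ignore rules' });
  }
  const inline = /\/\/# sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+\/=]+)/;
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith(".map")) findings.push(inspectMap(path, content));
    // Bundles can also carry the map inline as a base64 data: URL.
    const m = /\.[cm]?js$/.test(path) && inline.exec(content);
    if (m) {
      const decoded = Buffer.from(m[1], "base64").toString("utf8");
      findings.push(inspectMap(path + " (inline map)", decoded));
    }
  }
  return findings;
}

// A release gate: any map that embeds original source stops the publish.
function shouldBlockPublish(findings) {
  return findings.some((f) => f.level === "block");
}

// Constructed sample: a minified bundle published next to its source map.
const SAMPLE = {
  "cli.js": "console.log(1);\n//# sourceMappingURL=cli.js.map\n",
  "cli.js.map": JSON.stringify({
    version: 3, file: "cli.js", sources: ["../src/main.ts"],
    sourcesContent: ["export const answer: number = 1;\n"], mappings: "AAAA",
  }),
};
console.log(auditPublishSet({ name: "example-cli", version: "1.0.0" }, SAMPLE));
```

A map without `sourcesContent` is reported as a warning rather than a blocker because it still discloses the original file paths and symbol names, just not the source text itself.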
Security researcher Chaofan Shou (@shoucccc) identified the exposure and published the finding. Within hours, the ~512,000-line TypeScript codebase — written in strict TypeScript, using the Bun runtime and React + Ink for the terminal UI — was mirrored on GitHub and analyzed by thousands of developers.
Anthropic confirmed the incident: "Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach."
The Fortune story covering this noted it was the second disclosure in days, following a separate incident that accidentally revealed details about an internal project codenamed Mythos. This is a pattern, not a one-off.
What KAIROS Is: Persistent, Always-On Claude
The most discussed finding in the leaked source is KAIROS, described in the codebase as an "always-on Claude" mode. Based on what developers extracted from the TypeScript:
KAIROS maintains persistent state across sessions rather than starting fresh each time. It stores memory logs in a private directory, runs a nightly "dreaming" process to consolidate and tidy accumulated context, and can proactively initiate tasks without waiting for a user prompt. Think of it as a background agent that keeps working between explicit requests.
This is architecturally different from the current Claude Code model, where each session is stateless and context resets. KAIROS implies Anthropic is building toward a persistent coding assistant with its own memory and autonomous scheduling — closer to an always-on engineer than a prompt-response tool.
The nightly "dreaming" process (also called autoDream in the codebase) runs as a forked subagent and handles memory consolidation: summarizing logs, pruning redundant context, and preparing state for the next active session. It's a direct parallel to how memory-augmented LLM systems work in research, now apparently productized in the Claude Code pipeline.
UltraPlan: Offloading Planning to 30-Minute Opus Sessions
ULTRAPLAN is a mode for complex planning tasks that would time out or exceed context in a normal interactive session. Based on the source:
When triggered, UltraPlan offloads the planning task to a remote Cloud Container Runtime (CCR) session running Opus 4.6 — Anthropic's most capable model. The remote session gets up to 30 minutes to think through the problem. Results are returned for browser-based approval before any code changes are made.
The practical use case is clear: architectural refactors, migration planning, large codebase analysis where you want deep reasoning without babysitting a terminal. You kick off UltraPlan, do something else for 30 minutes, and come back to a structured plan ready for review.
The CCR infrastructure detail is interesting separately. It means Anthropic is building out a serverless compute layer specifically for Claude Code's extended reasoning tasks — distinct from the interactive API calls the current tool makes.
Agent Swarms, Coordinator Mode, and the Team Architecture
The leaked source includes substantial infrastructure for multi-agent execution under a coordinator model. What developers found:
The system supports two types of agent teammates: in-process teammates using AsyncLocalStorage for context isolation, and process-based teammates running in separate tmux or iTerm2 panes. Both types can be part of a "team" with shared memory synchronization and color assignments for visual distinction in terminal output.
The coordinator system prompt explicitly emphasizes parallelism. Workers communicate via task-notification XML messages (familiar to anyone who has seen how Claude Code already structures its internal output). The coordinator is responsible for decomposing tasks, dispatching to workers, monitoring completion, and synthesizing results.
This is agent swarms for coding — not in the abstract research sense, but as a concrete terminal UI experience where you can watch multiple Claude instances working in parallel panes. The architecture is already partly visible in the current Claude Code (parallel tool calls, sub-agents) but the leaked source suggests a significantly more explicit team UI layer is coming.
The Session Limit Meltdown That Preceded the Leak
The leak landed on top of a developer frustration wave that had been building since March 23. GitHub issue #38335 at anthropics/claude-code documented the core complaint: the 5-hour session window was depleting in 1 to 2 hours instead of the full window, with the same workloads that had worked fine the week before.
The specific mechanics involved three overlapping issues. First, Anthropic adjusted peak-hour limits — during 5 AM to 11 AM PT (1 PM to 7 PM GMT), usage multipliers accelerate how fast the session window depletes. Second, a counter-desync bug was causing some requests to count disproportionately against the limit, documented with users seeing jumps from 21% to 100% on a single agentic prompt. Third, a March 2x off-peak promotional credit expired, removing a buffer that had been partially masking the new peak-hour adjustments.
Max 5x subscribers reported exhausting their window in roughly 90 minutes of standard agentic work. Max 20x subscribers reported hitting limits mid-task in ways that were not happening two weeks earlier. A Pro plan user on the Discord forum noted: "out of 30 days I get to use Claude 12" — the limit resets Saturday but is fully depleted by Monday every week.
Anthropic acknowledged it directly: "people are hitting usage limits in Claude Code way faster than expected. We're actively investigating... it's the top priority for the team." As of April 1, no fix has shipped.
What Anthropic Said and What the Leak Reveals About Their Roadmap
Anthropic's response to the leak was narrow and technically accurate: no customer data, no credentials, no model weights. That framing is correct. This was not a data breach. It was a source exposure — the equivalent of shipping code without minification on a proprietary codebase.
What the leak reveals about the roadmap is more interesting than the security incident itself. KAIROS, UltraPlan, and agent swarms are not prototype experiments. They are feature-gated production code in the Claude Code codebase right now — built, tested, and waiting for a release decision. The infrastructure for persistent memory, remote planning sessions on Opus, and multi-agent coordination is already there.
The timing also matters. Anthropic is operating under heavy demand pressure — the session limit problem is a direct consequence of more users doing more agentic work than the system was sized for. Shipping always-on persistent agents (KAIROS) into that environment would add significantly more sustained compute load. The likely reason these features are gated is infrastructure capacity, not readiness.
Key Takeaways
- 512,000 lines of TypeScript leaked: Claude Code's full source exposed via npm source map on March 31, caused by a misconfigured package.json — no customer data or model weights involved
- KAIROS is an always-on persistent agent: maintains memory across sessions, runs nightly "dreaming" consolidation, can proactively start tasks — a fundamentally different architecture from the current stateless Claude Code
- UltraPlan offloads 30-minute planning sessions to Opus 4.6: remote CCR infrastructure, browser-based approval — designed for complex architectural work that exceeds normal session context
- Agent swarms and coordinator mode are in the codebase: in-process and process-based teammates, tmux/iTerm2 pane integration, team memory sync — multi-agent Claude Code is a feature, not a concept
- Session limits are genuinely broken right now: peak-hour multipliers + a counter-desync bug + the expiry of a March 2x promo credit combine to drain Max plan windows in 90 minutes or less
- Anthropic confirmed both issues: the session limits are "top priority," and the leak was "human error in release packaging" — the second such disclosure in the same week
Frequently Asked Questions
What was leaked in the Claude Code npm source map on March 31, 2026?
Roughly 512,000 lines of TypeScript source code across approximately 1,900 files — the full Claude Code src/ directory. The leak happened because a source map file referencing unobfuscated TypeScript was bundled into the npm release. No customer data, credentials, or model weights were exposed.
What is KAIROS in Claude Code?
KAIROS is an unreleased "always-on Claude" mode found in the leaked source. It maintains persistent memory across sessions, stores logs in a private directory, runs a nightly autoDream consolidation process, and can proactively start tasks without waiting for a user prompt — unlike the current stateless Claude Code.
What is UltraPlan in Claude Code?
UltraPlan is an unreleased planning mode that offloads complex tasks to a remote Cloud Container Runtime (CCR) session running Opus 4.6, giving it up to 30 minutes to think. Results are returned for browser-based approval before any code changes are made. It is designed for architectural refactors and large codebase analysis.
Why is Claude Code hitting session limits so fast in March and April 2026?
Three issues overlapped: Anthropic introduced peak-hour usage multipliers (5 AM to 11 AM PT), a counter-desync bug causes some prompts to count disproportionately against the limit, and a March 2x off-peak promotional credit expired. Max 5x users are exhausting their 5-hour window in roughly 90 minutes. Anthropic confirmed it is the top priority for the team.
Were model weights or customer data included in the Claude Code leak?
No. Anthropic confirmed: "No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach." The leak exposed TypeScript application source code and internal feature flags, not AI model weights or user data.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 941+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
