By Shekhar - Founder, AgenticMarket. Written April 01, 2026, the day of the leak. I spent several hours reading the source today, so this is based on direct analysis rather than secondhand coverage.

What happened: Anthropic accidentally shipped the full source code of Claude Code in an npm package. A debugging artifact called a source map pointed to a downloadable zip of 512,000 lines of TypeScript. Developers downloaded it, read it, and started posting what they found.

What matters: The most significant thing in those 512,000 lines isn't a bug or a secret. It's the architecture. Claude Code isn't built on top of MCP. It is MCP - every capability, including Computer Use, runs as a tool call. KAIROS, an autonomous background agent mode, is compiled and feature-flagged. The product roadmap is now public.

Why this is relevant to MCP server builders: the internal tools Anthropic built for Claude Code - authenticated, health-monitored, discrete, fast - are exactly the pattern external MCP servers need to follow. The leak is an accidental specification document.

---

What actually leaked

The @anthropic-ai/claude-code npm package version 2.1.88 included a cli.js.map file - a standard debugging artifact that maps minified code to readable source. This one pointed directly to a downloadable zip sitting in Anthropic's public storage. Anyone with the URL could retrieve the full, unobfuscated TypeScript codebase.

Security researcher Chaofan Shou posted four words on X: "Claude Code source code has been leaked." The GitHub mirror crossed 84,000 stars within hours. Anthropic confirmed it - a release packaging error, not a system compromise.

What's inside the 1,906 files:

• The full tool system - approximately 40 discrete tools, each permission-gated, covering file reads, bash execution, web fetch, LSP integration, and IDE bridges
• A three-layer self-healing memory architecture built around MEMORY.md
• Multi-agent orchestration logic where the coordinator manages workers through a system prompt
• 44 feature flags for fully-built but unshipped capabilities
• Internal model codenames: Fennec (Opus 4.6), Capybara (a Claude 4.6 variant), Numbat (still in testing)
• An unreleased autonomous background agent mode called KAIROS
• Computer Use, internally codenamed Chicago, built on @ant/computer-use-mcp

That last line is the most architecturally significant. Computer Use - one of Claude's most capable features - is not a special-cased capability baked into the model layer. It's an MCP server.

⚠ Security alert - separate issue, same day: The leak coincided with an unrelated supply chain attack on the axios npm package. If you installed or updated Claude Code via npm on March 31 between 00:21 and 03:29 UTC, check your lockfiles for axios versions 1.14.1 or 0.30.4, and for any dependency named plain-crypto-js. These are malicious. Anthropic now recommends the native installer over npm for Claude Code installations. See Anthropic's guidance for steps.

---

The tool system: MCP is the whole product

From the outside, Claude Code looks like Claude with a terminal. The leak shows something more structural.

Every Claude Code capability is exposed through a plugin-like tool layer. The base tool definition runs to 29,000 lines. Each tool is discrete, permission-gated, and sandboxed. Before any consequential action - writing a file, running a command, making a network request - the tool system surfaces a trust prompt and waits for explicit user confirmation.

I spent time in the trust prompt logic specifically. The permission gates aren't UI chrome. They're baked into the tool execution path itself. A tool that can't pass its permission check doesn't execute. This is what makes the architecture safe enough to give an AI agent bash execution.

The pattern maps exactly to what the MCP specification describes: tools that AI agents discover via tools/list, call via tools/call, and receive structured results from. Claude Code isn't running MCP on top of something else. The tool architecture is MCP, applied at every layer.

Computer Use existing as @ant/computer-use-mcp makes this concrete. Anthropic didn't build a special-cased Computer Use pipeline. They built an MCP server - with the same interface, the same discovery mechanism, the same permission model as everything else in the tool layer. This is a strong signal about where the architecture is going.

---

KAIROS: what the autonomous future actually looks like

The most significant product reveal in the leak is a mode called KAIROS, sitting behind feature flags in main.tsx.

KAIROS implements an autonomous daemon mode. Claude Code doesn't wait for a prompt. It runs as a persistent background process, performing work while you're idle: indexing, memory consolidation, monitoring the codebase for inconsistencies, preparing context for when you return.

The mechanism the source calls autoDream runs while you're away. It merges disparate observations from previous sessions, removes logical contradictions between them, and converts vague working notes into consolidated facts. When you return to a session, the agent's memory is clean and current rather than stale and contradictory.

Reading the autoDream logic was the clearest moment in the leak for me. This isn't aspirational architecture. It's compiled code behind a flag. The engineering decisions are already made.

The implications for MCP servers are direct. An always-on agent doing background work calls tools continuously - not when a developer types a prompt, but on its own schedule. Usage patterns on MCP servers change completely when the caller is an autonomous agent rather than a human interaction. You'd see consistent low-volume traffic at irregular intervals rather than bursty human-prompted calls. Health monitoring and reliability become critical in a way they weren't before.

---

The memory architecture: solving context entropy

One of the harder problems in long-running AI agents is context degradation - the window fills up, gets stale, and the agent starts making mistakes or contradicting itself. The leaked source shows how Anthropic solved this.

The three-layer memory system:

1. MEMORY.md - a lightweight index file, always loaded into context, storing short pointers (~150 characters per line) to knowledge locations, not the knowledge itself
2. Topic files - actual project knowledge, fetched on demand when a pointer is followed
3. Raw transcripts - never re-read in full, only searched for specific identifiers when needed

The discipline this requires is interesting. The agent must update the index only after a successful write to a topic file. Failed write attempts don't corrupt the pointer index. It's skeptical memory architecture - don't trust what you remember you wrote, verify against what actually exists on disk.

For MCP server builders, this matters in a specific way. Tools that return structured, precise, narrow data on demand are more valuable in this architecture than tools that dump large context blobs. The memory system is built to stay lean. Tools that play against that - returning 50KB when 500 bytes would do - are working against the architecture they're plugging into.

---

What competitors now know

The leak gives everyone building AI coding agents a detailed blueprint for a production-grade implementation.

The orchestration logic is now public. Every competitor building on MCP knows exactly how Anthropic handles tool discovery, permission gates, trust prompts, and execution sandboxing. The patterns that took Anthropic's engineering team months to work out are readable in full.

The security surface is explicit. Because the leak revealed the exact Hooks and MCP server orchestration logic, it's now straightforward to design attacks targeting Claude Code specifically - malicious repositories engineered to trigger background commands or exfiltrate data through trust prompt bypasses before a user sees the confirmation. This isn't theoretical. It's a documented attack pattern now.

The roadmap is exposed. KAIROS, Computer Use via @ant/computer-use-mcp, voice command mode, browser control via Playwright, persistent session memory - these aren't speculative features. They're compiled and flag-gated. Any competitor who reads the source knows what Anthropic is shipping in the next two to four quarters.

---

The MCP security conversation just got louder

One detail that spread quickly through the developer community: the leaked source contains an ANTI_DISTILLATION_CC flag. When enabled, Claude Code injects fake tool definitions into API requests - decoy tools designed to corrupt training data anyone might try to extract from Claude Code's API traffic.

Anthropic built a subsystem to prevent their internal architecture from leaking through model behavior. Then shipped the entire source in a .map file.

The irony is sharp, but the real observation is about MCP server security more broadly.

MCP server supply chain attacks follow the same pattern as the npm ecosystem attacks we've seen for years: publish a useful-looking server, have it do something malicious with the same privilege as legitimate tools. The difference with MCP is the blast radius. An MCP server has the same access level as any trusted tool your agent is using. It can read files, make network requests, and execute actions with the same permissions.

As MCP servers become production infrastructure - not dev tools, but systems that autonomous agents like KAIROS call in the background continuously - authentication, secret validation, health monitoring, and knowing exactly who is calling your tools become non-negotiable. This wasn't urgent when MCP was experimental. It's urgent now.

The leaked source shows Anthropic built all of this into Claude Code's internal tool layer. External MCP servers in the ecosystem need the same primitives - authentication at the infrastructure level, health monitoring, per-call auditability. Platforms like AgenticMarket handle this layer for listed servers: every call is authenticated, credit-validated, and logged before it reaches the server's upstream URL. That's the same pattern Anthropic built internally, available for servers that don't want to implement it themselves.

---

What this means if you're building MCP servers

The Claude Code leak is the clearest public signal yet about where AI agents are going. Three things stand out from what developers have been reading today:

Tool specificity is a compounding advantage. The 40 internal tools in Claude Code are narrow by design. They answer specific questions and do specific things - they don't dump context. Broad tools that return large blobs of data work against the memory architecture agents are being built on. If you're building an MCP server, specificity isn't just good API design. It's alignment with how the best-built agents actually work.

Autonomous agents will call your server without a human prompting. KAIROS is feature-flagged, not released. But it exists. When persistent background agents become the norm, your MCP server won't be called when a developer types a question. It'll be called on the agent's own schedule, continuously, for background work. Usage patterns, SLA requirements, and reliability expectations change substantially under that model.

The engineering bar just got published. The 40 tools inside Claude Code weren't built to be impressive. They were built to make an AI agent reliable in production. The permission gates, the sandboxing, the trust prompt architecture - every decision was made by a team that had to ship something that didn't break, didn't leak, and didn't get exploited. External MCP servers building toward the same production use cases are now working with a blueprint.

Related: If you're installing MCP servers and want to skip JSON config editing, see How to Install MCP Servers Without Editing JSON. If you've built a server and want to list it to earn from calls, see How to Monetize Your MCP Server.

---

Frequently asked questions about the Claude Code leak {#faq}

What was in the Claude Code source code leak?
512,000 lines of TypeScript across 1,906 files - the full internal architecture of Claude Code. The full tool system (~40 tools), the three-layer MEMORY.md architecture, multi-agent orchestration logic, 44 feature flags for unshipped features, internal model codenames, KAIROS (the autonomous agent mode), and Computer Use implemented as an MCP server (@ant/computer-use-mcp).

What is KAIROS?
A heavily feature-flagged autonomous daemon mode. Claude Code running as a persistent background process - indexing, consolidating memory, monitoring for inconsistencies - without waiting for a user prompt. The autoDream logic merges previous session observations and cleans up contradictions while you're away, so context is fresh when you return. It's compiled and feature-flagged, not released.

How did the leak happen?
A standard debugging source map (cli.js.map) was accidentally included in the npm package build. Source maps are normally excluded from production - this one pointed to a full zip of the unobfuscated codebase sitting in Anthropic's public storage. Anthropic confirmed it as a packaging error, not a security breach.

Is this the same as the axios supply chain attack?
No. Two separate events, same day. The Claude Code leak is a packaging accident - no malicious code, no user data exposed. The axios attack (plain-crypto-js in versions 1.14.1 and 0.30.4) is a separate npm supply chain compromise. If you installed Claude Code via npm on March 31 during the affected window, check your lockfiles for those axios versions.

What does this mean for MCP server developers?
The leak confirms MCP is Anthropic's core architecture, not an add-on. Computer Use is literally an MCP server. KAIROS means autonomous agents will call MCP tools continuously in the background. The practical implications: build narrow precise tools (not context dumps), design for continuous API-like usage patterns, and treat auth + health monitoring as infrastructure requirements rather than later concerns.

---

The mirrored repos will get DMCA'd and the news cycle will move on. But the architecture that was visible today - the tool system, KAIROS, the memory design, the security model - isn't speculative anymore. It's a blueprint with 84,000 stars on it.

MCP servers are the interface between AI agents and the world. That was always the intention. The leak just made the engineering behind it readable.

---

All source code remains the intellectual property of Anthropic. The analysis above is based on publicly available coverage, mirrors, and direct reading of content that was briefly in public storage. Written March 31, 2026, the day of the leak. For the axios supply chain attack, see Anthropic's security guidance.

---

What's the most significant thing you found in the source? I keep coming back to Computer Use as an MCP server - it changes how I think about where the protocol is going. Drop what stood out to you in the comments.

I write about MCP tooling and the agentic AI developer ecosystem roughly twice a month. I'll be covering how KAIROS-style autonomous agents change what MCP servers need to look like.