The most interesting part of the Claude Code leak is not just that source escaped in a package. It is that a packaging mistake exposed the same pressures Anthropic had already been signaling in public: tighter product boundaries, quieter internals, and more operational risk when experiments ride inside distributable builds.
One detail is now confirmed from Anthropic’s own public materials: Claude Code 2.1.89 added /buddy, described in the official changelog as a small creature that watches you code. Other feature names that spread after the leak, such as KAIROS, still sit in the “reported by secondary coverage” bucket rather than the “independently confirmed” bucket.
That distinction matters, but it does not make the secondary writeups useless. Alex Kim’s walkthrough is useful precisely because the reported details it surfaced, such as fake-tool injection, native client attestation, and “undercover mode”, all point in the same direction: Claude Code is not just a model wrapper, but a tightly managed client boundary.
That theme also connects cleanly to two patterns we have already covered here: Anthropic’s OAuth restrictions for third-party tooling and Claude Code’s shift toward quieter, less inspectable output. The leak mattered because it briefly made those boundaries legible.
Caveat: the viral “autopsy” documents circulating on April 1, 2026 are derivative syntheses with uneven sourcing. We are treating them as research aids, not primary evidence. Where this post makes stronger claims, it anchors them to public npm-registry facts or clearly attributed reporting.
The incident window, with dates
The public npm registry gives a clean incident window:
2.1.87was published on March 29, 20262.1.88was published on March 30, 20262.1.89was published on March 31, 2026
As of April 1, 2026, the package timeline still shows 2.1.88, but the direct npm version endpoint for that release is no longer available. In practical terms: there was a short-lived release in the middle of the sequence, and it is no longer retrievable the normal way.
That is enough to support the narrow version of the story: something went wrong with 2.1.88, and Anthropic moved on quickly.
What is confirmed vs. what is still reported
Two parts of the story now sit on different evidence tiers.
Confirmed from public Anthropic-controlled sources:
- the
2.1.88release existed in the public npm timeline on March 30, 2026 - Anthropic moved the package line forward to
2.1.89on March 31, 2026 - Anthropic’s public Claude Code changelog for
2.1.89includes/buddy
Reported in secondary coverage, but not independently confirmed here:
- users found an always-on background agent concept called
KAIROS - users surfaced additional internal instructions, feature experiments, and architecture details
- Anthropic spokesperson Christopher Nulty described the issue to The Verge as a release packaging problem caused by human error rather than a security breach
That distinction matters. It is the difference between “we can say this happened” and “we can say this was reported after the leak.”
The hidden-feature angle is real, but mixed-evidence
The Verge’s coverage focused on two details that explain why this leak spread so fast: a Tamagotchi-style “pet” and an always-on agent. That framing matters because it shifts the incident from “packaging mistake” to “roadmap exposure.”
For builders, this is the uncomfortable part. When internal feature work leaks, the blast radius is bigger than source visibility:
- experimental concepts become public expectations
- unfinished names and codenames become part of the discourse
- competitors get a rough read on where the product is heading
- internal experiments get mistaken for committed strategy
That last point matters here. /buddy crossed into the confirmed column because Anthropic exposed it in its own changelog. KAIROS should still be read as a reported post-leak feature, not as an independently confirmed product commitment.
What builders should actually care about
The useful lesson is not the novelty of a hidden pet in a coding tool. The useful lesson is that release engineering mistakes can expose far more than code.
If you read this alongside Anthropic’s 2025–2026 policy and access changes, the connective tissue is straightforward: policy, client enforcement, and packaging discipline are three layers of the same boundary problem.
Three practical takeaways:
1. Package contents are a security boundary
If a public package can include debug artifacts, source maps, or build-time references that reveal internal structure, then your package manifest is part of your security posture. Treat .npmignore, files, and prepublish checks as release controls, not housekeeping.
2. Artifact storage needs the same review as production code
Even limited or indirect exposure of build artifacts can turn a small packaging error into a much larger disclosure event. If artifacts reveal source paths, internal docs, roadmap codenames, or access patterns, the leak is no longer “just” about one file.
3. Shipping roadmap internals has product consequences
The leak discourse moved immediately to hidden features because that is what people actually care about once the code is out. If internal experiments are present in distributable builds, you are not only risking code exposure. You are risking involuntary product announcements.
The sober version of this story
There is a temptation to turn this into a grand autopsy of Anthropic’s engineering culture. That is where a lot of the viral writeups go, often with very specific counts, metrics, and business-impact claims.
We are not making those claims here unless they can be traced cleanly.
What we can say:
- there was a short-lived
2.1.88release on March 30, 2026 2.1.88is no longer available at the direct npm version endpoint as of April 1, 2026- the surrounding reporting framed the leak as exposing hidden and in-progress Claude Code features
- Anthropic’s own
2.1.89changelog confirms/buddyentered the public surface on March 31, 2026 - the real lesson for teams shipping AI tools is operational: package hygiene, artifact controls, and release gates
That is already enough to make this incident relevant.
Related links
- Anthropic’s OAuth Policy, Now in Writing
- Anthropic’s 2025–2026 Policy & Access Changes
- UltraThink → UltraQuiet: Why Devs Want Receipts
- Claude Code Terms Snapshot (2026)
Sources
- npm registry package timeline for
@anthropic-ai/claude-code - Anthropic Claude Code changelog
- The Verge: Claude Code leak exposes a Tamagotchi-style “pet” and an always-on agent
- Alex Kim: The Claude Code Source Leak: fake tools, frustration regexes, undercover mode, and more
If Anthropic publishes a primary incident note or postmortem, this post should be updated and re-scored.