The most interesting part of the Claude Code leak is not just that source escaped in a package. It is that a packaging mistake exposed the same pressures Anthropic had already been signaling in public: tighter product boundaries, quieter internals, and more operational risk when experiments ride inside distributable builds.

One detail is now confirmed from Anthropic’s own public materials: Claude Code 2.1.89 added /buddy, described in the official changelog as a small creature that watches you code. Other feature names that spread after the leak, such as KAIROS, still sit in the “reported by secondary coverage” bucket rather than the “independently confirmed” bucket.

That distinction matters, but it does not make the secondary writeups useless. Alex Kim’s walkthrough is useful precisely because the reported details it surfaced, such as fake-tool injection, native client attestation, and “undercover mode”, all point in the same direction: Claude Code is not just a model wrapper, but a tightly managed client boundary.

That theme also connects cleanly to two patterns we have already covered here: Anthropic’s OAuth restrictions for third-party tooling and Claude Code’s shift toward quieter, less inspectable output. The leak mattered because it briefly made those boundaries legible.

Caveat: the viral “autopsy” documents circulating on April 1, 2026 are derivative syntheses with uneven sourcing. We are treating them as research aids, not primary evidence. Where this post makes stronger claims, it anchors them to public npm-registry facts or clearly attributed reporting.

The incident window, with dates

The public npm registry gives a clean incident window:

  • 2.1.87 was published on March 29, 2026
  • 2.1.88 was published on March 30, 2026
  • 2.1.89 was published on March 31, 2026

As of April 1, 2026, the package timeline still shows 2.1.88, but the direct npm version endpoint for that release is no longer available. In practical terms: there was a short-lived release in the middle of the sequence, and it is no longer retrievable the normal way.

That is enough to support the narrow version of the story: something went wrong with 2.1.88, and Anthropic moved on quickly.

What is confirmed vs. what is still reported

Two parts of the story now sit on different evidence tiers.

Confirmed from public Anthropic-controlled sources:

  • the 2.1.88 release existed in the public npm timeline on March 30, 2026
  • Anthropic moved the package line forward to 2.1.89 on March 31, 2026
  • Anthropic’s public Claude Code changelog for 2.1.89 includes /buddy

Reported in secondary coverage, but not independently confirmed here:

  • users found an always-on background agent concept called KAIROS
  • users surfaced additional internal instructions, feature experiments, and architecture details
  • Anthropic spokesperson Christopher Nulty described the issue to The Verge as a release packaging problem caused by human error rather than a security breach

That distinction matters. It is the difference between “we can say this happened” and “we can say this was reported after the leak.”

The hidden-feature angle is real, but mixed-evidence

The Verge’s coverage focused on two details that explain why this leak spread so fast: a Tamagotchi-style “pet” and an always-on agent. That framing matters because it shifts the incident from “packaging mistake” to “roadmap exposure.”

For builders, this is the uncomfortable part. When internal feature work leaks, the blast radius is bigger than source visibility:

  • experimental concepts become public expectations
  • unfinished names and codenames become part of the discourse
  • competitors get a rough read on where the product is heading
  • internal experiments get mistaken for committed strategy

That last point matters here. /buddy crossed into the confirmed column because Anthropic exposed it in its own changelog. KAIROS should still be read as a reported post-leak feature, not as an independently confirmed product commitment.

What builders should actually care about

The useful lesson is not the novelty of a hidden pet in a coding tool. The useful lesson is that release engineering mistakes can expose far more than code.

If you read this alongside Anthropic’s 2025–2026 policy and access changes, the connective tissue is straightforward: policy, client enforcement, and packaging discipline are three layers of the same boundary problem.

Three practical takeaways:

1. Package contents are a security boundary

If a public package can include debug artifacts, source maps, or build-time references that reveal internal structure, then your package manifest is part of your security posture. Treat .npmignore, files, and prepublish checks as release controls, not housekeeping.

2. Artifact storage needs the same review as production code

Even limited or indirect exposure of build artifacts can turn a small packaging error into a much larger disclosure event. If artifacts reveal source paths, internal docs, roadmap codenames, or access patterns, the leak is no longer “just” about one file.

3. Shipping roadmap internals has product consequences

The leak discourse moved immediately to hidden features because that is what people actually care about once the code is out. If internal experiments are present in distributable builds, you are not only risking code exposure. You are risking involuntary product announcements.

The sober version of this story

There is a temptation to turn this into a grand autopsy of Anthropic’s engineering culture. That is where a lot of the viral writeups go, often with very specific counts, metrics, and business-impact claims.

We are not making those claims here unless they can be traced cleanly.

What we can say:

  • there was a short-lived 2.1.88 release on March 30, 2026
  • 2.1.88 is no longer available at the direct npm version endpoint as of April 1, 2026
  • the surrounding reporting framed the leak as exposing hidden and in-progress Claude Code features
  • Anthropic’s own 2.1.89 changelog confirms /buddy entered the public surface on March 31, 2026
  • the real lesson for teams shipping AI tools is operational: package hygiene, artifact controls, and release gates

That is already enough to make this incident relevant.

Sources


If Anthropic publishes a primary incident note or postmortem, this post should be updated and re-scored.