A packaging blunder turned Anthropic’s flagship developer tool, Claude code, into an involuntary open textbook for Chinese engineers studying next-generation AI agents.
Summary
The npm mistake that exposed Anthropic’s flagship agent
On March 31, 2026, Anthropic shipped an npm update for Claude Code v2.1.88 with a critical packaging error. A 59.8MB debugging source map file was accidentally bundled in the release, pushing internal implementation details directly to the public registry.
The map expanded into 1,906 source files and roughly 512,000 lines of TypeScript, effectively exposing the entire engineering blueprint of Anthropic’s coding agent. Moreover, this mistake handed rivals and independent researchers a rare, end-to-end view of a production-grade AI agent framework.
This was not generic boilerplate. It was the full internal design of what many consider the most advanced AI coding assistant in production, a system that scored 72.7% on SWE-bench, versus Codex at 69.1%. However, the most striking twist was that developers in China—explicitly blocked from using Claude via product policy—were among the first to download and dissect every file.
The discovery in China and the viral reaction
The leak did not come to light through a Western security firm or a big-tech red team. Instead, Chinese-born security researcher and PhD dropout Chaofan Shou spotted the oversized source map sitting openly inside the npm package and realized what it contained.
Within hours, mirrors of the code appeared across Chinese developer ecosystems. GitHub repositories, WeChat groups, and forums such as Juejin (掘金) and Zhihu (知乎) filled with analysis threads. Moreover, tech outlet 36Kr pushed multiple deep-dive pieces within 48 hours, while Sina Finance labeled the incident “AI’s first nuclear leak.”
On Weibo, one phrase encapsulated the community’s mood and quickly went viral: “They locked the front door but left the blueprints on the doorstep.” That said, what really galvanized engineers was not the scandal itself, but the sophistication of the architecture they suddenly had access to.
Inside the six-layer architecture
Much early coverage focused on feature lists rather than system design. By contrast, Chinese developers on Zhihu reconstructed the internal stack and mapped Claude Code into six distinct layers that function more like an operating framework than a simple chatbot wrapper.
The layers are described as follows: Layer 1: Entry (main.tsx); Layer 2: Query Engine (query.ts, ~1,729 lines, forming the core loop); Layer 3: Tool System (tool calls, validation, execution); Layer 4: Permission Control (a 4-tier permission chain); Layer 5: Memory Management (CLAUDE.md plus .claude/memory/); and Layer 6: Multi-Agent Orchestration (Coordinator and sub-agents).
This layout showed that the product is a production-grade agent framework, not a thin UI over an API. Moreover, Chinese commentators emphasized that its engineering depth surpasses many standalone AI products that have far fewer moving parts.
KAIROS and the shift to proactive agents
One of the most discussed revelations is an unreleased feature called KAIROS, referenced more than 150 times in the leaked code. KAIROS turns the system from a purely reactive assistant into an “always-on” agent that acts even when the user is idle.
The core mechanism is a Tick Loop. When the message queue is empty, instead of idling, KAIROS uses setTimeout(0) to inject a <tick> message. That tick prompts the agent to re-check its environment and decide whether to perform maintenance, analysis, or proactive tasks.
The design contrasts a traditional agent—triggered only by user input, operating in passive, session-bound mode—with a KAIROS-style agent driven by heartbeat signals and environment monitoring, running as a persistent background process that maintains state 24/7. Moreover, KAIROS adds a SleepTool for low-power states and a WebSocket bridge that lets the cloud-based claude.ai service send commands into the local instance.
Together, these elements form the architecture for an assistant that can watch a codebase while its owner sleeps. In the middle of the Chinese analyses, many posts explicitly called this “a practical recipe” for building a kairos always on agent equivalent on domestic infrastructure.
autoDream and neuroscience-inspired memory
Another highlight is autoDream, a background memory-consolidation system modeled after human REM sleep. It runs automatically every 24 hours or on demand via the /dream command, organizing long-lived project context without touching application code.
autoDream operates in four phases. First, Pruning deletes outdated, duplicate, or contradictory entries. Second, Merging combines similar fragments and unifies different phrasings of the same idea. Third, Refreshing updates stale information and re-evaluates importance weights. Finally, Synthesis compiles recent learnings into structured memory files with indexes for faster retrieval.
Several constraints keep the system safe: autoDream runs strictly in read-only mode on source code, uses a lockfile mechanism to prevent concurrent executions, and modifies only memory artifacts such as CLAUDE.md and .claude/memory/*.json. Moreover, this is the mechanism that makes the agent appear to “remember” a project across sessions.
Chinese developers quickly began cloning the idea. The open-source project grandamenium/dream-skill on GitHub explicitly reproduces the four-phase flow, presenting it as a faithful reimplementation for generic large language models.
The Buddy System and Anthropic’s product philosophy
Early rumors framed the Buddy System as a dual-agent safety check. The leaked implementation shows something very different: a Tamagotchi-style virtual pet that lives alongside the coding workflow.
According to the code, the system defines 18 species (including ducks, cats, and dogs), organized into 5 rarity tiers from Common up to Legendary, with Legendary pets appearing at a 1% rate. Moreover, there is a separate 1% probability for a “shiny” variant, similar to rare Pokémon skins.
Each pet includes five RPG-style stats, including a “CHAOS” attribute, and is generated deterministically from a hash of the user’s account ID, guaranteeing uniqueness. The entire feature is gated by a BUDDY feature flag in buddy.ts. That said, competitors moved fast: CodePilot has already shipped a gamified AI assistant apparently inspired by this system.
For observers, this detail matters less for its mechanics than for what it reveals about Anthropic’s roadmap: even a safety-first AI lab is experimenting with engagement loops and retention mechanics borrowed from consumer gaming.
Undercover Mode and open-source ethics
Perhaps the most controversial leak is Undercover Mode, exposed through its internal system prompt. The text instructs the agent: “You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository… Do not blow your cover.”
The mode activates when USER_TYPE === ‘ant’ (Anthropic employee) and the target repository is public. In this configuration, the system filters out internal codenames such as Capybara and Tengu, unreleased model version numbers, internal Slack channels and short links like “go/cc,” and even the phrase “Claude Code” itself.
It also strips any hints that an AI authored the change, including removing Co-Authored-By attribution lines. Moreover, this implies that Anthropic engineers have been using internal tools to contribute to open-source projects without consistently disclosing AI involvement.
Critics argue that this practice conflicts with long-standing open-source transparency norms and the Developer Certificate of Origin (DCO), which assumes clear authorship. That said, defenders note that many organizations are still improvising policies for AI-assisted contributions, and Anthropic is not alone in facing these gray areas.
Sub-agent orchestration and the Coordinator pattern
Another central revelation is the multi-agent design. Claude Code uses a Hub-and-Spoke topology where each sub-agent is its own Claude instance with a dedicated system prompt, context window, tool permissions, and lifecycle.
A central Coordinator decomposes complex requests into smaller jobs, dispatches them to specialized sub-agents—such as frontend, backend, or testing experts—runs these tasks in parallel through Promise.all(), and then merges results through a quality-gate pipeline. Moreover, this approach gives the framework a flexible way to scale expertise without retraining the base model.
The open-source ecosystem reacted quickly. The GitHub project VoltAgent/awesome-claude-code-subagents now lists more than 100 specialized agents for frontend, backend, DevOps, AI/ML, code review, and debugging. Many of these are explicitly modeled on the leaked coordinator pattern for multi agent orchestration.
How Chinese engineers reverse-engineered the stack
The Chinese analysis effort went far beyond casual browsing. On Zhihu, engineers published a complete dependency graph across 4,756 source files, confirming the six-layer architecture and mapping key execution paths end-to-end.
Media outlet 36Kr followed up with four major articles in the first week, documenting 8 unreleased features, 26 hidden commands, and a 6-level security architecture. Moreover, developers at Tencent Cloud extracted five core design patterns: segmented prompt caching, Coordinator-plus-sub-agent orchestration, four-tier permission chains, filesystem-based memory, and collaborative workflows across agents.
Meanwhile, Juejin hosted dozens of deep-dive threads where engineers used large language models to assist in reverse-engineering minified segments, effectively cutting weeks of manual reading into hours. One viral Zhihu post—titled “After Reading All 500,000 Lines of Claude Code’s Leaked Code, I Finally Discovered the Secret of Why It’s So Good”—drew millions of views.
Its main conclusion was blunt: the system’s advantage lies not primarily in the underlying model, but in the “Agentic Harness” wrapped around it. Moreover, this framing resonated with many Chinese practitioners who already have access to strong domestic base models.
Chinese companies move from study to implementation
Major Chinese tech firms have already begun integrating ideas from the leak into their own developer tools. Tencent CodeBuddy is building a multi-sub-agent collaboration layer openly inspired by the leaked Coordinator pattern.
Alibaba‘s Tongyi Lingma (通义灵码), which has surpassed 2M downloads and already supports Agent, Ask, and Edit modes, is now studying Claude Code’s memory design for potential integration with its Qwen model family. Moreover, engineers at e-commerce platform Dewu (得物) are applying the multi-agent collaboration concepts to intelligent refactoring of their production system.
Open-source replicas reinforce the trend. Alongside grandamenium/dream-skill, the project Mirza-Samad-Ahmed-Baig/analysis_claude_code offers extensive reverse-engineering documentation, effectively turning the leak into a shared reference manual. That said, many Chinese teams stress that they are adapting patterns rather than copying code line-for-line.
The performance gap is shrinking
Before the leak, industry observers widely believed there was a clear gap between Claude Code and the average Chinese AI coding assistant. Architecture, benchmarks, and memory capabilities all tilted in Anthropic’s favor.
On architecture, Claude Code offered a six-layer stack with sophisticated orchestration, while many Chinese tools were still closer to simple code-generation plus Q&A. On SWE-bench, Claude’s 72.7% performance beat estimated Chinese averages of roughly 60–65%. Moreover, autoDream’s four-phase memory system contrasted with session-bound context handling in many domestic tools.
Sub-agent design was another differentiator: Anthropic’s system shipped with around 8 specialized agents, while some Chinese solutions exposed only one or two basic roles. Tooling followed the same pattern, with Claude using sophisticated serial optimization where rivals often relied on much simpler tool invocation loops.
The leak does not erase these differences overnight. However, it gives Chinese engineers a proven reference architecture to study instead of designing from scratch. Many analysts now argue that the remaining gap is primarily an engineering-execution problem rather than a research deficit.
Anthropic’s containment effort and the Streisand effect
In the days following disclosure, Anthropic tried to contain the spread. The company filed DMCA takedown notices with GitHub, but substantially overreached and targeted roughly 8,100 repositories, including forks of its own open-source projects.
The backlash was immediate. One developer wrote on social media that “Anthropic’s lawyers just woke up and killed my repo,” capturing a broader sense of frustration. Moreover, the takedowns triggered a classic Streisand Effect, accelerating the distribution of mirrors, summaries, and clean-room reimplementations on decentralized platforms.
At the same time, security researchers began combing through the leaked stack. Adversa AI reported critical vulnerabilities in Claude Code only days after the incident became public. That said, observers note that such scrutiny may also help harden future versions of the product, albeit at the cost of a high-profile embarrassment.
Strategic implications for global AI tooling
The claude code incident underscores a basic truth of modern software: once code has been shipped to a public ecosystem like npm, it is effectively impossible to recall completely.
Yet the deeper lesson is about how world-class AI coding agents are actually constructed. The leak shows three necessary ingredients. First, a strong foundation model—something Chinese players such as DeepSeek, Qwen, and GLM already possess. Second, sophisticated systems engineering, now visible in detail thanks to the exposed architecture. Third, relentless iteration, an area where Chinese tech companies have a track record of rapid cycles, with examples of 30 major model updates in 47 days.
Many analysts now frame the core question differently. It is no longer whether Chinese AI coding tools can reach parity with leading Western agents, but how quickly they will do so—and whether the leaked blueprint compresses that timeline from years into mere months.
In summary, Anthropic’s npm error turned a proprietary agent into a live case study for the global AI community, giving Chinese developers in particular a detailed map of how to engineer scalable, memory-rich, multi-agent coding assistants around competitive domestic models.
