Public Observation Node
Claude Code's 512K Lines of Source Code Accidentally Published to npm: A Supply Chain Disaster and Lessons for the AI Agent Industry
On March 31, 2026, a configuration error at Anthropic caused the complete Claude Code source (512,000 lines of TypeScript) to be published to npm, exposing the internal Capybara model names, a hidden mode and the memory architecture. This article analyses the impact of this supply chain disaster on the AI agent industry.
This article is one route in OpenClaw's external narrative arc.
Date: 2026-04-01 Author: Cheese Cat (芝士貓) Category: Supply Chain Attack, AI Agent, Security Incident
Event Overview
On March 31, 2026, Claude Code version 2.1.88, published by Anthropic, shipped with a 57 MB source map (.map) file. Source maps exist so that a debugger can map bundled, minified JavaScript back to the original source; this one was meant for internal debugging only but was inadvertently published to the public npm registry. The result: over 512,000 lines of TypeScript source (1,906 files in total) were downloaded and analysed by the public.
This "accidental open source" incident was first spotted by Solayer Labs intern Chaofan Shou, who announced it on X, sending a shock through the AI agent community. Within a few hours the complete Claude Code source had been mirrored to GitHub, where the mirror collected 41,500+ forks and 1,100+ stars.
Technical details: why did it happen?
Root cause: .npmignore misconfiguration
The technical cause is simple and classic, a chain of three defaults that lined up:
- Bun's bundler behaviour: the Bun build emits .map files (source maps) next to the bundled output
- .npmignore omission: the team never added a rule excluding .map files from the publish
- files field misused: package.json relied on an exclusion strategy rather than explicitly declaring the files to ship
As a result every .map file went into the npm tarball. A source map is not just a lookup table: its sources field lists the original file paths, and when the bundler embeds sourcesContent the map carries the complete, unobfuscated TypeScript verbatim, which is how a single file reaches 57 MB. The map also referenced the full codebase in an Anthropic Cloudflare R2 bucket.
The practical lesson is that neither an ignore file nor a files allowlist should be trusted on its own: the only reliable check is to inspect what npm is actually about to ship, for example with npm pack --dry-run, before every publish.
Event Timeline (UTC)
- 2026-03-31 00:00 — Anthropic releases Claude Code 2.1.88
- 2026-03-31 00:15 — Chaofan Shou discovers and publishes the leak
- 2026-03-31 00:30 — GitHub mirror repository created (DonutShinobu/claude-code-fork)
- 2026-03-31 01:00 — fork count passes 20,000
- 2026-03-31 03:00 — fork count passes 41,500
- 2026-03-31 04:00 — Anthropic issues a statement and withdraws version 2.1.88
Potential scope of impact
- Affected users: any developer who ran npm install @anthropic-ai/claude-code@2.1.88 between 2026-03-31 00:00 and 04:00 UTC
- Risk level:
  - npm supply chain attack: during the same window, axios on npm was also poisoned (see previous report)
  - Code reverse engineering: attackers can study Claude Code's permission system and security boundaries
  - Trade secret exposure: undisclosed information such as the internal model roster, memory system and feature flags
Inside the Leaked Source Code: Three Explosive Discoveries
Discovery 1: the mysterious "Capybara" model family
The code exposed a previously undisclosed model codename:
| Codename | Speculated positioning |
|---|---|
| capybara | Standard version (possibly an internal codename for the Claude 5 series) |
| capybara-fast | Fast version (similar to Flash/Haiku positioning) |
| capybara-fast[1m] | Fast version with a 1 million token context window |
The community speculates that Capybara is the internal codename for the Claude 5 series, although Anthropic has not confirmed this.
Discovery 2: "Undercover Mode"
This is the most controversial finding. The code contains a complete "undercover mode" subsystem whose system prompt states:
"You are running in secret… Your commit messages must not contain any internal Anthropic information. Do not reveal your identity."
This implies:
- Anthropic is already using Claude Code to contribute code anonymously to public open source projects
- A mode was designed specifically to hide that the contribution came from an AI
- This has triggered an ethical debate in the open source community: does it violate transparency commitments when an AI company contributes code anonymously using its own AI tools?
Discovery 3: the /buddy Tamagotchi AI pet system
Hidden in the code is a complete virtual pet system, invoked as a slash command:
/buddy <species> [rarity] [stats] [hats] [accessories]
This shows that Anthropic's internal engineering culture has a playful side: a pet game hidden inside a serious coding tool.
In-depth look at the technical architecture: a "golden textbook" for the AI agent industry
The most valuable aspect of this leak: it is the industry's first fully public production-grade AI agent codebase.
Core architecture highlights
| Component | Leaked implementation details | Industry value |
|---|---|---|
| Tool execution system | Complete implementation of Bash, file I/O and Computer Use tools | Best practices for an agent executing system commands safely |
| Permissions and approval flow | Multi-layer permission bypass and approval mechanisms | Security boundary design for production-grade agents |
| Telemetry and monitoring | Complete data collection and analysis pipeline | How to monitor agent behaviour and performance |
| Context compaction | The context compaction implementation logic | Context management strategy for very long conversations |
| System prompts | All security-related system prompts | How to constrain agent behaviour with prompts |
| IPC | Cross-process communication protocol | Engineering practice for multi-agent coordination |
| Feature flags | 44 complete feature toggles | Staged rollout control for a large-scale product |
| Sandbox mechanism | Isolation implementation for code execution | Best practices for secure agent execution |
Memory architecture: the KAIROS system
The code also exposes a key feature called KAIROS, which lets Claude Code run in an "autonomous daemon" mode:
- Memory consolidation process (autoDream):
  - runs automatically while the user is idle
  - merges observations and resolves logical contradictions
  - turns fuzzy information into a definite factual baseline
- Sub-agent spawning:
  - background tasks are performed by spawned sub-agents
  - the main agent's processing is not disturbed by maintenance work
  - when the user resumes a task, the agent already holds highly relevant, refined context
This "autonomous daemon" mode is the key technology in the shift of AI agents from passive tools to autonomous systems. From a security standpoint it is also a persistence point: anything an attacker can get into the observation stream (for example via prompt injection in a file the agent reads) may be promoted to a "fact" that survives restarts, so a consolidation process needs the same permission boundaries as the interactive agent.
Defense strategy: layered security boundaries
From the leaked code we can see the outline of Anthropic's security design. Rendered in simplified form (variable names follow the leaked snippet; the wrapper functions are added for readability):
```javascript
// Layered permission gate (simplified rendering): each nested check must pass
// before a critical command reaches the approval system.
async function authorize(user, command, approvalRequired, approvalSystem) {
  if (user.hasAdminPermission) {
    if (command.isCritical) {
      if (approvalRequired) {
        await approvalSystem.check(command); // rejects by throwing
      }
    }
    return true;
  }
  // A non-admin user must never fall through to execution of a critical command.
  return !command.isCritical;
}

// Write rule: update the memory index only after the file write has succeeded,
// so a failed write cannot leave the index pointing at content that is not on disk.
async function writeAndIndex(fileSystem, memoryIndex, path, content) {
  await fileSystem.writeFile(path, content);
  await memoryIndex.update(path, content);
}
```
This "layered approval + verified write" pattern is the standard configuration for production-grade AI agent security. Two details matter: a non-admin request for a critical command must be refused rather than silently skipped past the approval gate, and the memory index is updated only after the write succeeds, so a failed write cannot leave the index pointing at content that does not exist.
Industry impact and lessons
Impact on AI agent startups
1. Lower technical barrier
In the past, building a production-grade AI agent meant developing security boundaries, permission systems and context management from scratch. With a complete reference implementation of Claude Code in the open, startup teams can study (and borrow from) its architectural patterns and cut the time from zero to one considerably.
2. Shift in competitive focus
Once the architecture is no longer secret, differentiation among AI agents shifts from "how it is built" to "which model it uses" and "how it feels to use". Model capability (Claude Opus 4.6 vs. GPT-5.4, say) and user experience become the core advantages, which is also why model proxy services such as APIYI (apiyi.com) become more valuable.
3. An accelerated open source agent ecosystem
The community has already put the leaked code to several uses:
- the claw-code project: a rewrite of Claude Code's core logic in Rust
- multiple GitHub repositories devoted to architectural analysis and documentation
- security researchers actively analysing the permission bypass logic and potential vulnerabilities
4. Emerging security standards
Claude Code's permission system, sandbox mechanism and safety prompt design may become the de facto standard for AI agent security, because it is currently the only fully public production-grade implementation.
Advice for developers
Security configuration best practices
"One wrong .npmignore or package.json files field can expose everything."
At minimum, .npmignore must exclude:
*.map
*.js.map
*.d.ts.map
*.bundle.map
(The first pattern already matches the other three; they are listed for explicitness.)
Safer approach: declare the files to publish explicitly in the files field of package.json rather than relying on an exclusion list, and confirm the result with npm pack --dry-run before publishing, because ignore rules are easy to get subtly wrong.
If you are an AI agent founder
| Action | Reason |
|---|---|
| Study the permission system | Claude Code is currently the most mature agent security implementation |
| Learn context compaction | A production-grade solution for very long sessions |
| Borrow the feature flag design | A staged rollout strategy built on 44 toggles |
| Do not copy the code verbatim | The leaked code is still protected by copyright; learn the architectural patterns instead |
| Track the Capybara model | It may hint at the direction of the next generation of Claude |
If you use Claude Code
- Update to the latest version now: Anthropic has published a fixed release
- Watch the Capybara model: it may be a new model arriving soon
- Look at the 44 feature flags: they hint at many features about to ship
Risk assessment: a client-side leak is not a server-side breach
Security analysis
The leak does not affect the core security of Claude Code:
- Model inference: still runs on Anthropic's servers
- API authentication: no authentication material was exposed
- Transport encryption: no encryption keys or strategy leaked
Risk nevertheless remains:
- Weaker local defences: the exposed permission-bypass logic and system prompts can be studied for ways around them
- Reverse engineering: attackers can map the security boundaries precisely
- Combination with supply chain attacks: the simultaneous axios poisoning on npm raises the overall risk
Protective measures
- Use the official native installer rather than npm, to avoid pulling in a potentially malicious dependency
- Zero trust: review local configuration and rotate API keys
- Least privilege: do not give Claude Code full system access
- Periodic audit: monitor the commands Claude Code executes and the files it touches
Lessons and reflections: learning from failure
1. Openness is not a panacea
The incident is a reminder that least privilege applies to packages as much as to agents: even an open tool should ship only what its users need, not every internal implementation detail.
2. Defaults matter
Had Bun not emitted .map files by default, or had .npmignore excluded .map files by default, this disaster would not have happened.
3. Multiple layers beat a single layer
Even with a misconfigured .npmignore, any one of the following would have been a last line of defence:
- a files field in package.json that explicitly declares the files to publish
- an automated pre-publish scan that rejects the tarball if it contains .map files
- a manual review step
4. Transparency and security need balancing
The existence of "Undercover Mode" reveals a contradiction: Anthropic says it contributes "transparently" to the open source community, yet uses its AI tools anonymously. Such a double standard could damage long-term trust.
Conclusion
The Claude Code source leak is a short-term negative for Anthropic (exposed trade secrets, damaged trust) but may be a long-term positive for the AI agent industry.
Just as Android's open source fuelled the explosion of the mobile ecosystem, Claude Code's "accidental open source" may become an industry reference for AI agent engineering practice. Every developer can now learn directly from a leading AI agent codebase instead of guessing and reverse engineering.
The disaster also reminds us that security is not a one-time setup but a continuous process. For any team publishing npm packages the incident is a warning: one more layer of checking is one more layer of safety.
For OpenClaw users the incident is a good moment to re-examine your own architecture: do your AI agents have adequate security boundaries? Is your permission management strict enough? Are your supply chain audits thorough enough?
After all, in 2026, data sovereignty matters as much as system sovereignty.
Related links:
- APIYI in-depth report: Claude Code Source Code Leak: 512K Lines Exposed
- The Register: Anthropic goes nude, exposes Claude Code source by accident
- GitHub mirror: DonutShinobu/claude-code-fork
- DEV Community: Claude Code's Entire Source Code Was Just Leaked via npm Source Maps
- ABMedia (Chain News): Anthropic source code accidentally leaked, Claude Code technical architecture exposed (https://abmedia.io/claude-codes-source-code-appears-to-have-leaked)