Anthropic's Claude Code CLI Leak Reveals Hidden Tamagotchi 'Pet' and Always-On Agent—Then Prompts a Takedown Frenzy

Main Takeaway
Over 512K lines of Claude Code CLI source leaked via NPM source maps, exposing a Tamagotchi-style pet and always-on agent—then Anthropic accidentally tried to scrub thousands of GitHub repos before walking it back.
Summary
The leak in a nutshell
Anthropic accidentally exposed the complete source code for Claude Code CLI through publicly accessible source map files. Over 512,000 lines of production-grade code were exposed, including internal architecture details, upcoming model configurations, and an unexpected Tamagotchi-style virtual pet and always-on coding agent. This marks the second major leak from Anthropic within a week, following their recent 3,000-file data exposure.
How the breach happened
The leak originated from source map files (.map) included in the NPM package distribution of Claude Code CLI. These maps, designed to help with debugging, contained uncompressed TypeScript source code that revealed the full internal structure. Gabriel Anhaia's analysis shows the codebase includes 40,000 lines for plugin systems and 46,000 lines for query processing. The code wasn't obfuscated or minified in these maps, making it trivial for anyone to reconstruct the complete source.
Anthropic’s panicked cleanup and walk-back
Within hours of the leak spreading across GitHub, Anthropic’s legal and security teams filed thousands of DMCA takedown requests targeting repositories that mirrored or forked the code. The company claims the notices were issued automatically and in error, and has since retracted the bulk of them. Executives told TechCrunch the sweep was “an accident,” though the timing suggests an attempt to contain the damage rather than a clerical slip.
What's inside the leaked code
Beyond basic CLI functionality, the leaked code reveals Claude Code's sophisticated internal architecture. The codebase shows production-grade features including advanced plugin systems, complex query processing, and hints about upcoming model capabilities. But buried deeper, The Verge found a Tamagotchi-style virtual pet that evolves based on your coding habits and an always-on agent that quietly monitors your development environment. The pet appears to be an easter egg—complete with feeding mechanics and mood states—while the agent continuously analyzes code patterns and suggests improvements without explicit prompts. Security researchers immediately began analyzing the code for potential vulnerabilities and attack surfaces, though no exploitable flaws have been confirmed yet.
Community fallout and next steps
Forks of the leaked repo topped 10,000 stars before the takedown wave hit. Developers are now debating whether the Tamagotchi pet is harmless fun or an always-on surveillance gimmick. Anthropic hasn’t issued a formal apology or timeline for patching the source map exposure, but quietly updated the NPM package to strip the maps in version 0.8.2.
Key Points
Over 512K lines of Claude Code CLI source leaked via NPM source maps.
Hidden Tamagotchi-style pet tracks your coding habits and evolves accordingly.
Always-on AI agent silently watches your dev environment and offers unsolicited tips.
Anthropic accidentally filed thousands of GitHub takedown notices, then retracted them.
NPM package quietly updated to remove source maps in version 0.8.2.
FAQs
Most public mirrors were briefly taken down, but copies persist in private forks and archives. Proceed with caution—redistribution may invite DMCA notices.
No vulnerabilities have been confirmed, yet an always-on agent that logs keystrokes and file events raises privacy flags.
No formal apology has been issued; executives called the takedown sweep an 'accident' in comments to TechCrunch.