Claude Code Leak 2026: Which Hidden Features Are Real?

Claude Code’s leaked source did reveal real signals about Anthropic’s product direction, but the viral “full hidden-features list” framing is too blunt. Based on the available evidence, the stronger interpretation is that the leak exposed part of Claude Code’s agent harness and roadmap, while several features now being described as “secret” were already visible in Anthropic’s public documentation or product announcements.

That distinction matters for anyone trying to understand what actually changed on March 31, 2026. The leak is useful as a roadmap signal. It is not proof that every rumored feature is shipped, that Claude Code is now open source, or that Anthropic’s model weights were exposed.

Quick verdict: Treat Kairos, Undercover, Bridge, Coordinator, UltraPlan, and Buddy as meaningful clues about Anthropic’s direction, not as a confirmed release list. Treat memory, subagents, and cloud or web execution as public capabilities that the leak helps contextualize rather than newly discovered “hidden features.”

What actually happened in the Claude Code leak

On March 31, 2026, Anthropic accidentally shipped version 2.1.88 of @anthropic-ai/claude-code with a 59.8 MB JavaScript source map file that allowed observers to reconstruct a large readable TypeScript codebase. Public reporting consistently describes the incident as a packaging error caused by human error rather than a hack. Anthropic’s public statement, as quoted by multiple outlets, said no sensitive customer data or credentials were involved or exposed.

The code spread quickly through mirrors and forks, and Anthropic then used copyright takedown requests to slow redistribution on GitHub. That response is one of the clearest reasons the incident should not be mistaken for an open-source release: source exposure and open-source licensing are not the same thing.

A better way to read the hidden-features list

The most useful way to read the leak is with a three-tier model. Tier 1 includes capabilities that are already public or clearly adjacent to public docs. Tier 2 includes leak-only features that look like serious roadmap clues. Tier 3 includes the most viral items, but also the ones that require the most caution because they may be inactive, partial, or highly contextual.

Tier 1: already public or clearly adjacent to public docs

Claude Code memory is not a leak-only surprise. Anthropic’s public memory documentation already describes a four-level memory hierarchy and explains that Claude Code can remember preferences across sessions, with project and user memory files that persist instructions over time. The leak may have revealed more about internal implementation ideas, but persistent memory as a product capability was already public.

Subagents are also already public. Anthropic’s docs say Claude Code can delegate work to specialized subagents with separate context windows, custom prompts, and restricted tool permissions. That means the broad idea of multi-agent delegation was visible before the leak, even if specific internal orchestration features such as Coordinator were not.

Claude Code beyond the terminal was public too. Anthropic announced Claude Code on the web in October 2025 as a research preview that could run multiple coding sessions in parallel on Anthropic-managed infrastructure, and Anthropic’s help documentation also describes unified access across Claude surfaces for eligible plans. That makes “remote or cloud-mediated coding sessions” a public product direction, even if Bridge-style remote control details were not.

Tier 2: strong roadmap clues from the leak

Kairos is the most important leak-only feature to take seriously. Ars Technica’s review of the source describes it as a persistent daemon that could keep operating in the background, using periodic prompts and a memory system intended to preserve collaboration context across sessions. Ars also notes that Kairos did not appear fully implemented, which is exactly why it should be written as a roadmap clue rather than a shipped feature.

AutoDream belongs in the same bucket. The leaked prompts described a reflective memory-consolidation process that would scan transcripts, extract durable information, remove contradictions, and prune outdated memories. That matters because it suggests Anthropic is thinking past “session chat” and toward long-lived agent behavior, but there is still no public documentation showing AutoDream as a released feature.

Ars also reported references to UltraPlan, Voice Mode, Bridge, and Coordinator. Read carefully, those features point toward longer planning runs, voice interaction, remotely controllable sessions, and parallel worker orchestration. Read carelessly, they become a fake launch list. The public record supports the first interpretation, not the second.

Tier 3: high-interest, high-context, or low-confidence items

Undercover Mode is one of the most controversial items because it touches attribution, not just product design. Ars reported inactive prompt text telling the system not to mention Claude Code or disclose that it was an AI when making public open-source contributions. That is important as an ethical signal, but it is still best described as an inactive or unreleased internal prompt, not as a publicly documented product behavior.

Buddy is the opposite case. It is memorable, quotable, and highly shareable because it appears as an ASCII-art sidekick concept with multiple creature forms and launch-window references. It is also far less important than Kairos, memory, orchestration, or cloud execution if your goal is to understand where Claude Code is actually headed.

The honest full list, grouped by confidence

If you still want a “full list,” the most honest version is a graded one.

• Public or clearly adjacent to public docs: memory, subagents, cloud or web execution, multi-surface Claude Code access.
• Plausible roadmap clues from the leak: Kairos, AutoDream, UltraPlan, Voice Mode, Bridge, Coordinator.
• Experimental or context-heavy items that should be treated cautiously: Undercover Mode and Buddy.

That framing is less sensational than “44 hidden features exposed,” but it is much more useful. It tells the reader what is already public, what is worth watching, and what should not be overclaimed yet.

What developers should actually take away from this leak

The most practical conclusion is that the harness may matter more than the leak’s raw feature count. Reporting around the incident says Anthropic did not expose its AI models, but the leak did expose how a coding agent is wrapped in memory systems, tool orchestration, permissions, cloud execution, and interface logic. That is the part competitors, developers, and researchers can learn from.

Anthropic’s public materials already pointed in that direction before the leak. The docs describe persistent memory and specialized subagents, the web product announcement shows cloud-run parallel sessions, and Anthropic’s sandboxing write-up argues for more autonomous operation within tighter filesystem and network boundaries. Put together, those signals suggest a transition from a terminal assistant toward a more persistent, multi-surface, and more autonomous coding system.

Anthropic’s recent public push into computer control strengthens that reading. Ars reported in March 2026 that Claude Code could now control parts of a local computer in a research preview, which fits the broader pattern: not just answering in a shell, but acting across interfaces and environments.

What the leak does not mean

The leak does not mean Claude Code is open source. Anthropic’s effort to remove mirrors through copyright takedowns points in the opposite direction: the code was exposed without permission, and Anthropic treated redistribution as infringement, not as community use.

The leak also does not mean Claude’s model weights were exposed. Public reporting says Anthropic stated the incident did not impact its AI models, and the company separately said no sensitive customer data or credentials were exposed. The leak matters because it exposed the product layer around the model, not because it dumped the model itself.

It also does not mean mirrored builds are safe to test. TechRadar reported that attackers used the leak as bait for malicious GitHub repositories advertising “unlocked enterprise features,” with payloads that installed Vidar and GhostSocks. For most readers, that is the most actionable takeaway in the entire story: do not go hunting for leaked binaries.

FAQ

Did the Claude Code leak expose model weights?

No public reporting indicates that Claude’s model weights were exposed. Reporting instead says Anthropic stated the incident did not impact its AI models and did not expose customer data or credentials.

Is Claude Code open source now?

No. Anthropic’s response was to pursue takedowns of mirrored copies, which is the opposite of an intentional open-source release. Source exposure, copied artifacts, and open-source licensing are different things.

Which “hidden features” were already public in official docs?

Memory, subagents, and cloud or web-based Claude Code workflows were already public in Anthropic documentation or product announcements. The leak made those directions easier to interpret, but it did not invent them.

Which leak-only features seem most important?

Kairos looks most important because it points toward persistent background agency and long-lived collaboration state. Bridge, Coordinator, UltraPlan, and AutoDream also matter as roadmap clues, while Buddy is memorable but strategically less important.

Is it safe to try mirrored builds?

No. Recent security reporting says attackers used fake Claude Code mirror repositories to distribute infostealer malware. Even if the leak is real, that does not make third-party binaries trustworthy.