ANALYSIS

Claude Code’s source code has been leaked via a map file in their NPM registry

Anika Patel · Apr 1, 2026 · Updated Apr 7, 2026 · 3 min read
Engine Score 7/10 — Important

Claude Code source code leaking via NPM map file is a significant security incident for a major AI company.

  • Security researcher Chaofan Shou discovered that Anthropic’s Claude Code had its entire TypeScript source code exposed through a source map file published to the npm registry on March 31, 2026.
  • The leak revealed approximately 1,900 TypeScript files totaling over 512,000 lines of code, including 44 unshipped feature flags and an autonomous background agent system called KAIROS.
  • Anthropic confirmed it was “a release packaging issue caused by human error, not a security breach” and said no customer data or credentials were exposed.
  • The source code was mirrored on GitHub within hours, accumulating over 84,000 stars and 82,000 forks before the original uploader removed it.

What Happened

On March 31, 2026, security researcher Chaofan Shou discovered that Anthropic had inadvertently published the complete source code for Claude Code, its terminal-based AI coding agent, through the npm package registry. Shou disclosed the finding publicly via X/Twitter on Tuesday morning, triggering a rapid community response.

The root cause was a source map file (.map) included in version 2.1.88 of the @anthropic-ai/claude-code npm package. The 59.8 MB map file, intended for internal debugging, referenced unobfuscated TypeScript source code and pointed to a zip archive hosted on Anthropic’s Cloudflare R2 storage bucket, which was publicly accessible.

Why It Matters

The leak exposed the internal architecture of one of the most widely used AI coding tools. Within hours, the roughly 512,000-line TypeScript codebase was mirrored across GitHub. A repository called “claude-code-fork” accumulated over 41,500 forks before the uploader replaced it with a Python feature port due to legal liability concerns. Another mirror surpassed 84,000 stars and 82,000 forks, making it one of the fastest-growing repositories in GitHub’s history.

Software engineer Gabriel Anhaia noted the ease of such an exposure: “A single misconfigured .npmignore or files field in package.json can expose everything.” The incident highlights how standard JavaScript packaging tools can create unintended disclosure risks for proprietary code, even for well-resourced companies with dedicated security teams.
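The packaging risk described above can be caught before publishing. The following is an added example, not code from Anthropic or from the original article: a JavaScript check that inspects the files a package would ship and flags source maps, maps that embed original sources in `sourcesContent`, and `sourceMappingURL` references. The `{ path, content }` entry shape, the function name and the sample package are constructed for illustration; the path list itself can be taken from `npm pack --dry-run --json`.

```javascript
// Added example: pre-publish gate for source maps in an npm package.
// Each entry is { path, content } for one file that would be packed.
function inspectPackedFiles(entries) {
  const findings = [];
  for (const { path, content = '' } of entries) {
    if (/\.map$/i.test(path)) {
      let map = null;
      try { map = JSON.parse(content); } catch { /* not JSON: still flag the file */ }
      // sourcesContent holds the original source text, one item per source.
      const embedded = Array.isArray(map?.sourcesContent)
        ? map.sourcesContent.filter((s) => typeof s === 'string' && s.length > 0).length
        : 0;
      findings.push({
        path,
        kind: embedded > 0 ? 'map-with-embedded-sources' : 'map-file',
        sources: Array.isArray(map?.sources) ? map.sources.length : 0,
        embedded,
      });
      continue;
    }
    // Shipped JS that still points at a map tells consumers where to look.
    const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(content);
    if (m && /\.(c|m)?js$/i.test(path)) {
      const inline = m[1].startsWith('data:');
      findings.push({
        path,
        kind: inline ? 'inline-map' : 'map-reference',
        target: inline ? 'data: URI' : m[1],
      });
    }
  }
  return findings;
}

// Constructed sample package contents (not taken from any real package).
const SAMPLE_PACKAGE = [
  { path: 'package.json', content: '{"name":"example-cli","files":["dist"]}' },
  { path: 'dist/cli.js', content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'dist/cli.js.map', content: JSON.stringify({
      version: 3,
      sources: ['../src/cli.ts', '../src/util.ts'],
      sourcesContent: ['export const a = 1;', null],
      mappings: '',
    }) },
  { path: 'dist/vendor.js', content: 'module.exports = {};' },
];

console.log(inspectPackedFiles(SAMPLE_PACKAGE));
```

Run as a CI step that fails the release when the findings list is non-empty, so a change to `.npmignore` or the `files` field cannot silently reintroduce a map.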

Technical Details

The leaked codebase contained approximately 1,900 TypeScript files with the full libraries of slash commands and built-in tools that power Claude Code. Analysis revealed 44 feature flags covering capabilities that were fully built but not yet shipped, compiled to false in external builds.

Among the unreleased features, researchers identified a system called KAIROS that would allow Claude Code to operate as a persistent background agent, periodically fixing errors or running tasks without waiting for human input. The code also contained an “Undercover Mode” for making contributions to open-source repositories, with system prompts instructing the agent: “Do not blow your cover.”

A separate security concern emerged when researchers found that users who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC, may have pulled a malicious version of the axios dependency (versions 1.14.1 or 0.30.4) containing a Remote Access Trojan.

Who’s Affected

Developers who use Claude Code through npm are the most directly affected. Anthropic confirmed that no customer data or credentials were included in the leak. However, users who installed or updated during the narrow three-hour window on March 31 between 00:21 and 03:29 UTC should audit their axios dependency versions for potential RAT contamination from malicious versions 1.14.1 or 0.30.4.
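One way to carry out the axios audit mentioned above, as an added example that is not part of the original article: a JavaScript function that walks a parsed `package-lock.json` and reports every axios entry, direct or nested, at version 1.14.1 or 0.30.4. The function name and the sample lockfile (including its package names and the non-flagged version) are constructed for illustration.

```javascript
// Added example: find flagged dependency versions in a parsed package-lock.json.
// The two axios versions are the ones named in the article.
const FLAGGED_VERSIONS = new Map([['axios', new Set(['1.14.1', '0.30.4'])]]);

function findFlaggedInLock(lock, flagged = FLAGGED_VERSIONS) {
  const hits = [];
  const isHit = (name, version) => Boolean(flagged.get(name)?.has(version));

  // lockfileVersion 2/3: flat "packages" map keyed by install path,
  // e.g. "node_modules/some-sdk/node_modules/axios".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (isHit(name, meta.version)) hits.push({ name, version: meta.version, where: path });
  }

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const next = [...trail, name];
      if (isHit(name, meta.version)) {
        hits.push({ name, version: meta.version, where: next.join(' > ') });
      }
      walk(meta.dependencies, next);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);

  return hits;
}

// Constructed sample lockfile (package names other than axios are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.13.2' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/legacy-client/node_modules/axios': { version: '0.30.4' },
  },
};

console.log(findFlaggedInLock(SAMPLE_LOCK));
```

A lockfile only records the currently resolved versions, so a lockfile regenerated after the window can come back clean even if a flagged version was installed earlier; check installed `node_modules` and any global installs as well.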

Competing AI coding tools now have unprecedented visibility into Claude Code’s architecture, feature roadmap, and internal prompting strategies. The exposed feature flags reveal Anthropic’s near-term product plans in detail, including the KAIROS background agent system and the Undercover Mode for open-source contributions.

Open-source developers who examined the leak noted that the full libraries of slash commands and built-in tools were visible, providing a detailed map of how Claude Code processes user instructions and manages its tool-calling workflow internally.

What’s Next

An Anthropic spokesperson stated: “This was a release packaging issue caused by human error, not a security breach.” The company said it was implementing preventive measures to ensure source maps and internal debugging artifacts are excluded from future npm releases.

The leaked source remains accessible through multiple GitHub mirrors despite the original repository’s removal, making full containment unlikely. The incident may accelerate Anthropic’s timeline for officially shipping features like KAIROS, since their existence and implementation details are now public knowledge. It also serves as a cautionary example for any company distributing proprietary tools through public package registries without rigorous build pipeline audits.
