Key Takeaways
- A 59.8 MB JavaScript source map file shipped in Claude Code’s npm package exposed 512,000 lines of unobfuscated TypeScript across 1,906 files.
- Security researcher Chaofan Shou discovered the leak on March 31, 2026, and the codebase was mirrored on GitHub within hours, accumulating over 41,500 forks.
- Anthropic confirmed no customer data or credentials were exposed and called it “a release packaging issue caused by human error.”
- The leak revealed Claude Code’s full internal architecture, including a 40-tool plugin system and a 46,000-line query engine handling all LLM API calls.
What Happened
Anthropic’s flagship AI coding agent, Claude Code, had its complete source code exposed through a misconfigured source map file published to the public npm registry on March 31, 2026. The leak occurred in version 2.1.88 of the @anthropic-ai/claude-code package, which contained a .map file pointing to a zip archive hosted on Anthropic’s Cloudflare R2 storage bucket. Security researcher Chaofan Shou, an intern at Solayer Labs, disclosed the discovery on X at approximately 4:23 AM ET, triggering an immediate viral response.
This marked Anthropic’s second source code exposure in a matter of days. Fortune reported the incident came shortly after a separate lapse involving Anthropic’s internal “Mythos” project, compounding scrutiny of the AI safety company’s own operational security.
Why It Matters
Anthropic has positioned itself as the AI industry’s most safety-focused company, raising over $10 billion on the promise of building reliable and secure AI systems. A packaging error that exposes the company’s core product source code to the public internet directly undermines that positioning. Commentary on DEV Community questioned whether a company asking enterprises to trust it with their codebases can adequately secure its own.
The incident also raises supply-chain security concerns for the broader npm ecosystem. Anthropic acquired the Bun JavaScript runtime in late 2025, and Claude Code is built on top of it. The Register noted that a known Bun bug causes source maps to be included in production builds even when configuration indicates they should not be, suggesting the error was partially toolchain-related rather than purely human.
Technical Details
The leaked archive contained approximately 512,000 lines of TypeScript spread across 1,906 files, totaling 59.8 MB in the source map alone. Analysis of the codebase revealed that Claude Code uses a plugin-like tool architecture with roughly 40 discrete tools. Each capability — file reading, bash execution, web fetching, LSP integration — is implemented as a separate, permission-gated module. The base tool definition alone comprised 29,000 lines of TypeScript.
The Query Engine, responsible for all LLM API calls, streaming, caching, and orchestration, spanned 46,000 lines. VentureBeat’s security analysis identified multiple potential attack paths that enterprise security teams should audit, including how the permission model gates tool execution and how the agent handles context windows.
Snapshots of the code were quickly backed up to a public GitHub repository that surpassed 1,100 stars and 1,900 forks before Anthropic issued DMCA takedown requests. Those takedowns initially affected more repositories than intended, and Anthropic later scaled them back. As of April 2, 2026, the repository has been forked more than 41,500 times across GitHub.
Who’s Affected
Enterprise customers using Claude Code in production environments face the most immediate concern. While Anthropic confirmed that “no sensitive customer data or credentials were involved or exposed,” the exposed architecture gives potential attackers a detailed map of how Claude Code’s permission system works. Cybernews reported this could inform targeted exploits against organizations running unpatched versions. Competitors including OpenAI, Google DeepMind, and open-source agent projects now have a detailed blueprint of Anthropic’s agentic harness design.
Developers in the open-source community have already begun creating alternative implementations based on the leaked code. The project Claurst, a Rust-based reimplementation of Claude Code’s architecture, appeared on GitHub within 48 hours of the leak.
What’s Next
Anthropic has stated it is conducting an internal review of its release packaging pipeline and will implement additional safeguards to prevent similar incidents. Bloomberg reported the company is accelerating plans to overhaul its CI/CD process, including mandatory source map stripping and artifact verification before npm publication.
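The kind of artifact verification described above, sketched as an added example (not Anthropic's pipeline and not code from any project named in this article): it audits the files a package would publish for shipped .map files, embedded original sources, remote source URLs, and sourceMappingURL references. The `{ path, content }` input shape, the rule names, and the sample package are assumptions constructed for illustration.

```javascript
// Added example: flag source-map leakage in the files a package would publish.
// Input shape [{ path, content }] and all rule names are assumptions of this sketch.
const MAP_REF = /^\s*(?:\/\/|\/\*)[#@]\s*sourceMappingURL=(\S+)/gm;
const REMOTE = /^https?:\/\//i;

function auditPackageFiles(files) {
  const findings = [];
  const add = (path, rule, detail = '') => findings.push({ path, rule, detail });
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      add(path, 'map-file-shipped');
      let map;
      try { map = JSON.parse(content) || {}; } catch { add(path, 'map-unparseable'); continue; }
      // sourcesContent carries the original source text verbatim.
      const embedded = (map.sourcesContent || []).filter((s) => typeof s === 'string');
      if (embedded.length) add(path, 'embedded-sources', `${embedded.length} file(s)`);
      // Absolute URLs in the map point readers at externally hosted sources.
      for (const ref of [map.sourceRoot, ...(map.sources || [])]) {
        if (typeof ref === 'string' && REMOTE.test(ref)) add(path, 'remote-source-url', ref);
      }
      continue;
    }
    if (!/\.(?:[cm]?js|css)$/.test(path)) continue;
    // Bundles reference their map through a trailing sourceMappingURL comment.
    for (const m of content.matchAll(MAP_REF)) {
      const target = m[1].replace(/\*\/$/, '');
      const rule = target.startsWith('data:') ? 'inline-map'
        : REMOTE.test(target) ? 'remote-map-reference' : 'map-reference';
      add(path, rule, target.slice(0, 80));
    }
  }
  return findings;
}

// Constructed sample: a bundle that references and ships its own map.
const samplePackage = [
  { path: 'package.json', content: '{"name":"example-cli","version":"0.0.0"}' },
  { path: 'cli.js', content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: JSON.stringify({
    version: 3, file: 'cli.js', mappings: 'AAAA',
    sources: ['../src/main.ts', 'https://storage.example.invalid/src.zip'],
    sourcesContent: ['export const main = () => {};', null],
  }) },
  { path: 'lib/util.js', content: 'module.exports = {};\n' },
];

for (const f of auditPackageFiles(samplePackage)) {
  console.log(`${f.rule}\t${f.path}\t${f.detail}`);
}
```

In CI, the file list can be taken from `npm pack --dry-run --json`, with any finding failing the publish job.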
For enterprise customers, VentureBeat recommends five immediate actions: auditing Claude Code permissions, reviewing network egress rules, checking for exposed API keys in agent logs, updating to the latest patched version, and monitoring for anomalous tool invocations.
