The Claude Code Source Leak: How Anthropic Shipped Their Own Crown Jewels via npm
March 31 2026: Anthropic accidentally published the complete Claude Code source as a 59.8 MB source map bundled into @anthropic-ai/claude-code v2.1.88 on npm. ~513K lines of unobfuscated TypeScript across 1,906 files, including feature flags for unreleased capabilities, mirrored to GitHub within hours. A Bun build default + missing .npmignore did it. What leaked, why it happened, and the pre-publish CI gate every dev team should add today.
Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.
# The Claude Code source leak: how Anthropic shipped their own crown jewels via npm
On March 31, 2026, Anthropic accidentally published the complete source code of Claude Code inside a standard npm release. Not a breach. Not a social engineering op. Not a hacker dropping files on Telegram. A packaging misconfiguration in their build pipeline left a 59.8 MB JavaScript source map bundled in @anthropic-ai/claude-code version 2.1.88. Within hours of a security researcher flagging it on X, the codebase was downloaded, mirrored, forked on GitHub, and dissected by the entire AI engineering community.
This post walks through what happened, why it happened, what was in the leak, and the lesson for every company shipping a Bun, Vite, esbuild, or Webpack build to the public npm registry right now. Because if Anthropic can do this, so can you.
## The timeline
- March 31, 2026 morning: Anthropic publishes @anthropic-ai/claude-code v2.1.88 to npm as part of a routine release.
- March 31 ~14:00 UTC: Security researcher Chaofan Shou (@Fried_rice on X) notices the package ships with a .map source map file at 59.8 MB. Source maps are build artifacts that let debuggers reconstruct original source from minified output. Normally you ship them to your private sentry / datadog setup, not to a public package.
- ~14:30 UTC: The source map is inspected. It contains full, readable, unobfuscated TypeScript for approximately 1,906 files totaling about 513,000 lines of code. Complete Claude Code agent harness, tools, prompts, configuration, feature flags.
- ~15:00 UTC: The file gets downloaded from Anthropic's Cloudflare R2 bucket (which hosted the npm artifact), mirrored to multiple GitHub repos, and starts getting forked.
- ~16:00 UTC: Anthropic publishes a patched release without the source map, removes the vulnerable version.
- ~17:00 UTC: Anthropic spokesperson statement: "This was a release packaging issue caused by human error, not a security breach. No user data was exposed."
- Next 48 hours: Engineering Twitter / Hacker News / Reddit analyze every feature flag, internal codename, unreleased capability, and system prompt visible in the leak. Multiple "I forked Claude Code, here's what's new" posts trend.
The window was roughly three hours between publication and removal. That's enough for tens of thousands of downloads on an npm package with Claude Code's distribution.
## What was in the 513,000 lines
The leaked code was the client-side agent harness — the code that runs on developer machines, coordinates tool calls, manages context, and talks to Anthropic's model APIs. It was not the model weights. It was not backend infrastructure. It was everything the Claude Code CLI does once it's installed.
Concretely the leak exposed:
- Every prompt template — the system prompts, tool instructions, few-shot examples, meta-prompts used to steer the model for different tasks. For anyone trying to understand how Anthropic actually prompt-engineers a frontier coding agent in production, this was a goldmine.
- Every tool definition — how Claude Code wraps file read/write, shell execution, web fetch, git operations, editor integration, MCP server coordination. The JSON schemas, argument validation, and edge-case handling for each.
- Feature flags for unreleased capabilities, including (per public reporting):
  - A "persistent assistant" mode for background-running agents
  - Multi-agent orchestration (an agent that spawns sub-agents, routes work, combines results)
  - Advanced memory management tools not yet in public beta
- Internal codenames for models and capabilities, including references that aligned with the "Capybara" codename from the Mythos leak five days earlier.
- Infrastructure pointers — Cloudflare R2 bucket URLs, API endpoint patterns, rate limit tiers, telemetry pipeline endpoints. Not credentials, but architectural details that inform attack surface analysis.
- Security-sensitive logic — sandbox escape prevention, prompt injection guardrails, and filtering for what the agent will and won't do. Publishing this is basically publishing the test cases your adversary should use.
## Why this happened (the Bun + npmignore gap)
The cause is boring. And exactly the kind of issue Valtik finds on CI/CD audits.
Claude Code is built with Bun, the new JavaScript runtime / bundler. When you run bun build --target=node against a TypeScript codebase, Bun defaults to generating a full, unminified source map alongside the output. This is useful during development because a stack trace in production points back to the original TypeScript line.
In a correctly-configured release pipeline, .map files are excluded from the npm publish step via one of two mechanisms:
- A .npmignore file at the repo root listing *.map
- An explicit "files" array in package.json that whitelists only what should ship
Anthropic had neither. Their .gitignore excluded map files from git, so nobody saw them in the repo. But npm publish doesn't consult .gitignore. It builds from whatever is in the working directory at publish time, including the build output, unless you explicitly tell it not to.
Net result: npm publish ran, the build output included the 59.8 MB map, and up it went to the public registry.
Three lines of defense would have prevented this:
- .npmignore with *.map excluded
- package.json "files" array whitelisting just the dist/ JS files
- A pre-publish CI check that fails the job if any file in the tarball is over 10 MB or has a .map extension
None were in place.
## What Anthropic should do now
If I were on their incident response after this, the standard program is:
- Rotate every embedded secret or identifier. Any API endpoints, internal DNS names, or infrastructure references in the leak should be reviewed for any that deserve changing. Cloudflare R2 bucket URLs in particular.
- Prompt injection resistance regression test. The leaked prompts are now attacker-knowable. Every adversarial prompt designed around Claude Code's system prompt gets easier. Anthropic should be running a red team pass against the new public knowledge and patching any prompts that become exploitable.
- Build pipeline CI gates. Add the pre-publish check. Add .npmignore. Consider signing tarballs so the next accident shows up in audit logs.
- Incident disclosure to enterprise customers. Claude Code enterprise customers under SOC 2 / ISO 27001 agreements likely have notification obligations in their contracts. Anthropic's customer success team presumably worked through this list over the weekend.
- Public post-mortem. Anthropic has been consistent about publishing honest post-mortems. Expect one within 4-6 weeks.
## What this means for every other dev tool shipping on npm
Go read your own npm publish tarball. Literally right now. Run:
```bash
npm pack
tar tzf <your-package>-<version>.tgz | grep -E '\.map$|\.env|secret|credential'
```
You will be surprised.
Common leaks we've seen in package audits:
- Source maps shipped to public npm. Exactly like the Anthropic case. Widespread.
- .env files committed. Happens more than it should.
- Internal hostnames in comments. // prod only at internal.foo.com/api/v2
- Hardcoded API tokens in tests. Often dev/sandbox tokens, but sometimes production.
- SSH private keys in fixtures. Yes, really.
- AWS credentials in example code. Yes, really really.
- Full production config JSONs in "sample" directories.
For teams shipping to npm / PyPI / RubyGems / Maven / NuGet, the default policy should be:
- Default-deny packaging. The files field in package.json explicitly lists what ships. Nothing else gets in.
- Pre-publish scan. A CI step that inspects the tarball for high-risk file types and aborts on anything that shouldn't be there.
- Secret scanning in CI. Trufflehog or git-secrets running against the built artifact, not just against the source tree.
- Tarball diffing. For high-trust packages, a human should review the first few bytes of every file in a new version before it ships.
- Reproducible builds. If your build output is deterministic, you can spot when something unexpected sneaks in.
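A pre-publish gate of the kind named in the three lines of defense and in the policy list above, as an added example (not Anthropic's or Valtik's code): it audits the file list that npm pack --dry-run --json prints, applying the 10 MB and .map rules plus a default-deny allowlist. The allowlist layout, the name patterns beyond .map, and the sample package are assumptions of this example.

```javascript
// Added example: audit the file list printed by `npm pack --dry-run --json`.
const MAX_BYTES = 10 * 1024 * 1024; // the page's 10 MB per-file threshold
// Name patterns are this example's assumption, drawn from the leak types listed above.
const RISKY = [
  [/\.map$/i, "source map"],
  [/(^|\/)\.env(\.|$)/i, "env file"],
  [/(^|\/)id_(rsa|dsa|ecdsa|ed25519)$|\.(pem|key|p12)$/i, "private key material"],
  [/secret|credential/i, "secret/credential in name"],
];
// Default-deny: anything outside these paths is rejected (hypothetical package layout).
const ALLOW = [/^dist\/.+\.js$/, /^package\.json$/, /^README(\.md)?$/i, /^LICENSE(\.md)?$/i];

function auditPack(manifest, { maxBytes = MAX_BYTES, allow = ALLOW } = {}) {
  const findings = [];
  for (const pkg of manifest) {
    for (const { path, size } of pkg.files) {
      const reasons = RISKY.filter(([re]) => re.test(path)).map(([, why]) => why);
      if (size > maxBytes) reasons.push(`over ${maxBytes} bytes (${size})`);
      if (!allow.some((re) => re.test(path))) reasons.push("not on allowlist");
      if (reasons.length) findings.push({ pkg: pkg.name, path, reasons });
    }
  }
  return findings;
}

// Constructed sample in the shape npm emits; names and sizes are made up.
const SAMPLE = [{
  name: "example-cli", version: "1.0.0",
  files: [
    { path: "package.json", size: 812 },
    { path: "dist/cli.js", size: 4_100_000 },
    { path: "dist/cli.js.map", size: 59_800_000 },
    { path: "test/fixtures/.env.test", size: 96 },
    { path: "README.md", size: 2048 },
  ],
}];

// CI usage: npm pack --dry-run --json | node check-pack.js --stdin
if (process.argv.includes("--stdin")) {
  let raw = "";
  process.stdin.setEncoding("utf8");
  process.stdin.on("data", (chunk) => (raw += chunk));
  process.stdin.on("end", () => {
    const findings = auditPack(JSON.parse(raw));
    for (const f of findings) console.error(`${f.pkg}: ${f.path}: ${f.reasons.join(", ")}`);
    process.exitCode = findings.length ? 1 : 0;
  });
}
```

Run it as a required CI step before npm publish; a non-zero exit blocks the release. Lifecycle scripts that write to stdout during npm pack will corrupt the JSON, so keep their output on stderr.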
## What this means for security teams using Claude Code
If you use Claude Code as a developer tool (legitimate case), you should still upgrade to the latest patched version. The exposed source map is mostly an IP / trade-secret concern for Anthropic. Functionally the agent works the same.
If your organization uses Claude Code to handle sensitive code during security assessments, consider:
- Rate limits on what the agent can read in a single session (scope discipline)
- Audit logging of every tool call the agent makes
- Prompt content that assumes it may be extracted or leaked
The Anthropic leak was a packaging incident, not a breach of user sessions. But the broader lesson — that AI coding agents have a large attack surface and defenders should treat them accordingly — is reinforced.
## The larger pattern
Two major Anthropic incidents in one week (the Mythos datastore leak on March 26, then this on March 31) underline a consistent finding across SaaS security work: AI companies are ship-focused engineering orgs with relatively thin production security operations. Valtik sees this in every SaaS security engagement.
The fix isn't more security theater. It's:
- Default-deny CI pipelines
- Tarball inspection pre-publish
- SaaS misconfiguration scanners watching every content platform (CMS, marketing site, docs system)
- Quarterly red team against the SaaS attack surface specifically
- Content repositories treated with the same discipline as production databases
The Anthropic leaks weren't hacks. They were operational hygiene failures. Which is the most common kind of breach, and the kind Valtik specifically exists to catch before it ships.
## What Valtik can help with
If your organization ships JavaScript to npm, Python to PyPI, mobile apps, or any artifact that gets distributed at scale, the pre-publish review is one of the highest-ROI audits we run. We walk through your CI pipeline, your files / .npmignore configuration, your secret scanning, and your release process. Most audits find one or more shippable files that shouldn't ship.
For AI engineering teams specifically, we also run LLM-application security assessments against the OWASP LLM Top 10, including the prompt-injection and excessive-agency risks the Anthropic source leak has just made public. If you build on Claude, GPT, or any other model provider, the security model your agent harness enforces is now a bigger target than it was a week ago.
## Sources
- Anthropic Claude Code Leak — Zscaler ThreatLabz
- Anthropic leaked its own Claude source code — Axios, March 31 2026
- Claude Code's source code appears to have leaked — VentureBeat
- Anthropic Accidentally Exposes Claude Code Source via npm — InfoQ
- Anthropic accidentally exposes Claude Code source code — The Register
- Anthropic leaks part of Claude Code's internal source code — CNBC
- Claude Code's leaked source code revealed unreleased features — XDA Developers
- Full source code for Anthropic's Claude Code leaks — Cybernews
- Anthropic leaks its own AI coding tool's source code — Fortune, second security breach
