Anthropic’s Accidental Code Leak: What Happened When Claude’s Source Code Went Public

A Packaging Error That Exposed Half a Million Lines of Code

In what can only be described as a developer’s worst nightmare, Anthropic, the artificial intelligence company behind Claude, accidentally published the complete source code for its Claude Code CLI tool to the public npm package repository. This wasn’t a sophisticated cyberattack or a malicious insider—it was a straightforward human error during the software release process. On March 31, 2026, version 2.1.88 of the @anthropic-ai/claude-code package went live containing a massive 59.8 MB JavaScript source map file. For those unfamiliar with development tools, a source map is essentially a translator that connects minified, production-ready code back to its original, human-readable form. In this case, that map pointed directly to a zip archive sitting openly on Anthropic’s Cloudflare R2 storage bucket, containing approximately 512,000 lines of TypeScript code—the entire engineering blueprint for their coding assistant tool. No hacking was required, no passwords needed to be cracked, and no security systems had to be bypassed. The file was simply there, publicly accessible to anyone who noticed it and followed the link.

The discovery came from Chaofan Shou, a security researcher and intern at blockchain security firm Fuzzland, who spotted the vulnerability and posted the direct link to the storage bucket on X (formerly Twitter). What followed was predictable in the open-source community: within hours, developers had created mirror repositories on GitHub, some of which quickly accumulated tens of thousands of stars from curious onlookers and developers eager to examine how one of the leading AI companies builds its products. The community didn’t just passively archive the code—they immediately began modifying it, stripping out telemetry tracking, enabling hidden features that were locked behind internal flags, and even creating clean-room reimplementations in Python and Rust to avoid copyright infringement. Meanwhile, Anthropic’s legal team scrambled to issue DMCA takedown notices to remove the repositories, though by that point, the proverbial cat was already out of the bag.

The Technical Mistake Behind the Leak

Understanding how this happened doesn’t require deep technical knowledge—it’s actually a remarkably simple oversight that many developers could make under pressure or without proper safeguards. Anthropic uses Bun, a modern JavaScript bundler and runtime, for their build process. Bun’s bundler generates source maps by default, which is helpful during development for debugging but can be dangerous if those maps make it into public releases. The problem was that no one in the release pipeline disabled or excluded these debug artifacts before the package was published to npm. A single line in a configuration file—either an entry in .npmignore (which tells npm what files to exclude from the package) or in the “files” field of package.json (which specifies what to include)—would have prevented the entire incident. It’s the software development equivalent of leaving your house keys in the front door lock: not a sophisticated failure, but one with potentially serious consequences.

This simplicity makes the incident more concerning rather than less, particularly because this wasn’t Anthropic’s first rodeo with this exact problem. In February 2025, roughly thirteen months earlier, a nearly identical source map leak occurred with a previous version of Claude Code. That means the company experienced the same packaging error, presumably addressed it, implemented some form of fix or process change, and then somehow allowed it to happen again. For a company that builds tools specifically designed to help developers write better code with fewer errors, having the same mistake occur twice raises legitimate questions about internal quality assurance processes and release management protocols.

What the Leaked Code Revealed

The exposed code wasn’t just a collection of random files—it was a comprehensive look under the hood of a production-grade AI coding assistant. The approximately 1,900 TypeScript files covered nearly every aspect of how Claude Code operates: tool execution logic, permission schemas, memory systems, telemetry collection, system prompts that guide the AI’s behavior, and feature flags that control which capabilities are active. For competitors and researchers, this represented an unprecedented window into Anthropic’s engineering decisions, architectural choices, and product roadmap. It’s worth emphasizing what wasn’t exposed: the leak didn’t include model weights (the actual trained AI that powers Claude), customer data, user conversations, or authentication credentials. The core Claude models remain secure and unaffected.

However, the code did reveal some interesting details about how Anthropic approaches user privacy and tool design. The telemetry system, for instance, scans user prompts for profanity—not for censorship purposes, but as a signal of user frustration. Importantly, the system doesn’t log full user conversations or the actual code users are working on, addressing a common privacy concern with AI coding assistants. One particularly intriguing feature is “undercover mode,” which instructs the AI to remove references to internal Anthropic codenames and project details from git commits and pull requests. This suggests the tool is used internally at Anthropic, and the company wants to prevent accidental leaks of proprietary information—an ironic detail given the circumstances.

Secret Features Hiding Behind Internal Flags

Perhaps the most exciting discoveries for the developer community were the unreleased features sitting behind internal feature flags, giving a glimpse into Anthropic’s vision for the future of AI coding assistants. KAIROS, one of the most ambitious features, is designed as an always-on background daemon that continuously watches files in a project, logs development events, and runs a “dreaming” memory-consolidation process during idle time. This concept, inspired by how human memory works during sleep, suggests Anthropic is exploring ways for AI assistants to learn from observation and organize knowledge in the background rather than only responding to direct commands.

BUDDY takes a completely different approach to user engagement—it’s a virtual terminal pet system featuring 18 different species, including everyone’s favorite internet animal, the capybara. Each BUDDY has stats like DEBUGGING, PATIENCE, and CHAOS, apparently designed to add some personality and perhaps gamification elements to the coding experience. Then there’s COORDINATOR MODE, which represents a significant architectural evolution: instead of a single AI agent handling all tasks, this feature allows one agent to spawn and manage multiple parallel worker agents, each potentially handling different aspects of a complex coding task. ULTRAPLAN takes this even further, scheduling 10- to 30-minute remote multi-agent planning sessions where multiple AI agents collaborate on complex development challenges. These features collectively suggest Anthropic is moving toward more autonomous, collaborative AI systems that work more like a development team than a single assistant.

A Troubling Pattern of Security Lapses

When viewed in isolation, the npm leak might be written off as an unfortunate but understandable mistake in a fast-moving technology company. However, the March 31 incident didn’t occur in a vacuum. Just five days earlier, on March 26, a CMS (Content Management System) misconfiguration at Anthropic exposed approximately 3,000 internal files containing details about an unreleased AI model called “Claude Mythos.” That incident was also attributed to human error rather than malicious action. Two significant accidental disclosures within a single week paints a concerning picture about release hygiene and security culture at a company whose products are actively used by developers to write and ship production code at scale.

The timing was particularly unfortunate because the npm incident coincided with a separate, malicious supply-chain attack on axios, a popular JavaScript package, which was active between 00:21 and 03:29 UTC on the same day. Developers who happened to install or update Claude Code via npm during that specific window potentially exposed themselves to the axios attack alongside Anthropic’s accidental leak. In response, Anthropic now recommends users install Claude Code through its native installer rather than via npm, effectively sidestepping the npm ecosystem’s vulnerability to both packaging errors and supply-chain attacks. The company told Venture Beat that it is “rolling out measures to prevent a repeat,” though the specifics of these measures haven’t been publicly detailed, and given that this is the second occurrence of the same error, skepticism about the effectiveness of previous measures is understandable.

The Lasting Impact and Lessons Learned

Despite Anthropic’s DMCA takedown efforts, the leaked source code remains available in archived and mirrored forms across the internet—a reminder that once information escapes into the digital wild, it’s essentially impossible to fully contain. Anthropic has not published a comprehensive post-mortem or broader public statement beyond its brief comment to Venture Beat confirming the incident and attributing it to human error. This relative silence is notable given the company’s position as a leader in AI safety and responsible development. While no user data was exposed and the core Claude models remain secure, the blueprint for building a competitor to Claude Code is now substantially easier to assemble for anyone with the technical capability and willingness to study or adapt the leaked code.

The incident serves as a valuable reminder that even companies at the forefront of artificial intelligence technology are still vulnerable to very human mistakes in basic software engineering practices. Automated checks in the build pipeline—verifying that source maps and debug artifacts are excluded from production releases, for instance—could easily prevent this type of leak. The repetition of the same error suggests these safeguards either weren’t implemented after the first incident or weren’t comprehensive enough. For the broader technology industry, this incident highlights the importance of defense-in-depth approaches to security: not just preventing errors, but also implementing multiple layers of checks and safeguards so that when human errors inevitably occur, they’re caught before reaching the public. As AI coding assistants become more sophisticated and widely adopted, the companies building them will need to demonstrate that they can maintain the security and release discipline that users should expect from critical development tools. The Claude Code leak will likely become a cautionary tale in software engineering courses and security training for years to come—a reminder that in the age of public package repositories and instant global distribution, a single configuration oversight can expose months or years of proprietary work in seconds.