Claude Code Source Code Leaked via npm Packaging Error

Claude Code Source Code Leaked via npm Packaging Error

First seen 31 Mar 2026, 17:32 UTC CybersecuritynewsNews.YcombinatorTheregisterVenturebeatSecurityaffairs.Co+13 82% similarity 59.2

Article Content

Browse articles
ThreatCluster

On March 31, 2026, Anthropic inadvertently exposed the entire source code of its AI tool, Claude Code, by including a 59.8 MB source map file in a public npm package. This leak, caused by human error, allowed access to approximately 1,900 TypeScript files and over 500,000 lines of code, which were quickly mirrored and analyzed online. Anthropic confirmed that no sensitive customer data was involved, but the leak poses a significant risk as competitors can now study the architecture and features of Claude Code. The exposed code includes a sophisticated memory architecture and various undocumented features, potentially enabling rivals to replicate or improve upon Anthropic's technology. The company is taking steps to prevent future incidents and has begun issuing DMCA takedown notices for the leaked code. The incident follows a recent pattern of accidental exposures at Anthropic, raising concerns about their internal security practices.

Key Points: • Anthropic leaked the entire source code for Claude Code due to a packaging error. • The leak includes over 500,000 lines of code and critical architectural details. • No sensitive customer data was exposed, but the leak provides competitors with valuable insights.

ThreatCluster AI

Timeline

2026-03-31
Anthropic accidentally publishes Claude Code source map on npm.
2026-03-31
Security researcher Chaofan Shou discovers and reports the leak.
2026-03-31
Anthropic confirms the leak and states no sensitive data was exposed.
2026-03-31
Leaked source code begins to spread widely on GitHub and other platforms.
2026-04-01
Anthropic starts issuing DMCA takedown notices for the leaked code.

Community

Browse all →