Anthropic’s Claude Code leaks source code again

Anthropic’s AI coding assistant, Claude Code, has leaked its own proprietary source code for the second time in less than 14 months. The leak occurred with version 2.1.88, released on March 31, 2026, exposing 1,906 proprietary source files through an exposed source map in its npm package. This incident follows a similar breach in February 2025, raising concerns about the company’s software development and security practices.

The leak exposed approximately 1,900 TypeScript files comprising over 512,000 lines of code, revealing far more than just the publicly available command-line interface tool. The exposed materials included internal API designs, telemetry systems, encryption tools, and several unreleased features that indicate Anthropic’s ambitious plans for the platform.

Unreleased Features and Internal Systems Exposed

The leaked source code revealed several previously unknown capabilities and features in development. Among the exposed features are KAIROS (an always-on agent mode), ULTRAPLAN, multi-agent coordination systems, and internal prompts. These discoveries suggest that Claude Code’s public-facing functionality represents only a fraction of what Anthropic has been developing behind the scenes.

The leak includes internal API designs, telemetry systems, and encryption tools, providing competitors and security researchers with detailed insights into Anthropic’s technical architecture. Additionally, the exposed code revealed AI agent internals like memory management and undercover modes designed to hide codenames in commits, indicating sophisticated features aimed at enterprise and professional developers.

The exposed materials also hint at planned IDE integrations and voice support capabilities, suggesting Anthropic intends to expand Claude Code beyond its current command-line tool format into a more comprehensive development environment.

Concurrent Performance and Cost Issues

The source code leak coincided with another significant problem affecting Claude Code users. On March 31, 2026, Anthropic confirmed that Claude Code users are hitting usage quotas faster than expected due to high token consumption, with Pro subscribers reporting only 12 usable days per month. This represents a substantial reduction from the expected monthly usage allowance.

Investigation into the quota problems revealed serious technical flaws. A developer reverse-engineered Claude Code’s binary on March 30-31, 2026, uncovering two caching bugs that inflate API costs 10-20x silently. These bugs were affecting the prompt cache system, causing users to consume far more tokens than their actual usage should have required.

The issues were confirmed as a regression and assigned for fixes by Anthropic via GitHub issue #40524. Potential bugs inflating costs by 10-20x via prompt cache issues were identified, and downgrading versions has helped some users as a temporary workaround while Anthropic develops permanent fixes.

Security Implications and Repeat Offense

What makes this incident particularly concerning is that it represents the second time Anthropic has accidentally exposed Claude Code’s source code through the same vulnerability mechanism. The February 2025 leak should have served as a warning that prompted comprehensive security audits and changes to the company’s build and deployment processes.

The exposure of source maps in npm packages is a well-known security risk in the JavaScript and TypeScript development community. Source maps are files that map minified or compiled code back to the original source code, intended to help developers debug production issues. However, when accidentally included in public package distributions, they can expose the entire codebase to anyone who downloads the package.

The leak provides competitors with detailed insights into Anthropic’s technical approaches, feature roadmap, and implementation strategies. For security researchers, the exposed encryption tools and internal API designs could potentially reveal vulnerabilities or attack vectors that could be exploited.

Questions About Development Practices

The repeated nature of this security lapse raises questions about Anthropic’s internal software development practices and quality assurance processes. Industry standard practices typically include automated checks to prevent source maps and other sensitive development artifacts from being included in production releases.

The simultaneous occurrence of the source code leak and the discovery of significant cost-inflating bugs suggests potential gaps in Anthropic’s testing and release procedures. The fact that the caching bugs could silently increase costs by 10 to 20 times indicates insufficient monitoring and validation of the tool’s actual resource consumption in production environments.

Key Facts

• Claude Code v2.1.88 was released on March 31, 2026, leaking 1,906 proprietary source files via an exposed source map
• The leak exposed approximately 1,900 TypeScript files comprising over 512,000 lines of code
• This marks the second source code leak for Claude Code, following a previous incident in February 2025
• Pro subscribers are experiencing only 12 usable days per month due to quota depletion
• Two caching bugs were discovered that inflate API costs by 10-20x silently
• Exposed features include KAIROS (always-on agent mode), ULTRAPLAN, and multi-agent coordination capabilities

Sources

• NDTV: Anthropic’s AI Coding Tool Leaks Its Own Source Code For The Second Time In A Year
• FutureTools: Anthropic’s Claude Code Gets Leaked
• The Register: Anthropic admits Claude Code quotas running out too fast
• MEXC: Claude Code caching bugs increase API costs