Anthropic Leaks Claude Code Source via npm Registry

Anthropic confirmed on Tuesday, March 31, 2026, that it accidentally leaked the source code for Claude Code, its popular AI-powered coding assistant, after a debugging file was inadvertently bundled into a routine software update and pushed to the public npm registry, exposing nearly 2,000 files and 500,000 lines of code. The exposure was spotted Tuesday morning by security researcher Chaofan Shou, and within hours, the codebase was mirrored and dissected across GitHub, quickly amassing thousands of stars.

An Anthropic spokesperson stated that no sensitive customer data or credentials were involved or exposed, describing the incident as a release packaging issue caused by human error, not a security breach. The company has begun rolling out measures to prevent similar incidents in the future.

How the Leak Occurred

The leak resulted from a source map file included in Claude Code’s npm package. Developers use map files for debugging bundled code, and this one contained a reference to the unobfuscated TypeScript source. That reference pointed to a zip archive hosted on Anthropic’s Cloudflare R2 storage bucket that researchers were able to download and decompress.

Software engineer Gabriel Anhaia noted in his analysis that a single misconfigured .npmignore or files field in package.json can expose everything, serving as a reminder for developers to check their build pipelines. Publishing map files is generally frowned upon, as they’re meant for debugging obfuscated or bundled code and aren’t necessary for production.
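A pre-publish check for the packaging failure described above, as an added example that is not from the article or from Anthropic's tooling: it audits the set of files a package tarball would contain and flags shipped map files, inline maps, embedded original source, and absolute URLs in a map's `sources`. The function names, issue labels and `SAMPLE_PACKAGE` (including its placeholder URL) are assumptions constructed for illustration.

```javascript
// Added example: audit the files an npm tarball would ship for source-map exposure.
// SAMPLE_PACKAGE is constructed; its paths, contents and URL are placeholders.
function checkMap(path, text, findings) {
  let map;
  try {
    map = JSON.parse(text);
    if (map === null || typeof map !== 'object') throw new Error('not an object');
  } catch (err) {
    findings.push({ path, issue: 'unparseable-map' });
    return;
  }
  // sourcesContent carries the original, pre-bundle source verbatim.
  if ((map.sourcesContent || []).some((s) => typeof s === 'string' && s.length > 0)) {
    findings.push({ path, issue: 'embedded-original-source' });
  }
  // An absolute URL in "sources" tells any reader where the originals are hosted.
  for (const src of map.sources || []) {
    if (/^https?:\/\//i.test(src)) {
      findings.push({ path, issue: 'remote-source-reference', detail: src });
    }
  }
}

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      findings.push({ path, issue: 'map-file-shipped' });
      checkMap(path, content, findings);
      continue;
    }
    if (!/\.[cm]?js$/.test(path)) continue;
    // Bundlers append this comment to point at (or embed) the map.
    const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(content);
    if (!m) continue;
    const inline = /^data:application\/json[^,]*;base64,(.+)$/.exec(m[1]);
    if (inline) {
      findings.push({ path, issue: 'inline-source-map' });
      checkMap(path, Buffer.from(inline[1], 'base64').toString('utf8'), findings);
    } else {
      findings.push({ path, issue: 'map-reference', detail: m[1] });
    }
  }
  return findings;
}

const SAMPLE_PACKAGE = [
  { path: 'package.json', content: '{"name":"example-cli","version":"1.0.0"}' },
  { path: 'cli.js', content: 'console.log(1);\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: JSON.stringify({ version: 3, mappings: '',
      sources: ['https://storage.example.invalid/src.zip', '../src/main.ts'] }) },
];
const sampleFindings = auditPackageFiles(SAMPLE_PACKAGE);
for (const f of sampleFindings) console.log(`${f.path}: ${f.issue} ${f.detail || ''}`);
```

In a release pipeline the file list would come from `npm pack --dry-run --json`, with any finding failing the build before `npm publish` runs.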

Extent of the Exposure

The reconstructed source code contains approximately 1,900 files, 500,000 lines of code, and details of several Claude-exclusive features. The leaked material gave outsiders room to study how Claude Code is organized, how parts of the tool interact, and what sort of internal logic sits behind the user experience.

The leaked code contained dozens of feature flags for capabilities that appear fully built but haven’t shipped, including the ability for Claude to review its latest session to improve future performance, a “persistent assistant” running in background mode, and remote capabilities allowing users to control Claude from a phone or another browser.

The leaked code also provided evidence that Anthropic has a new model with the internal name Capybara that the company is actively preparing to launch, with a senior AI security researcher suggesting it may be released in both “fast” and “slow” versions and could be the most advanced model on the market.

Competitive Implications

At least some of Claude Code’s capabilities come from the software “harness” that sits around the underlying AI model and instructs it how to use other software tools, and it is the source code for this agentic harness that has now leaked online. The leak potentially allows a competitor to reverse-engineer how Claude Code’s agentic harness works and use that knowledge to improve their own products.

The leak won’t sink Anthropic, but it gives every competitor a free engineering education on how to build a production-grade AI coding agent and what tools to focus on. Claude Code has seen massive adoption over the last year, with its run-rate revenue swelling to more than $2.5 billion as of February, prompting companies like OpenAI, Google and xAI to pour resources into developing competing offerings.

Takedown Efforts and Permanent Distribution

Thousands of copies of the code were removed from GitHub in response to copyright takedown requests from Anthropic, though snapshots of Claude Code’s source code were quickly backed up in a GitHub repository that has been forked more than 41,500 times so far, disseminating it to the masses.

While the source code has spread online, Anthropic has begun issuing DMCA infringement notifications to take it down where possible. However, the widespread distribution across multiple platforms and mirrors has made complete removal effectively impossible.

Security Concerns and Related Threats

A more pressing concern is the fallout from an Axios supply chain attack, as users who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC may have pulled a trojanized version of the HTTP client that contains a cross-platform remote access trojan. Users are advised to immediately downgrade to a safe version and rotate all secrets.

Attackers are already capitalizing on the leak to typosquat internal npm package names in an attempt to target those who may be trying to compile the leaked Claude Code source code and stage dependency confusion attacks.

Second Security Lapse in Days

The leak comes just days after Anthropic had inadvertently made close to 3,000 files publicly available, including a draft blog post that detailed a powerful upcoming model that presents unprecedented cybersecurity risks. The latest data leak is potentially more damaging to Anthropic than the earlier accidental exposure, as it allowed people with technical knowledge to extract additional internal information from the company’s codebase.

The leak deepens questions about operational security at a company that sells itself as the safety-first AI lab, raising concerns about trust and internal review processes before software releases.

Key Facts

  • The leak exposed approximately 1,900 files and 500,000 lines of Claude Code source code
  • Security researcher Chaofan Shou spotted the exposure on Tuesday morning, March 31, 2026
  • Anthropic confirmed no customer data or credentials were exposed, calling it human error rather than a security breach
  • The leaked code was forked more than 41,500 times on GitHub
  • Users who installed Claude Code via npm between 00:21 and 03:29 UTC on March 31 may have been affected by a separate supply chain attack
  • Claude Code’s run-rate revenue reached more than $2.5 billion as of February 2026
