Anthropic’s Claude Code Source-Map Leak Exposes 512K Lines

Anthropic’s Claude Code CLI tool suffered a significant security breach on March 31, 2026, when a packaging error exposed over 512,000 lines of its TypeScript source code to the public. Security researcher Chaofan Shou discovered that version 2.1.88 of the @anthropic-ai/claude-code package shipped with a source map file that should never have been included. The leaked codebase was archived to GitHub within hours, where it has garnered widespread attention from developers and security researchers alike.

GitHub repository displaying leaked Claude codebase archive with sensitive map file and restricted area data exposed.

The Packaging Error

Anthropic called it a packaging error caused by human error. A 59.8 MB JavaScript source map file (.map), intended for internal debugging, was inadvertently included in version 2.1.88 of the @anthropic-ai/claude-code package on the public npm registry. Source map files bridge minified production code with original source code, allowing developers to debug applications, but are typically excluded from public releases.

Notably, this is reportedly not the first time Anthropic has shipped source maps in its npm packages. Earlier versions in 2025 also included full source maps before being pulled from the registry. Shou posted the finding on X, where it attracted millions of views, and the X post has since amassed more than 28.8 million views.

What the Leak Revealed

The leak revealed unreleased features, internal model codenames, and multi-agent orchestration architecture. The exposed codebase contains nearly 2,000 TypeScript files detailing sophisticated systems that go far beyond the simple CLI tool visible to end users.

Unreleased Features

Among the most significant discoveries is KAIROS, an unreleased feature mentioned extensively throughout the codebase. The leak has also shed light on a feature called KAIROS that allows Claude Code to operate as a persistent, background agent that can periodically fix errors or run tasks on its own without waiting for human input, and even send push notifications to users. Complementing this proactive mode is a new “dream” mode that will allow Claude to constantly think in the background to develop ideas and iterate existing ones.

The codebase also revealed an “Undercover Mode” designed for stealth contributions to open-source repositories. “You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover,” reads the system prompt.

Anti-Distillation Mechanisms

The leak exposed Anthropic’s defensive measures against competitors attempting to train models on Claude Code’s outputs. When enabled, Claude Code sends anti_distillation: [‘fake_tools’] in its API requests. This tells the server to silently inject decoy tool definitions into the system prompt. The idea: if someone is recording Claude Code’s API traffic to train a competing model, the fake tools pollute that training data.

Security Implications and Concurrent Threats

The timing of the leak coincided with a separate supply chain attack that compounded the security concerns. A separate and unrelated supply-chain attack hit the axios npm package on the same day, first reported by StepSecurity. Between 00:21 and 03:29 UTC on March 31, malicious versions of axios (1.14.1 and 0.30.4) containing a Remote Access Trojan were published to npm. Because Claude Code depends on axios, anyone who installed or updated it during that window may have pulled in the compromised dependency.

Security researchers warn that the exposed architecture creates new risks. A Reddit commenter highlighted the security implications of the leaked orchestration logic: If you know where and how prompt injection defenses are applied, you can more easily find a bypass. If you know the system prompts, an attacker doesn’t have to guess the preamble anymore to craft content that uses the right language to subvert the model.

Criminals have already begun exploiting the leak as a social engineering lure. A malicious GitHub repository published by idbzoomh uses the Claude Code exposure as a lure to trick people into downloading malware, including Vidar, an infostealer that snarfs account credentials, credit card data, and browser history; and GhostSocks, which is used to proxy network traffic. Attackers are already capitalizing on the leak to typosquat internal npm package names in an attempt to target those who may be trying to compile the leaked Claude Code source code and stage dependency confusion attacks.

Scope and Impact

It is worth noting that this is the Claude Code CLI tool, not the claude.ai web application or the LLM models themselves. The leak does not expose user data or the underlying AI models, but it does provide competitors and developers with detailed insights into Anthropic’s agent architecture and engineering approach.

The leaked codebase remains accessible via a public GitHub repository, where it has surpassed 84,000 stars and 82,000 forks. The version is no longer available for download from npm, though Anthropic cannot fully retract code that has already been widely distributed.

Recommended Actions for Developers

Security experts recommend several immediate steps for developers who may have been affected:

Developers should check their lockfiles for these specific versions or the dependency plain-crypto-js
Anthropic has designated the Native Installer (curl -fsSL https://claude.ai/install.sh | bash) as the recommended method because it uses a standalone binary that does not rely on the volatile npm dependency chain
Rotate your Anthropic API keys via the developer console and monitor your usage for any anomalies

Key Facts

Leak discovered March 31, 2026, by security researcher Chaofan Shou
Over 512,000 lines of TypeScript code exposed via source map file in npm package version 2.1.88
Leaked codebase has received over 84,000 stars and 82,000 forks on GitHub
Concurrent axios supply chain attack affected installations between 00:21 and 03:29 UTC on March 31
Leak revealed unreleased features including KAIROS autonomous mode and anti-distillation mechanisms
Criminals are actively exploiting the leak to distribute malware via fake repositories