A Single Misconfigured File Exposed 512,000 Lines of Claude Code. Here Is What Was Inside.
How Anthropic accidentally leaked 512,000 lines of Claude Code & what was inside
Not a Breach. A Packaging Error With Real Consequences.
On March 31, 2026, security researcher Chaofan Shou posted on X that Claude Code's entire source code was sitting in plain sight on the npm registry. The post has since accumulated more than 28.8 million views. Within hours, mirrors of the codebase had spread across GitHub, accumulating more than 84,000 stars and 41,500 forks before the original repository was repurposed by its uploader citing legal concerns.
Anthropic confirmed the incident the same day. Their statement, delivered to multiple outlets, was consistent: "Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again."
The distinction between a packaging error and a security breach is technically accurate. It is also incomplete as a description of the consequences. A misconfigured npm package accidentally exposed 512,000 lines of production code, internal feature flags, unreleased capabilities, and engineering decisions that Anthropic had not intended to make public. The code is already widely mirrored and being systematically analyzed by developers and competitors.
How It Happened: One File Left in the Wrong Place
The mechanism behind the leak is straightforward and, in hindsight, a familiar class of error in software publishing.
Claude Code version 2.1.88 was published to the npm registry under @anthropic-ai/claude-code. The published package included a 59.8 MB JavaScript source map file, a .map file, that should have been excluded before release. Source map files are debugging artifacts. They map minified or bundled code back to the original, human-readable source files so that developers can debug production builds meaningfully. They are standard development tools and are never intended to ship in public packages.
The source map in this case contained a reference to an unobfuscated TypeScript source, which in turn pointed to a zip archive hosted on Anthropic's Cloudflare R2 storage bucket. That zip archive was publicly accessible. Anyone who followed the reference chain could download and decompress the full Claude Code source. The archive contained approximately 1,900 TypeScript files across 512,000 lines of code.
The technical cause is a missing exclusion in either the .npmignore file or the files field in package.json. As one security researcher noted in their analysis: "A single misconfigured .npmignore or files field in package.json can expose everything." There is also an open bug report (oven-sh/bun#28001, filed March 11) noting that Bun, the runtime Claude Code uses, generates source maps in production mode even though its documentation says they should be disabled. Anthropic acquired Bun at the end of 2025. Whether the open Bun bug contributed to the leak has not been confirmed.
This is also Anthropic's second accidental exposure in under a week. Fortune reported days earlier that the company had inadvertently made approximately 3,000 files publicly accessible, including a draft blog post detailing an upcoming model referred to internally as both Mythos and Capybara.
What the Leaked Code Actually Contains
The leaked codebase is the source code for Claude Code's agentic harness, the software layer that sits around the underlying AI model and governs how it interacts with tools, manages context, executes tasks, and communicates with IDE extensions. It is not the model weights, the training data, or any of the core model architecture.
What was exposed includes the following confirmed components, drawn from analysis published by multiple independent security researchers:
The tools system. The source includes implementations for file reading, bash execution, and other tool integrations that enable Claude Code's agentic capabilities. These are the mechanisms through which Claude Code interacts with the developer's environment.
The query engine. The component handling LLM API calls and orchestration, including how Claude Code structures requests to the underlying model and processes responses.
Multi-agent orchestration. Code for spawning sub-agents to handle parallel or complex tasks, confirming the multi-agent architecture that has been observed in Claude Code's behaviour.
A bidirectional communication layer connecting Claude Code to IDE extensions.
System prompts. The prompts that govern Claude Code's behaviour are included in the distributed CLI package rather than being server-side only. Multiple analysts noted this as architecturally surprising.
44 feature flags covering capabilities that are built and compiled into the codebase but not yet shipped externally, including several that provide a clear picture of Anthropic's near-term product roadmap.
Among the confirmed unreleased features visible in the code:
KAIROS is referenced more than 150 times in the source and represents a background daemon mode that allows Claude Code to operate as an always-on agent, taking action without waiting for user input.
autoDream is a background service that performs memory consolidation while the user is idle, merging observations, removing contradictions, and maintaining persistent context across sessions.
ULTRAPLAN offloads complex planning tasks to a remote Opus 4.6 session for extended deep planning cycles.
An anti-distillation mechanism sends what the code labels fake_tools in API requests when a specific flag is enabled, injecting decoy tool definitions into the system prompt to pollute training data that might be collected by recording API traffic. This feature is gated behind a feature flag and only active for first-party CLI sessions according to the source.
Undercover Mode prevents Claude Code from revealing internal model codenames, including Capybara and Tengu, and from disclosing that the user is an AI when Anthropic employees use Claude Code to contribute to public repositories.
None of these features are officially confirmed by Anthropic as shipping on any specific timeline. Their presence in the codebase confirms they are built and internally active. It does not confirm when or whether they will be released publicly.
What Was Not Exposed
The boundaries of the leak matter as much as what was inside it.
No user data was exposed. No conversation history was accessible. No API credentials or authentication tokens were included. The underlying Claude model weights, the core AI model itself, were not part of the leaked package. What leaked is the software harness around the model, not the model.
Anthropic confirmed this directly and no subsequent analysis has contradicted it.
The Secondary Risk: Typosquatting
Security researcher Clément Dumas identified a concurrent secondary threat following the leak. Attackers have already registered npm package names that closely match internal package names visible in the leaked source code. All were published by a user named pacifier136. At time of reporting they contained empty stubs, but the pattern is consistent with typosquatting attacks that establish namespace presence first and push malicious payloads after sufficient downloads accumulate.
Developers who are attempting to compile or run the leaked Claude Code source and installing dependencies by name are at risk of installing these malicious packages. Anyone working with the leaked source should not install dependencies from npm without verifying them against the original package list.
What Developers Using Claude Code Should Know
For developers using Claude Code as intended through official distribution channels, Anthropic recommends switching to the Native Installer rather than npm as the primary installation method: ``` curl -fsSL https://claude.ai/install.sh | bash ```
The native installer uses a standalone binary that does not rely on the npm dependency chain. This also removes the exposure to the Axios supply chain attack that occurred on the same day, which affected installations that pulled axios@1.14.1 via npm.
For developers who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC, the Axios supply chain attack risk applies separately. Check your lockfiles for axios@1.14.1, axios@0.30.4, or plain-crypto-js. If present, treat the machine as compromised and rotate all secrets.
Conclusion
The Claude Code source leak was a packaging error, not a breach. No customer data was compromised. The model itself was not exposed. But 512,000 lines of production code, 44 feature flags, unreleased capabilities, and internal engineering decisions are now publicly available and being systematically analyzed.
The real consequence is not immediate user harm. It is the loss of strategic surprise on a product that has reached $2.5 billion in annualized revenue and is central to Anthropic's enterprise growth strategy. Competitors now have a detailed, accurate view of how the product's agentic harness is built and where it is headed next. That information cannot be revoked.
If you are looking for guidance on building secure software release pipelines, implementing supply chain security controls for npm packages, or designing packaging and distribution processes that prevent this class of accidental exposure, please reach out to MonkDA. We work with engineering teams building production software infrastructure at every stage.
Ready to take your idea to market?
Let's talk about how MonkDA can turn your vision into a powerful digital product.