
Incident at a Glance
- 512K lines of source code
- 1,906 TypeScript files
- 59.8 MB source map file
- 2nd time this happened
On March 31, 2026, security researcher Chaofan Shou noticed something odd inside the @anthropic-ai/claude-code npm package. There was a 59.8 MB debug file that pointed to a zip archive sitting in a public storage bucket owned by Anthropic. That archive contained the full Claude Code source code. 1,906 TypeScript files. 512,000 lines. Every tool, every slash command, and all the internal systems that make Claude Code work.
Anthropic confirmed it the same day. They called it “a release packaging issue caused by human error, not a security breach.” No customer data was exposed, no credentials, no model weights. But Claude Code's entire internal architecture was now public, including a system built specifically to stop exactly this kind of leak from happening. The GitHub mirror hit 41,500 forks before the end of the day.
“A single misconfigured .npmignore or files field in package.json can expose everything.” (Gabriel Anhaia, engineer)
What makes this harder to swallow: it already happened once before. The same type of source map leak hit an earlier version of Claude Code in February 2025. Same mistake, same vector, thirteen months later.
How a Debug File Exposed an Entire Codebase
Source maps are debug helpers. When you compile and minify TypeScript for a release, source maps link the messy output back to your original code so you can read stack traces properly. They are useful during development. They should never ship to a public package.
In version 2.1.88 of @anthropic-ai/claude-code, a .map file was accidentally included in the npm tarball. That file had a URL pointing to a zip archive on Anthropic's Cloudflare R2 storage, which was publicly readable. So anyone who installed the package and opened the .map file could just download the whole source. No hack required.
- Anthropic builds Claude Code. The TypeScript compiler generates a .map debug file alongside the compiled output.
- The .map file is uploaded to a Cloudflare R2 bucket, with public read access, as part of the build process.
- The .npmignore file (or files field in package.json) fails to exclude the .map file from the published package.
- npm publish ships the .map file to the public registry alongside the production bundle.
- Any developer who installs @anthropic-ai/claude-code@2.1.88 now has a pointer directly to 512,000 lines of unobfuscated source.
No credentials were needed. Nothing was hacked. The source was just sitting there, openly accessible to anyone willing to peek inside a debug file.
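To make concrete what a shipped source map can disclose, the following added example (not Anthropic's or Helixar's code) audits a generated bundle and its version 3 source map for embedded original source and external URL references. The sample bundle, the sample map and the host storage.example.invalid are constructed placeholders.

```javascript
// Added example: report what a bundle and its source map would disclose if published.
// SAMPLE_* values are constructed; storage.example.invalid is a placeholder host.
const EXTERNAL = /^(https?:)?\/\//i;

// Value of the sourceMappingURL comment in a generated JS file, or null.
function findSourceMappingURL(bundleText) {
  const m = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/m.exec(bundleText);
  return m ? m[1] : null;
}

// Findings for a parsed (version 3) source map object.
function auditSourceMap(map) {
  const findings = [];
  const sources = map.sources || [];
  const embedded = (map.sourcesContent || []).filter((c) => typeof c === "string");
  if (embedded.length > 0) {
    findings.push(`embeds original source for ${embedded.length} of ${sources.length} files`);
  }
  if (map.sourceRoot && EXTERNAL.test(map.sourceRoot)) {
    findings.push(`sourceRoot is an external URL: ${map.sourceRoot}`);
  }
  for (const s of sources) {
    if (EXTERNAL.test(s)) findings.push(`source entry is an external URL: ${s}`);
  }
  return findings;
}

// Combine both checks for one bundle; mapText may be null when no .map file ships.
function auditArtifact(bundleText, mapText) {
  const findings = [];
  const url = findSourceMappingURL(bundleText);
  if (url) {
    findings.push(url.startsWith("data:")
      ? "bundle carries an inline (data: URI) source map"
      : `bundle references a source map: ${url}`);
  }
  if (mapText) findings.push(...auditSourceMap(JSON.parse(mapText)));
  return findings;
}

const SAMPLE_BUNDLE = "var a=1;console.log(a);\n//# sourceMappingURL=cli.js.map\n";
const SAMPLE_MAP = JSON.stringify({
  version: 3, file: "cli.js", mappings: "AAAA",
  sourceRoot: "https://storage.example.invalid/src/",
  sources: ["main.ts", "tools/bash.ts"],
  sourcesContent: ["export const a = 1;\n", null],
});
console.log(auditArtifact(SAMPLE_BUNDLE, SAMPLE_MAP).join("\n"));
```

An empty result for every bundle in the release directory means no source map, inline or external, travels with the package.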
What Was Inside
Once people had access, they found out Claude Code is built on Bun (not Node.js), uses React with Ink for the terminal UI, and has a multi-agent system internally called “swarms.” The four most significant things that became public:
Exposed Systems
Query Engine (~46,000 lines)
The largest module. Handles all LLM API calls, streaming, response caching, and multi-agent orchestration. Exposes how Claude Code routes prompts, manages context windows, and coordinates parallel agent tasks.
Tool Architecture (~29,000 lines for base tool definition alone)
A plugin-style architecture covering ~40 built-in tools: file operations, bash execution, LSP integration, browser control, and more. The full interface contract for every tool Claude Code can invoke.
~50 Slash Commands
Complete implementation of every built-in slash command, including internal ones not documented publicly.
“Undercover Mode”
An internal system specifically designed to prevent Anthropic's internal information from appearing in Claude Code outputs or leaking through the tool. Its full implementation is now public.
No passwords leaked. No user data. But having the full source changes things for attackers. If you know exactly how Claude Code routes prompts, which tools it exposes, and what interface contracts those tools use, it is much easier to build targeted prompt injection attacks or find tool-abuse paths that were not obvious before.
Think of it like a burglar getting the floor plan of a building before a break-in. They still have to find a way in, but now they know exactly where the valuables are and where the weak points are. The source leak gives attackers a detailed map of how Claude Code works internally, which makes every future attack attempt better informed.
The Same Mistake, Twice
The February 2025 version of this incident barely made the news. This one did, because Claude Code is now a lot bigger and March 2026 was already a bad month for the developer toolchain. The security community was already watching closely after the LiteLLM PyPI supply chain attack, the axios npm RAT deployment, and the Qihoo 360 SSL key exposure.
March 2026 was a rough month for the developer toolchain. Three supply chain attacks, and then this. The difference is that the others were malicious. The Claude Code leak was just a mistake, by the company that arguably should be the most careful about this.
March 2026 Supply Chain Incidents
| Date | Incident | Vector |
|---|---|---|
| Mar 16 | Qihoo 360 SSL key in installer | Hardcoded secret in artifact |
| Mar 24 | LiteLLM PyPI RAT (97M downloads) | Malicious dependency, postinstall |
| Mar 31 | axios npm RAT (100M downloads) | Maintainer hijack, postinstall |
| Mar 31 | Claude Code full source (512K lines) | Misconfigured .npmignore |
Why This Keeps Happening
This is not really a carelessness problem. It is a process gap. Most engineering teams have no automated check that looks at what is actually inside a package before it ships.
A typical npm publish flow goes: write code, pass tests, bump version, publish. Done. At no point does anything automatically ask “does this package contain something it should not?” Source maps, API keys, private certs, internal config, debug output. All of these have shipped to public registries by good engineers at good companies. Not because they were careless, but because the check was never there.
- Source maps pointing to private source repositories or cloud storage (this incident, Feb 2025)
- Private SSL keys bundled as build artifacts (Qihoo 360, March 2026)
- Hardcoded API keys and tokens left in config files or test fixtures
- Internal documentation and architecture diagrams included in build output
- Malicious dependencies added by compromised maintainers (LiteLLM, axios)
How ReleaseGuard Would Have Caught This
Helixar ReleaseGuard is a free, open-source tool that scans a release artifact before it goes to the registry and flags anything that should not be there. It is built for exactly this type of problem. The Claude Code incident had three signals it would have caught before npm publish ever ran:
What ReleaseGuard Detects in This Incident
- Source map files in production packages. ReleaseGuard's artifact policy engine flags .map files in npm tarballs as a high-confidence anomaly for production releases. A policy rule as simple as “fail if any *.map file is present in the published tarball” would have blocked this publish entirely.
- Unexpected package size delta. ReleaseGuard diffs the package size and file count against previous releases. A 59.8 MB source map file appearing in a package that previously contained only compiled JavaScript would have triggered an immediate size anomaly alert, with a diff showing the new file.
- External URL references in artifact files. Source map files contain sourceRoot or sourceMappingURL fields that may reference external URLs. ReleaseGuard scans artifact file contents for external URL references pointing outside the package, flagging potential data exfiltration paths or, in this case, public cloud storage references.
- SBOM diff against previous release. ReleaseGuard generates a Software Bill of Materials for every release and diffs it against the prior version. Any file appearing in the SBOM that was not in the previous release requires an explicit acknowledgement before the publish proceeds.
ReleaseGuard plugs into your CI pipeline and runs these checks on every release candidate automatically. The engineer publishing does not need to remember to check. The gate is just always there.
Manual Check Every Team Should Run Today
Before your next npm publish, run a dry pack and inspect what would be included:
```bash
# See exactly what npm would publish
npm pack --dry-run

# Check for .map files specifically
npm pack --dry-run 2>&1 | grep -E '\.map$'

# Or unpack the tarball and inspect
npm pack && tar tzf your-package-*.tgz | grep -E '\.map$|\.env|credentials'
```

If any .map file appears in the output, exclude it in .npmignore or via the files field in package.json before publishing. ReleaseGuard automates this check and enforces it as a blocking gate.
What This Means for AI Tool Security
AI coding tools are different from regular software in one important way: they actively participate in writing code. Claude Code, Cursor, and GitHub Copilot are not just installed on a developer's machine. They read files, write files, run commands, and make decisions. That makes their internals more valuable to an attacker than the internals of most software.
When you know how Claude Code routes prompts and what tool interfaces it exposes, you can build attacks that are specifically designed to work against it. The tool has not been hacked. But the information advantage that made it harder to attack is gone.
We looked at the broader supply chain risk around AI development tools in Your Developer's AI Copilot Is the New Attack Surface. The Claude Code leak adds a new angle: it is not just outside attackers you need to worry about. The teams building these tools also need to treat their release pipelines as a security boundary.
What Needs to Change
Anthropic moved fast. They confirmed it the same day, were honest about what happened, and said they are putting in controls to stop it happening again. That is the right response. But “we will add preventive measures” after it happens a second time needs a concrete answer: what is the specific gate, and when does it run?
Release Security Baseline for AI Tool Publishers
- Explicit allowlist for published files. Use the files field in package.json to define an allowlist of exactly what should be published. Anything not on the list is excluded by default. This is more robust than .npmignore denylist maintenance.
- Automated artifact scanning in CI. Run a tool like ReleaseGuard on every release candidate. Fail the build if any .map file, hardcoded secret, or unexpected large binary is present.
- Package size and file count diffing. Alert when a new release is significantly larger or contains more files than the previous one. A 59.8 MB source map file is not subtle. Automated diffing would have flagged it immediately.
- Separate build environments from source storage. Source archives on public cloud storage are a configuration error waiting to happen. Build artifacts that reference source should point to internal, authenticated storage only.
- Treat the release pipeline as a security boundary. The same threat modelling applied to API security and data handling should apply to every npm publish. What could this release expose? Who could access what it references?
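The forbidden-file, size-delta and new-file checks described under "What ReleaseGuard Detects in This Incident" and in the baseline above can be sketched as a small blocking gate. This is an added example, not ReleaseGuard's implementation: the input objects follow the shape of one entry of `npm pack --dry-run --json` (files with path and size, plus unpackedSize), and the policy thresholds, function names and sample manifests are assumptions constructed for illustration.

```javascript
// Added example: pre-publish gate comparing the pack manifest of a release
// candidate with the previous release. Sample manifests are constructed.
const DEFAULT_POLICY = {
  forbidden: [/\.map$/, /(^|\/)\.env(\.|$)/, /\.(pem|key)$/],
  maxGrowthRatio: 1.5, // block if unpacked size grows by more than 50%
};

// Returns a list of violations; an empty list means the publish may proceed.
function checkRelease(current, previous, acknowledged = [], policy = DEFAULT_POLICY) {
  const violations = [];
  for (const f of current.files) {
    if (policy.forbidden.some((re) => re.test(f.path))) {
      violations.push(`forbidden file: ${f.path} (${f.size} bytes)`);
    }
  }
  if (previous) {
    const ratio = current.unpackedSize / previous.unpackedSize;
    if (ratio > policy.maxGrowthRatio) {
      violations.push(`size grew ${ratio.toFixed(1)}x over previous release`);
    }
    // Any path absent from the previous release needs an explicit acknowledgement.
    const known = new Set(previous.files.map((f) => f.path));
    for (const f of current.files) {
      if (!known.has(f.path) && !acknowledged.includes(f.path)) {
        violations.push(`new file not acknowledged: ${f.path}`);
      }
    }
  }
  return violations;
}

// Constructed manifests: the candidate adds a large .map file next to the bundle.
const PREVIOUS = { unpackedSize: 1200300, files: [
  { path: "package.json", size: 300 }, { path: "cli.js", size: 1200000 },
] };
const CURRENT = { unpackedSize: 61200300, files: [
  { path: "package.json", size: 300 }, { path: "cli.js", size: 1200000 },
  { path: "cli.js.map", size: 60000000 },
] };

const result = checkRelease(CURRENT, PREVIOUS);
console.log(result.length ? "BLOCK publish:\n" + result.join("\n") : "OK to publish");
```

In CI, the step would exit non-zero whenever the returned list is not empty, so the publish job never runs on a flagged candidate.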
Open Source
ReleaseGuard by Helixar Labs
Artifact scanning, SBOM generation, and release policy enforcement for npm, PyPI, and more. Catches source maps, hardcoded secrets, unexpected files, and anomalous package size changes, before publish. Free, MIT-licensed. Integrates into CI in minutes.
References
- The Register. (2026, March 31). Anthropic accidentally exposes Claude Code source code. theregister.com
- Anhaia, G. (2026, March 31). Claude Code's Entire Source Code Was Just Leaked via npm Source Maps. DEV Community. dev.to
- The Hacker News. (2026, April 1). Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms. thehackernews.com
- VentureBeat. (2026, March 31). Claude Code's source code appears to have leaked: here's what we know. venturebeat.com
- CNBC. (2026, March 31). Anthropic leaks part of Claude Code's internal source code. cnbc.com
- TechRadar. (2026, March 31). Anthropic confirms it leaked 512,000 lines of Claude Code source code. techradar.com
- npm. (2024). Excluding files from your package. npm documentation. docs.npmjs.com
- OWASP. (2023). OWASP Top 10 CI/CD Security Risks. owasp.org
- Helixar Research Team. (2026, March 25). LiteLLM Supply Chain Attack: Malware Found in 97-Million-Download AI Library. helixar.ai
- Helixar Research Team. (2026, March 31). Axios npm Compromised: 100M-Download Library Used to Deploy RAT via Maintainer Account Hijack. helixar.ai
- Helixar Research Team. (2026, March). Your Developer's AI Copilot Is the New Attack Surface. helixar.ai