BOVO Digital

Claude Code Leak: 512,000 Lines of Source Code Exposed on npm

On March 31, 2026, a forgotten debug file in Anthropic's npm package made the complete source code of Claude Code public — 512,000 lines, 1,906 files, the internal architecture of an AI tool generating $2.5B in annualized revenue. Here's what this leak reveals.

William Aklamavo

March 31, 2026

On March 31, 2026, security researcher Chaofan Shou discovered something unusual in the @anthropic-ai/claude-code npm package.

Not a sophisticated hack. Not a cybercriminal group.

A forgotten .map file in the production release.

What Happened

Version 2.1.88 of the @anthropic-ai/claude-code npm package accidentally contained a 59.8 MB source map file. This type of file — a debugging tool — maps compiled code back to the original source. In production, it has no business being there.

This file pointed to an R2 storage bucket containing the original, unobfuscated TypeScript code. Within hours, the code had been downloaded and mirrored on GitHub.

What the leak exposed:

  • 512,000 lines of TypeScript across 1,906 files
  • QueryEngine.ts (46,000 lines), Tool.ts (29,000 lines), commands.ts (25,000 lines)
  • ~40 agent tools, 85 slash commands
  • A three-layer memory system: MEMORY.md
  • Unreleased features: KAIROS (daemon mode), autoDream (memory consolidation)
  • An easter egg: BUDDY — a digital virtual pet system
  • Internal model names: Capybara, Fennec, Numbat
  • A controversial feature: Undercover Mode

The Irony of Undercover Mode

Among the discoveries, one stands out:

Anthropic had built a system called "Undercover Mode" — specifically designed to prevent their AI from revealing internal information in public repositories.

They thought of everything. Except the .map file forgotten in the npm package.

This is exactly the type of blind spot I regularly see when auditing projects.

Anthropic's Response

Anthropic responded quickly: removing the source map file, pulling old versions from the npm registry. But the code had already been mirrored. This was also their second leak in five days — the first, on March 26, involved a CMS misconfiguration.

Context: Claude Code generates $2.5 billion in annualized recurring revenue. The strategic value of what was exposed was considerable.

What This Says About Security in 2026

Teams secure what they can see. Never what they forget.

Here are the exposure vectors that keep appearing in the projects I audit:

1. Forgotten Build Files

Source maps, .env.example files with real values, CI/CD artifacts. They end up in production because nobody systematically checks the content of published packages.

Solution: an automated validation pipeline before each publish, with a pre-publish step that scans the output bundle for files with .map, .env and .log extensions.
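One way to implement that pre-publish scan, as an added example that is not from the original article or from Anthropic: it checks the file list reported by `npm pack --dry-run --json` instead of the working tree, so it sees what would actually ship. The function names and the sample manifest (package name, paths, sizes) are constructed for illustration.

```javascript
// Added example: gate over the file list that `npm pack --dry-run --json` prints.
// Extensions named in the article; .env files are matched by name (see isBlocked).
const BLOCKED_EXTENSIONS = new Set(['.map', '.log']);

function isBlocked(filePath) {
  const base = filePath.split('/').pop().toLowerCase();
  // ".env", ".env.production", ".env.example" are dotfiles, so match on the name.
  if (base === '.env' || base.startsWith('.env.')) return true;
  const dot = base.lastIndexOf('.');
  return dot > 0 && BLOCKED_EXTENSIONS.has(base.slice(dot));
}

// Returns every blocked entry (path and size) found in the pack manifest.
function findLeakedFiles(packJson) {
  const findings = [];
  for (const pkg of JSON.parse(packJson)) {
    for (const file of pkg.files || []) {
      if (isBlocked(file.path)) findings.push({ path: file.path, size: file.size });
    }
  }
  return findings;
}

// Exit code for the publish step: 0 lets the release continue, 1 stops it.
function publishGate(packJson) {
  const findings = findLeakedFiles(packJson);
  for (const f of findings) console.error(`blocked: ${f.path} (${f.size} bytes)`);
  return findings.length === 0 ? 0 : 1;
}

// Constructed sample of `npm pack --dry-run --json` output (hypothetical package).
const SAMPLE_PACK_JSON = JSON.stringify([{
  name: 'example-cli',
  version: '1.0.0',
  files: [
    { path: 'package.json', size: 812 },
    { path: 'dist/cli.js', size: 1048576 },
    { path: 'dist/cli.js.map', size: 59800000 },
    { path: 'config/.env.production', size: 120 },
    { path: 'logs/build.log', size: 4096 },
    { path: 'docs/roadmap.md', size: 300 },
  ],
}]);

console.log('gate result:', publishGate(SAMPLE_PACK_JSON));
```

In a pipeline, pass it the real output of `npm pack --dry-run --json` and fail the job when `publishGate` returns a non-zero value.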

2. Environment Variables in Repositories

A quick commit, an API key in a comment, credentials in a versioned config file. GitHub has detection tools, but they arrive after publication.

Solution: pre-commit hooks with git-secrets or detect-secrets. Systematic, not optional.

3. No Formal Release Process

Without a formalized release checklist, every deployment is improvised. And improvisation generates oversights.

Solution: automate releases with n8n or GitHub Actions. Every step is documented, every check is traceable.

If Anthropic Can Forget...

Anthropic is a multi-billion dollar company with dedicated security teams and world-class infrastructure. And yet, a debug file nearly compromised everything.

The lesson isn't that this team was incompetent. The lesson is that manual processes always fail, sooner or later.

This isn't a competence problem. It's a systems problem.


What's sleeping in your infrastructure right now?

At BOVO Digital, we build the automations and processes that prevent these mistakes — before they become expensive.
