Claude Code Leak: 512,000 Lines of Source Code Exposed on npm

Claude Code Leak: 512,000 Lines of Source Code Exposed on npm

In security, it's never what you know that betrays you. It's what you forgot.

On March 31, 2026, security researcher Chaofan Shou discovered something unusual in the @anthropic-ai/claude-code npm package. The Claude Code npm Anthropic 2026 leak was not the result of a sophisticated hack, nor the work of an organized cybercriminal group. It was something far more mundane — and for that reason, far more instructive.

A forgotten .map file in the production release had exposed, within hours, 512,000 lines of unobfuscated TypeScript code from one of the most strategically valuable AI tools on the market. What happened that day extends well beyond the Anthropic case alone: it holds up a mirror to the entire software industry regarding the fragility of our publication processes.

---

What a Source Map File Is — and Why It Changes Everything

To understand how this leak was possible, we must first understand what a source map file is. When a developer writes TypeScript, that human-readable code is transformed — compiled, minified, sometimes obfuscated — before being distributed. The final result looks like a long string of compressed characters, nearly unreadable to the naked eye.

A source map file (.map extension) is the tool that reverses this process. It contains the complete mapping between distributed code and original source code: variable names, function names, file structure, comments. It is indispensable during development and debugging — it lets developers see exactly which line of their TypeScript code corresponds to which error in the compiled code.

In production, a source map file has no reason to be present. It doesn't improve performance. It doesn't benefit the end user. It exists solely to serve developers who are debugging. And if it is present in a publicly published package, it is equivalent to delivering the complete architectural blueprints of a building to anyone who downloads the key.

What Anthropic's teams forgot is exactly what the majority of teams forget: development tooling files don't automatically disappear in production. Explicit processes are required to exclude them. And these processes, when they rely solely on human vigilance, fail.

---

Two Leaks in Five Days: The Complete Timeline

The March 31, 2026 incident was not isolated. It was the second exposure in five days for Anthropic. To understand the full scope of what happened, we need to trace the timeline from the beginning.

On March 26, 2026, a first leak occurred. It was of a different nature: a misconfiguration in their content management system (CMS) exposed internal information. This incident, less spectacular in terms of data volume, was nonetheless revealing: Anthropic's oversight processes exhibited systemic, not isolated, weaknesses.

Incident timeline: Anthropic's double npm leak (March 26–31, 2026)

Then came March 31, 2026. Version 2.1.88 of the @anthropic-ai/claude-code package was published to the npm registry. It accidentally contained a 59.8 MB source map file. This file, which should have remained in Anthropic's internal development environment, pointed to an R2 storage bucket containing the original TypeScript code.

Chaofan Shou — a recognized security researcher — spotted the anomaly. Within hours, he publicly documented the discovery. The developer community reacted quickly: the code was downloaded, analyzed, and multiple copies were mirrored on GitHub before Anthropic had time to intervene.

Anthropic responded by removing the source map file and pulling the affected old versions from the npm registry. But by that point, the damage was done. Snapshots existed on third-party servers. The accidental leak had become a fait accompli.

What strikes in this timeline is the speed of propagation. Between the package publication and the public mirroring of the code, only a few hours elapsed. In the era of open source development, a secret exposed publicly — even briefly — ceases to be a secret.

---

Anatomy of 512,000 Lines: What the Code Reveals About Claude Code's Architecture

The volume is impressive in itself. 512,000 lines of TypeScript across 1,906 files represent a significant codebase — comparable to major open source projects. But beyond the volume, it's the revealed structure that interests observers.

According to reports published following the incident, three files concentrate a large portion of the core logic:

• QueryEngine.ts — 46,000 lines. This is the query processing engine, the algorithmic core that orchestrates interactions between the user and the underlying language models.
• Tool.ts — 29,000 lines. This file describes the implementation of agent tools — the mechanics that allow Claude Code to execute concrete actions in a development environment.
• commands.ts — 25,000 lines. It contains the logic for commands, particularly the 85 slash commands that allow the user to interact with the tool.

The leak also reveals the existence of approximately forty distinct agent tools. In modern LLM architecture, tools are the building blocks that allow the model to interact with the real world: reading files, executing code, searching for information, calling external APIs. Forty tools is a substantial ecosystem that partly explains why Claude Code has established itself as a competitive development tool.

What this architecture reveals, based on our reading of available reports, is a deliberately modular design. Files are separated by functional domain, which facilitates maintenance but requires strict coordination during publications. It is precisely this complexity that makes oversights more likely: the larger a project, the more the exposure surface grows.

It must be emphasized what this analysis cannot do: we cannot assert with certainty the exact internal logic of the code, the architectural decisions deliberately made, or the actual performance of the algorithms involved. These elements remain Anthropic's proprietary information. What we know is what observers reported publicly following the leak.

---

KAIROS, autoDream, and BUDDY: Features Nobody Knew About

Among the most commented elements of the leak, three unpublished features particularly captured attention. Their accidental revelation illustrates how large companies develop capabilities internally before any public deployment.

KAIROS is described in reports as a daemon mode — a background execution capability that would allow Claude Code to function autonomously without active user intervention at each step. This type of feature addresses a real need in professional development environments, where automated pipelines must be able to delegate long tasks to an AI agent.

autoDream is a memory consolidation system. It is linked to the three-layer memory system that the leak also revealed — a mechanism called MEMORY.md that allows Claude Code to maintain persistent context between sessions. Automatic consolidation of this memory represents a significant technical ambition: giving the agent a form of continuity between conversations.

BUDDY is of a lighter nature. It's what developers call an easter egg: a digital virtual pet system embedded in the code. Its existence in a production codebase speaks to a company culture that allows for creativity and humor in development — but also to the fact that developers spend significant time on features unrelated to the main product.

The internal names of Anthropic's models — Capybara, Fennec, and Numbat — were also exposed. These code names are typically used internally before models receive their final commercial names. Their revelation provides a glimpse into internal development culture, even if it reveals nothing fundamental about the capabilities of the models themselves.

---

The Irony of Undercover Mode

Among all the discoveries, one stands out for its particular irony, and deserves extended attention.

Anthropic had built, according to available reports, a system called "Undercover Mode" — specifically designed to prevent their AI from revealing internal information in public repositories. This is a deliberate protection feature: the AI itself was programmed not to disclose details about its architecture or internal functioning when interacting in public contexts.

This is a sophisticated security approach. It acknowledges that language models can, under certain circumstances, reveal more information about their implementation than is desirable. Undercover Mode sought to create a behavioral barrier to this risk.

They thought of everything. Except the .map file forgotten in the npm package.

The AI was configured to keep secrets. But the human publication process was not. This is exactly the type of blind spot systematically found in projects: security is thought through in the layers that teams see and control. It is forgotten in the intermediate layers — build tools, publication pipelines, CI/CD configurations — that everyone uses but nobody truly verifies.

This irony is not anecdotal. It points to a fundamental truth about software security: we secure what we perceive as a risk. And debug files lingering in a publication pipeline are never perceived as a risk — until the day they become one.

---

The npm Supply Chain: An Underestimated Exposure Vector

To fully appreciate the implications of this incident, we must understand the ecosystem in which it occurred. npm (Node Package Manager) is the world's largest software package registry. Millions of projects use it daily to distribute and consume JavaScript and TypeScript libraries.

Flowchart of a secure npm publication pipeline with automated validation at each step

npm's popularity is precisely what makes it such a powerful exposure vector. When a package is published to npm, it instantly becomes accessible to millions of developers worldwide. Cache and mirror managers — like those used by companies for their internal infrastructure — automatically download new versions.

In Anthropic's case, this means the 59.8 MB source map file could have been downloaded by hundreds or thousands of automated systems within minutes of publication, well before the anomaly was detected and corrected. This is the very nature of the modern software supply chain: distribution is instant and massive.

npm supply chain security is a topic that extends well beyond the Anthropic case alone. In 2024 and 2025, several major incidents involved malicious or compromised npm packages. The Anthropic incident is of a different nature — it involves no malicious actor, only an internal error — but it illustrates the same fundamental problem: trust in the npm ecosystem rests on rigorous publication processes, and these processes are rarely as rigorous as they should be.

What the Claude Code leak reveals is that even the most technologically sophisticated companies are not immune to basic publication errors. And if Anthropic, with its dedicated security teams and world-class infrastructure, can accidentally publish a 59.8 MB source map file, a ten-person startup can do it even more easily.

---

Open Source vs. Proprietary: What an Accidental Leak Changes

One of the debates this incident fueled in the developer community concerns the fundamental question of transparency in AI. Anthropic is a company whose models are proprietary and whose source code is not public. The accidental leak therefore opened an unprecedented window into an architecture that should normally have remained confidential.

Some observers argued that the leak demonstrates the limits of the proprietary model: if the code ends up being accidentally exposed anyway, why not have made it public from the start and benefit from the advantages of open source? Companies like Meta and Mistral have made different choices with their LLaMA and Mistral models, available under permissive licenses.

Others pointed out that the leak doesn't fundamentally change the competitive dynamics. Claude Code's source code doesn't expose the weights of the underlying models — which remain Anthropic's true intellectual property. The architecture of an agent tool, however detailed, doesn't replicate the capabilities of a language model trained on billions of tokens. Competitors could observe how Anthropic built its tool, but not how its models function at a fundamental level.

What the leak reveals about the open source/proprietary question is primarily the gap between rhetoric and operational reality. Anthropic, like other AI companies, communicates about the security and control of its code. The March 31 incident shows that this control is never absolute — it depends on human processes that can fail. That's a lesson in humility for the entire industry, not just for Anthropic.

To go deeper on these tensions between open and closed AI, our analysis on DeepSeek v4 vs GPT-5.5 and the open versus closed AI war in 2026 explores these dynamics in depth.

---

What the Claude Code Leak Tells Us About npm Project Security in 2026

Teams secure what they can see. Never what they forget.

That is the central lesson of this incident, and it unfolds across several exposure vectors that keep appearing in the projects I audit regularly.

Comparison of perceived risk and technical interest by stakeholder type following the Claude Code leak (illustrative data)

1. Forgotten Build Files

Source maps, .env.example files with real values, CI/CD artifacts. They end up in production because nobody systematically checks the content of published packages. Industry convention is to list excluded files in .npmignore or in the files field of package.json — but these lists are rarely exhaustive and never automatically verified.

Solution: automated validation pipeline before each publish. A pre-publish step that scans for .map, .env, .log extensions in the output bundle. This step must be blocking — meaning it must prevent publication if it detects a problematic file, not merely generate a warning that nobody will read.

2. Environment Variables in Repositories

A quick commit, an API key in a comment, credentials in a versioned config file. GitHub has detection tools, but they arrive after publication. OWASP's most critical vulnerabilities in 2025 rank poor credential management among priority risks.

Solution: pre-commit hooks with git-secrets or detect-secrets. Systematic, not optional. Detection must happen before the commit, not after.

3. No Formal Release Process

Without a formalized release checklist, every deployment is improvised. And improvisation generates oversights. Anthropic's version 2.1.88 was probably published under time pressure or by a developer who was not aware of the build configuration.

Solution: automate releases with tools like n8n or GitHub Actions. Every step is documented, every check is traceable. Automation doesn't replace human vigilance — it complements it by ensuring that critical steps cannot be skipped.

---

Managing an Accidental Publication Incident: What to Do in the First Hours

When an accidental publication is discovered, every minute counts. Anthropic's response was fast, but the delay between publication and correction was enough for the code to be mirrored on third-party platforms.

Incident response process: the 7 steps of effective management of an accidental publication

The first step is confirmation. Before any action, verify that the exposure is real and assess its exact perimeter. Which version is affected? How long has it been available? Which files are exposed?

The second step is immediate removal. npm allows package authors to "deprecate" or remove versions. This action must be executed as a priority, while knowing that it doesn't delete already-downloaded copies.

The third step is propagation assessment. How many downloads did the affected version receive? Has the code been mirrored? This information guides the communication strategy.

The fourth step is communication. A well-managed accidental publication can become a demonstration of operational maturity. Anthropic communicated publicly about the incident, which is the right approach. Silence, by contrast, generates distrust and leaves room for speculation.

The fifth step is the post-mortem. Not to find a culprit, but to identify precisely which process failure allowed the error — and how to fix it definitively.

---

Implications for Trust in AI Tools

Beyond the technical dimension, this incident raises a broader question: how do companies building AI tools maintain their users' trust after this type of incident?

Claude Code is used by development teams in companies that entrust it with proprietary code, API keys, and sensitive business logic. Trust in an AI tool is not limited to the model's performance — it encompasses trust in the operational practices of the company that develops it.

The Anthropic incident does not expose user data. The leak concerns the source code of their own tool, not their customers' data. But it reveals that the internal processes of a company valued at tens of billions of dollars can exhibit basic vulnerabilities in their publication pipeline.

This reality is also visible in how Anthropic positions Claude on sensitive subjects. Our analysis of Anthropic's position facing the Pentagon and military uses of AI shows a company that thinks carefully about the use of its technology — but which, like any human organization, remains vulnerable to operational errors.

---

If Anthropic Can Forget a .map File...

Anthropic is a company valued at tens of billions of dollars, with dedicated security teams, world-class infrastructure, and an engineering culture recognized across the industry. And yet, a debug file nearly compromised everything — and in a certain sense, did.

The lesson isn't that this team was incompetent. The lesson is that manual processes always fail, sooner or later. Deadline pressure, team rotation, the increasing complexity of build pipelines — all these factors create conditions in which human errors become inevitable.

This isn't a competence problem. It's a systems problem.

Teams that go the longest without a major security incident are not those with more vigilant developers. They are those who have built systems that make errors difficult to commit — or that detect and block them automatically before they reach production.

The Claude Code npm Anthropic 2026 leak is a stark reminder that in the software industry, security is not a state you achieve. It is a practice you maintain, through automated processes, regular audits, and a culture that normalizes verification rather than blind trust.

To go further on automating security in your deployment pipelines, see our guide on time bombs in automated deployment security.

---

Perspectives: What Changes After the Leak

Several months after the incident, certain evolutions are worth noting in the industry. The npm community has strengthened its recommendations around package validation before publication. Tools like npm pack --dry-run — which simulates a publication without performing it — have been rediscovered and highlighted as standard practice. Third-party pre-publication package scanning solutions have also gained adoption.

On Anthropic's side, features revealed by the leak have since begun to be deployed or officially mentioned. KAIROS and autoDream have been referenced in official communications, suggesting that the deployment timeline may have been accelerated by the accidental revelation.

The incident also reignited the debate about transparency in AI tool development. Developers who use Claude Code daily had a rare opportunity to see how the tool they use is built. Some were reassured by the quality of the architecture. Others were surprised by the existence of undocumented features.

What this leak ultimately reveals is less a failure of Anthropic than a universal truth about large-scale software development: complexity generates blind spots. Human vigilance is insufficient to cover them all. Automation is the only scalable response — but it too must be designed, tested, and maintained.

---

What's sleeping in your infrastructure right now?

At BOVO Digital, we build the automations and processes that prevent these mistakes — before they become expensive.

📩 Let's talk about your architecture →