Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms

Summary

Anthropic confirmed that internal source code for Claude Code was inadvertently released in npm package v2.1.88 due to human error, exposing ~2,000 TypeScript files and 512,000+ lines of code. The leak, which included architectural details and hidden features like KAIROS persistent agent mode and Undercover Mode for stealth contributions, has been forked 82,000+ times on GitHub. Attackers are now typosquatting internal npm package names and exploiting the exposure; users who updated Claude Code on March 31, 2026 may have also pulled a trojanized HTTP client via the Axios supply chain attack.

Full text

Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms Ravie LakshmananApr 01, 2026Data Breach / Artificial Intelligence Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error. "No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said in a statement shared with CNBC News. "This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again." The discovery came after the AI upstart released version 2.1.88 of the Claude Code npm package, with users spotting that it contained a source map file that could be used to access Claude Code's source code – comprising nearly 2,000 TypeScript files and more than 512,000 lines of code. The version is no longer available for download from npm. Security researcher Chaofan Shou was the first to publicly flag it on X, stating "Claude code source code has been leaked via a map file in their npm registry!" The X post has since amassed more than 28.8 million views. The leaked codebase remains accessible via a public GitHub repository, where it has surpassed 84,000 stars and 82,000 forks. A source code leak of this kind is significant, as it gives software developers and Anthropic's competitors a blueprint for how the popular coding tool works. Users who have dug into the code have published details of its self-healing memory architecture to overcome the model's fixed context window constraints, as well as other internal components. These include a tools system to facilitate various capabilities like file read or bash execution, a query engine to handle LLM API calls and orchestration, multi-agent orchestration to spawn "sub-agents" or swarms to carry out complex tasks, and a bidirectional communication layer that connects IDE extensions to Claude Code CLI. The leak has also shed light on a feature called KAIROS that allows Claude Code to operate as a persistent, background agent that can periodically fix errors or run tasks on its own without waiting for human input, and even send push notifications to users. Complementing this proactive mode is a new "dream" mode that will allow Claude to constantly think in the background to develop ideas and iterate existing ones. Perhaps the most intriguing detail is the tool's Undercover Mode for making "stealth" contributions to open-source repositories. "You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover," reads the system prompt. Another fascinating finding involves Anthropic's attempts to covertly fight model distillation attacks. The system has controls in place that inject fake tool definitions into API requests to poison training data if competitors attempt to scrape Claude Code's outputs. Typosquat npm Packages Pushed to Registry With Claude Code's internals now laid bare, the development risks provide bad actors with ammunition to bypass guardrails and trick the system into performing unintended actions, such as running malicious commands or exfiltrating data. "Instead of brute-forcing jailbreaks and prompt injections, attackers can now study and fuzz exactly how data flows through Claude Code's four-stage context management pipeline and craft payloads designed to survive compaction, effectively persisting a backdoor across an arbitrarily long session," AI security company Straiker said. The more pressing concern is the fallout from the Axios supply chain attack, as users who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC may have pulled with it a trojanized version of the HTTP client that contains a cross-platform remote access trojan. Users are advised to immediately downgrade to a safe version and rotate all secrets. What's more, attackers are already capitalizing on the leak to typosquat internal npm package names in an attempt to target those who may be trying to compile the leaked Claude Code source code and stage dependency confusion attacks. The names of the packages, all published by a user named "pacifier136," are listed below - audio-capture-napi color-diff-napi image-processor-napi modifiers-napi url-handler-napi "Right now they're empty stubs (`module.exports = {}`), but that's how these attacks work – squat the name, wait for downloads, then push a malicious update that hits everyone who installed it," security researcher Clément Dumas said in a post on X. The incident is the second major blunder for Anthropic within a week. Details about the company's upcoming AI model, along with other internal data, were left accessible via the company's content management system (CMS) last week. Anthropic subsequently acknowledged it's been testing the model with early access customers, stating it's "most capable we've built to date," per Fortune. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  artificial intelligence, cybersecurity, data breach, npm Registry, Open Source, software development, source code, supply chain attack Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• malware — Trojanized HTTP client (Axios supply chain attack)