Anthropic Accidentally Leaked Its Entire Claude Code Source Code — All 512,000 Lines of It
For a company worth billions, one preparing for a $380 billion IPO and telling Congress about existential AI risk, it took exactly one missing configuration line to accidentally publish the complete source code of its flagship AI coding assistant to the entire internet.
On March 31, 2026, Anthropic shipped 512,000 lines of TypeScript — the entire Claude Code codebase — to the public npm registry. Not to a private repository. Not to a trusted partner. To everyone who ran npm install. Including you.
“The leak was caused by human error, not a security breach.”
— Anthropic, making a distinction that doesn’t actually help
The One Line That Cost a Billion
Here is the most embarrassing part of this entire story: the root cause was a missing line in a config file. A .npmignore file — the same kind any junior developer learns about in their first week on the job.
When you publish a Node.js package to npm, your build tool optionally generates .map files (source maps). Their purpose is debugging: they translate your minified production code back to readable TypeScript. Source maps are strictly for internal debugging. They should never ship publicly.
Anthropic’s .npmignore apparently had no entry to exclude .map files:
# What it should have had:
*.map
dist/*.map
# What it actually had:
# (nothing)
That’s it. That’s the entire disaster.
But it gets better. The source map didn’t just contain the source code directly — it referenced a .zip file hosted on Anthropic’s own Cloudflare R2 storage bucket. Publicly accessible. No authentication. Anyone with the map (which anyone installing the package now had) could download the complete codebase.
So the chain was:
- npm install @anthropic-ai/claude-code
- Package downloads a 59.8 MB source map file
- Map points to a public URL with src.zip
- src.zip contains 1,906 TypeScript files, 44 hidden feature flags, internal architecture docs, and — because this is apparently what passes for quality control at a company advising governments on regulation — a Tamagotchi pet
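A pre-publish check for the two links in that chain, as an added example that is not from the original article or from Anthropic's tooling: it flags any .map file in the list that `npm pack --dry-run --json` reports, and reports what a given source map would disclose. The sample package name, paths and URL are constructed placeholders; where in the real map the URL appeared is not stated here, so the check scans all of the map's metadata.

```javascript
// Added example: gate a publish on the file list reported by
// `npm pack --dry-run --json`, then inspect what a shipped .map would disclose.
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

// packReport: parsed JSON from `npm pack --dry-run --json`
// (an array of packages, each with a `files` array of { path, size }).
function findShippedMaps(packReport) {
  return packReport
    .flatMap((pkg) => pkg.files || [])
    .filter((f) => /\.map$/i.test(f.path))
    .map((f) => ({ path: f.path, size: f.size }));
}

// map: parsed contents of one .map file. Returns a list of disclosure findings.
function auditSourceMap(map) {
  const findings = [];
  const embedded = (map.sourcesContent || []).filter((s) => typeof s === "string");
  if (embedded.length > 0) {
    findings.push(`embeds ${embedded.length} original source file(s) in sourcesContent`);
  }
  // Any URL left in the map's metadata is a pointer every installer can follow.
  const meta = JSON.stringify({ ...map, sourcesContent: undefined, mappings: undefined });
  for (const url of new Set(meta.match(URL_RE) || [])) {
    findings.push(`references remote location ${url}`);
  }
  return findings;
}

// Constructed sample data: package name, paths and URL are placeholders.
const samplePackReport = [{
  name: "example-cli",
  files: [
    { path: "package.json", size: 512 },
    { path: "dist/cli.js", size: 90211 },
    { path: "dist/cli.js.map", size: 59800000 },
  ],
}];
const sampleMap = {
  version: 3,
  file: "cli.js",
  sourceRoot: "https://bucket.example.invalid/src.zip",
  sources: ["../src/main.ts"],
  sourcesContent: ["export const answer = 42;\n"],
  mappings: "AAAA",
};

const shippedMaps = findShippedMaps(samplePackReport);
const mapFindings = auditSourceMap(sampleMap);
console.log({ shippedMaps, mapFindings, publishAllowed: shippedMaps.length === 0 });
```

In CI, feed `findShippedMaps` the real pack report and fail the publish job when it returns anything.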
By the Numbers (Because They’re Painful)
| Metric | Value |
|---|---|
| Lines of code exposed | 512,000+ |
| TypeScript files | 1,906 |
| Source map file size | 59.8 MB |
| GitHub forks (peak hours) | 41,500+ |
| Stars on fastest repo | 50,000 in 2 hours |
| Hidden feature flags | 44 |
| Claude Code ARR | $2.5 billion |
| Anthropic total valuation | $380 billion (pre-IPO) |
| Views on the original tweet | 16 million+ |
The Timeline of an Embarrassment
00:21 UTC — Malicious versions of the axios HTTP library appear on npm with an embedded RAT. Unrelated to Anthropic, but catastrophically bad timing.
~04:00 UTC — Claude Code v2.1.88 is pushed to npm. The source map ships with it. The R2 bucket is live and publicly accessible.
04:23 UTC — Chaofan Shou (@Fried_rice), an intern at Solayer Labs, tweets the discovery with a direct download link. Sixteen million people descend on the thread.
Next 2 hours — The fastest GitHub repository in history to hit 50,000 stars. 41,500+ forks. DMCA takedown requests begin.
~08:00 UTC — Anthropic pulls the npm package. Issues statements to VentureBeat, The Register, CNBC, Fortune, Axios, and others: “human error, not a security breach.”
Same day — A Python clean-room rewrite appears, legally DMCA-proof. An Anthropic researcher notes: “A Python version is immune to the npm DMCA — it isn’t derived from our code.” A decentralized mirror on Gitlawb goes live with the message “Will never be taken down.” The code is now permanently in the wild.
The Bun Backfire
Here’s the part that makes the irony complete: Anthropic acquired the Bun JavaScript runtime at the end of 2025. Claude Code is built on top of it. A known Bun bug (filed March 11, 2026 — 20 days before this happened) reports that Bun serves source maps in production builds even when the documentation says it shouldn’t.
Anthropic’s own acquired toolchain helped expose Anthropic’s own product. The dog didn’t just eat the homework — it published it to npm.
What Was in the Leaked Code
Beyond just the raw codebase, researchers and developers who downloaded it found:
- 44 hidden feature flags — capabilities Anthropic was building but hadn’t announced
- Complete internal architecture for the most hyped AI coding agent of 2026
- Agent orchestration patterns, plugin systems, and tool hooks
- Internal API routing and command handling logic
- A Tamagotchi pet implementation — yes. Really.
For context, the company whose code this is has spent the last year telling policymakers that AI safety and security should be regulated — and that Anthropic’s own security-conscious culture makes them the responsible stewards of the most powerful AI technology in history.
The Internet Reaction Was Merciless
The internet is having the time of its life:
“This is the same company that told Congress AI is an existential threat… the same company that spent $8 billion building ‘the most safety-focused lab on earth’… and they got exposed by a config file that any mid-level engineer would’ve caught in a code review.”
“The big deal is that Anthropic is a company that prides itself in the level of security and controls they have in place… and then they ship a map file in their npm.”
One user compared it to installing a million-dollar security system with cameras, guards, and biometric locks — then accidentally leaving a detailed blueprint of your house layout on a publicly accessible website.
The Bonus Horror Story: The Axios RAT
As if the main event wasn’t enough, researchers noticed something else. On the same day — March 31 — between 00:21 and 03:29 UTC, malicious versions of the axios library (versions 1.14.1 and 0.30.4) were published to npm containing a Remote Access Trojan.
If you ran npm install or updated any project during that window — including Claude Code itself — you might have installed it.
# If you installed anything that morning, check now
# (a hit on a version number alone may belong to a package other than axios):
grep -n "1\.14\.1\|0\.30\.4\|plain-crypto-js" package-lock.json
grep -n "1\.14\.1\|0\.30\.4\|plain-crypto-js" yarn.lock
It’s unrelated to the Anthropic leak — just spectacularly bad timing. The universe apparently decided March 31 was the day to remind developers that npm’s supply chain security is held together by hope and a community of unpaid volunteers.
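The grep check above matches on version strings alone, so it also hits unrelated packages that happen to be at 1.14.1 or 0.30.4. The following added example (not from the original article) walks a parsed package-lock.json instead and reports only axios at those versions, or any entry named plain-crypto-js, including nested copies. The sample lockfile is constructed; `some-lib`, `sdk`, `demo-app` and the plain-crypto-js version are placeholders.

```javascript
// Added example: structured check of a parsed package-lock.json for the axios
// versions and the plain-crypto-js name listed in the grep commands above.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const BAD_NAMES = new Set(["plain-crypto-js"]);

// Yield { name, version, where } for every package in a v1, v2 or v3 lockfile.
function* lockEntries(lock) {
  // v2/v3: flat map keyed by install path ("node_modules/a/node_modules/axios").
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = meta.name || path.split("node_modules/").pop();
    yield { name, version: meta.version, where: path };
  }
  // v1: nested `dependencies` tree, used only when `packages` is absent.
  if (!lock.packages) yield* walkV1(lock.dependencies, "root");
}

function* walkV1(deps, trail) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const where = `${trail} > ${name}`;
    yield { name, version: meta.version, where };
    yield* walkV1(meta.dependencies, where);
  }
}

function findCompromised(lock) {
  const hits = [];
  for (const e of lockEntries(lock)) {
    if (BAD_NAMES.has(e.name) || (e.name === "axios" && BAD_AXIOS.has(e.version))) {
      hits.push(`${e.name}@${e.version} (${e.where})`);
    }
  }
  return hits;
}

// Constructed lockfile fragment; package names other than axios and
// plain-crypto-js are hypothetical, and the plain-crypto-js version is a placeholder.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-lib": { version: "1.14.1" }, // same number, not axios
    "node_modules/sdk/node_modules/axios": { version: "1.7.9" },
    "node_modules/plain-crypto-js": { version: "0.0.0" },
  },
};
console.log(findCompromised(sampleLock));
```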
What This Means for the AI Industry
This isn’t just a funny story about a tech company having a bad day. There are real implications:
- Claude Code generates $2.5 billion in ARR. Competitors now have the complete source code. Every rival coding agent on earth just got a free architecture review of their biggest competitor.
- Anthropic’s $380 billion IPO was reportedly in the pipeline. Source code leaks don’t exactly scream “investor confidence.”
- The code is permanently in the wild now. Even if Anthropic gets every repo on GitHub taken down (they won’t — the Python clone kills the DMCA), the source exists in too many places to ever recall.
- The trust problem: Anthropic sells itself on safety and security. When your flagship product — an AI coding assistant — leaks its own code because of a missing .npmignore line, it’s tough to keep a straight face while telling Congress to trust you with existential technology.
Lessons for the Rest of Us
- .npmignore matters. If you publish packages, check your exclusion lists. Every single time.
- Public cloud buckets should not be public. Anthropic’s R2 bucket was publicly readable. One IAM policy change and the chain breaks.
- Your build toolchain will betray you. The Bun bug was known for 20 days. Nobody connected the dots. Known issues in your own acquired tools are just as dangerous as zero-days.
- The gap between AI safety messaging and basic operational security is getting wider, not narrower. If the company spending $8 billion on “the most safety-focused lab on earth” can’t get a config file right, what hope does the startup using claude-code --auto in production have?
Sources:
- DEV Community — “The Great Claude Code Leak of 2026” — https://dev.to/varshithvhegde/the-great-claude-code-leak-of-2026-accident-incompetence-or-the-best-pr-stunt-in-ai-history-3igm
- Gabriel Anhaia’s Deep Dive — https://dev.to/gabrielanhaia/claude-codes-entire-source-code-was-just-leaked-via-npm-source-maps-heres-whats-inside-cjo
- NDTV — “Internet Erupts After Anthropic’s Claude Source Code Leak” — https://www.ndtv.com/feature/2026-just-got-crazy-internet-erupts-after-anthropics-claude-source-code-leak-shakes-ai-industry-11294628
- VentureBeat — Anthropic statement — “human error, not a security breach”
- Bun Issue #28001 — https://github.com/oven-sh/bun/issues/28001
- X (Twitter) reactions — @v_shakthi, @Fried_rice, @TukiFromKL, @amank1412