Anthropic's Claude Code AI coding assistant source code was accidentally exposed through an npm packaging error, revealing internal architecture and raising security concerns about potential exploitation.
Anthropic confirmed that internal code for its popular AI coding assistant, Claude Code, was inadvertently released due to a human error in the npm packaging process. The incident occurred when version 2.1.88 of the Claude Code npm package was published with a source map file that exposed nearly 2,000 TypeScript files and over 512,000 lines of code.
The Leak and Its Discovery
The discovery came after users noticed the source map file in the npm package, which could be used to access Claude Code's source code. Security researcher Chaofan Shou was the first to publicly flag the issue on X, stating "Claude code source code has been leaked via a map file in their npm registry!" The post has since amassed more than 28.8 million views.
An Anthropic spokesperson stated: "No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again." The affected version is no longer available for download from npm.
What the Leaked Code Reveals
The leaked codebase provides unprecedented insight into Claude Code's internal architecture, including:
- Self-healing memory architecture that overcomes the model's fixed context window constraints
- Tools system for file read, bash execution, and other capabilities
- Query engine to handle LLM API calls and orchestration
- Multi-agent orchestration to spawn "sub-agents" or swarms for complex tasks
- Bidirectional communication layer connecting IDE extensions to Claude Code CLI
Perhaps most notably, the leak revealed two advanced features:
- KAIROS: allows Claude Code to operate as a persistent background agent that can periodically fix errors or run tasks without waiting for human input, and even send push notifications to users.
- "Dream" mode: enables Claude to think continuously in the background to develop new ideas and iterate on existing ones.
The "Undercover Mode" Feature
One of the most intriguing discoveries was Claude Code's "Undercover Mode" for making "stealth" contributions to open-source repositories. The system prompt reads: "You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."
Anti-Distillation Measures
The leak also exposed Anthropic's attempts to combat model distillation attacks. The system has controls that inject fake tool definitions into API requests to poison training data if competitors attempt to scrape Claude Code's outputs.
Security Implications
With Claude Code's internals now publicly available, security researchers have identified several potential risks:
- Attackers can study and fuzz exactly how data flows through Claude Code's four-stage context management pipeline
- Malicious actors could craft payloads designed to survive compaction, effectively persisting a backdoor across an arbitrarily long session
- The leak provides a blueprint for bypassing guardrails and tricking the system into performing unintended actions
AI security company Straiker warned: "Instead of brute-forcing jailbreaks and prompt injections, attackers can now study and fuzz exactly how data flows through Claude Code's four-stage context management pipeline and craft payloads designed to survive compaction, effectively persisting a backdoor across an arbitrarily long session."
Supply Chain Attack Concerns
Compounding the issue, the Axios supply chain attack occurred during the same timeframe. Users who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC may have pulled a trojanized version of the HTTP client containing a cross-platform remote access trojan.
Users are advised to immediately downgrade to a safe version and rotate all secrets.
Typosquatting Attacks Emerge
Attackers are already capitalizing on the leak by typosquatting internal npm package names. Security researcher Clément Dumas identified packages published by user "pacifier136":
- audio-capture-napi
- color-diff-napi
- image-processor-napi
- modifiers-napi
- url-handler-napi
"Right now they're empty stubs (module.exports = {}), but that's how these attacks work – squat the name, wait for downloads, then push a malicious update that hits everyone who installed it," Dumas explained.
Recent Anthropic Security Incidents
This incident marks the second major security blunder for Anthropic within a week. Details about the company's upcoming AI model, along with other internal data, were left accessible via the company's content management system (CMS) last week. Anthropic acknowledged it has been testing the model with early access customers, describing it as the "most capable we've built to date," per Fortune.
The Claude Code source code leak represents a significant exposure of proprietary AI technology, providing competitors and malicious actors alike with detailed insights into one of the industry's leading coding assistants. While Anthropic has moved quickly to contain the immediate damage, the long-term implications for AI security and intellectual property protection remain to be seen.