On March 31, 2026, Anthropic confirmed that the complete source code of Claude Code, its AI-powered coding tool, was inadvertently exposed through a source map file accidentally included in the company’s npm package. The leak, discovered by security researcher Chaofan Shou from blockchain security firm Fuzzland, exposed over 512,000 lines of TypeScript code and approximately 1,900 internal files containing the tool’s core architecture.
According to Cybernews, the incident represents one of the most significant accidental source code exposures from a major AI laboratory in recent years. The discovery was first announced via X, where the post quickly accumulated millions of views and sparked immediate community interest.
The exposed source code quickly spread across multiple GitHub repositories, with mirrors accumulating over 30,000 stars within hours of the discovery. Anthropic immediately removed the compromised package from the npm registry and deleted old versions, reported NDTV. However, the source code had already been archived by independent developers, making complete removal impossible. The company has not issued a public statement regarding the incident as of the publication date.
Source Map Vulnerability: How the Claude Code Leak Occurred
The technical root cause of the leak traces back to a standard development practice that went wrong during the build and packaging process. Anthropic uses Bun as its bundler for Claude Code; Bun automatically generates source map files to help developers debug compiled code by mapping it back to the original TypeScript source lines.
The build configuration failed to exclude these debugging files from the final npm package, according to LowCode Agency’s technical analysis. The resulting 57MB source map file contained references to unobfuscated TypeScript sources hosted in Anthropic’s R2 cloud storage bucket, effectively making the entire development snapshot publicly downloadable through the npm registry.
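A pre-publish check for the packaging failure described above, as an added example (not Anthropic's or Bun's code): it inspects the files that would go into a package and reports shipped `.map` files, whether they embed or point to original sources, and `sourceMappingURL` comments in JavaScript output. The function names, the input shape and the sample file set are assumptions constructed for illustration.

```javascript
// Added example: audit the files that would be packed for publication.
// `files` maps package-relative path -> file text (hypothetical input shape).
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/m;

function auditSourceMap(path, text) {
  let map;
  try {
    map = JSON.parse(text) ?? {};
  } catch {
    return { path, kind: "map", problem: "unparseable .map file in package" };
  }
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const root = typeof map.sourceRoot === "string" ? map.sourceRoot : "";
  return {
    path, kind: "map",
    sourceCount: sources.length,
    // Embedded originals: the map alone is enough to rebuild the source tree.
    embeddedSources: contents.filter((c) => typeof c === "string").length,
    // Remote originals: the map says where the unbundled sources are hosted.
    remoteSources: sources.filter((s) => /^https?:\/\//i.test(root + s)).length,
  };
}

function auditPackage(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      findings.push(auditSourceMap(path, text));
    } else if (/\.[cm]?js$/.test(path)) {
      const m = MAP_COMMENT.exec(text);
      if (m) findings.push({ path, kind: "reference", inline: m[1].startsWith("data:") });
    }
  }
  return findings;
}

// Constructed sample package contents (not taken from any real package).
const sampleFiles = {
  "package.json": '{"name":"example-cli","version":"0.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3,
    sources: ["../src/main.ts", "https://storage.example.invalid/src/util.ts"],
    sourcesContent: ['console.log("hi");', null],
    mappings: "AAAA",
  }),
};
const sampleFindings = auditPackage(sampleFiles);
for (const f of sampleFindings) console.log(JSON.stringify(f));
```

In a release pipeline the file set would come from the packer's own listing, for example `npm pack --dry-run --json`, and any finding would fail the publish step.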
The irony of the incident is not lost on the developer community: Claude Code includes a system internally called “Undercover Mode” specifically designed to prevent internal codenames from appearing in git commits, yet the entire source code subsequently shipped in a map file. The exposed codebase reveals detailed implementations of core components, including a 46,000-line query engine handling LLM API calls, streaming, and tool orchestration; a 29,000-line tool definition system for agent capabilities; and approximately 85 slash commands ranging from code review to git operations.
The leak also revealed unreleased features including an internal mode called “Kairos” and a companion system named “Buddy” featuring a digital pet system with rarity tiers and procedurally generated stats, according to DEV Community analysis.
Security researchers emphasize that this represents a packaging mistake, not a targeted cyberattack. The source map file was part of Claude Code version 2.1.88, published to npm on March 31, 2026. Within hours of the discovery, at least three public GitHub mirrors had been created, with the primary repository reaching significant popularity.
Anthropic’s rapid response to pull the package demonstrated awareness of the issue, though the exposure had already occurred. This marks the second time Claude Code has suffered such a leak, following an incident in February 2025 when an early version was exposed through source map files, which Anthropic subsequently removed from the registry.
Security Implications and What Remains Protected
Despite the extensive nature of the source code exposure, Anthropic has confirmed that no sensitive user data or core AI model assets were compromised in the incident. The leak does not involve Claude model weights, training data, API endpoints, or customer information, reported NDTV. Users of the Claude API and Claude.ai services are not at direct risk from this exposure.
The implications for the broader AI development ecosystem remain significant. Security analysts note that the exposed source code makes it substantially easier to reverse-engineer Claude Code’s internal workings, identify potential vulnerabilities, and understand how the tool communicates with Claude’s API. The code also revealed that Claude Code uses axios as a dependency, which was recently involved in a critical supply chain compromise, potentially introducing additional security considerations, reported Cybernews.
Third parties creating independent builds of Claude Code may face legal risks, as the source code remains Anthropic’s intellectual property protected under copyright law. The availability of the source code does not constitute an open-source release, and using, copying, or redistributing the code without authorization would violate the original license terms.

