Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error.
“No sensitive customer data or credentials were involved or exposed,” an Anthropic spokesperson said in a statement shared with CNBC News. “This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”
The discovery came after the AI upstart released version 2.1.88 of the Claude Code npm package, with users spotting that it contained a source map file that could be used to access Claude Code’s source code – comprising nearly 2,000 TypeScript files and more than 512,000 lines of code. The version is no longer available for download from npm.
Security researcher Chaofan Shou was the first to publicly flag it on X, stating “Claude code source code has been leaked via a map file in their npm registry!” The X post has since amassed more than 28.8 million views. The leaked codebase was saved to a public GitHub repository, where it has surpassed 78,000 stars and 77,2000 forks.
A source code leak of this kind is significant, as it gives software developers and Anthropic’s competitors a blueprint for how the popular coding tool works. Users who have dug into the code have published details of its self-healing memory architecture to overcome the model’s fixed context window constraints, as well as other internal components.
These include a tools system to facilitate various capabilities like file read or bash execution, a query engine to handle LLM API calls and orchestration, multi-agent orchestration to spawn “sub-agents” or swarms to carry out complex tasks, and a bidirectional communication layer that connects IDE extensions to Claude Code CLI.
The leak has also shed light on a feature called KAIROS that allows Claude Code to operate as a persistent, background agent that can periodically fix errors or run tasks on its own without waiting for human input, and even send push notifications to users. Complementing this proactive mode is a new “dream” mode that will allow Claude to constantly think in the background to develop ideas and iterate existing ones.
Perhaps the most intriguing detail is the tool’s Undercover Mode for making “stealth” contributions to open-source repositories. “You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover,” reads the system prompt.
Another fascinating finding involves Anthropic’s attempts to covertly fight model distillation attacks. The system has controls in place that inject fake tool definitions into API requests to poison training data if competitors attempt to scrape Claude Code’s outputs.
Typosquat npm Packages Pushed to Registry
With Claude Code’s internals now laid bare, the development risks provide bad actors with ammunition to bypass guardrails and trick the system into performing unintended actions, such as running malicious commands or exfiltrating data.
“Instead of brute-forcing jailbreaks and prompt injections, attackers can now study and fuzz exactly how data flows through Claude Code’s four-stage context management pipeline and craft payloads designed to survive compaction, effectively persisting a backdoor across an arbitrarily long session,” AI security company Straiker said.
The more pressing concern is the fallout from the Axios supply chain attack, as users who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC may have pulled with it a trojanized version of the HTTP client that contains a cross-platform remote access trojan. Users are advised to immediately downgrade to a safe version and rotate all secrets.
What’s more, attackers are already capitalizing on the leak to typosquat internal npm package names in an attempt to target those who may be trying to compile the leaked Claude Code source code and stage dependency confusion attacks. The names of the packages, all published by a user named “pacifier136,” are listed below –
- audio-capture-napi
- color-diff-napi
- image-processor-napi
- modifiers-napi
- url-handler-napi
“Right now they’re empty stubs (`module.exports = {}`), but that’s how these attacks work – squat the name, wait for downloads, then push a malicious update that hits everyone who installed it,” security researcher Clément Dumas said in a post on X.
The incident is the second major blunder for Anthropic within a week. Details about the company’s upcoming AI model, along with other internal data, were left accessible via the company’s content management system (CMS) last week. Anthropic subsequently acknowledged it’s been testing the model with early access customers, stating it’s “most capable we’ve built to date,” per Fortune.
