Full Report
Anthropic says it accidentally leaked the source code for Claude Code, which is closed source, but the company says no customer data or credentials were exposed. [...]
Analysis Summary
# Incident Report: Accidental Claude Code Source Code Leak
## Executive Summary
Anthropic inadvertently released the full source code for its closed-source "Claude Code" tool via an NPM package update. The leak occurred due to the inclusion of a verbose source map file (`cli.js.map`) in version 2.1.88, which allowed for the reconstruction of approximately 500,000 lines of code. Anthropic has stated that no customer data or credentials were compromised and is currently utilizing DMCA takedown requests to mitigate the spread.
## Incident Details
- **Discovery Date:** March 31, 2026
- **Incident Date:** March 31, 2026
- **Affected Organization:** Anthropic
- **Sector:** Artificial Intelligence / Software Development
- **Geography:** Global / San Francisco, CA
## Timeline of Events
### Initial Access
- **Date/Time:** March 31, 2026
- **Vector:** Intentional software release that unintentionally shipped a debug artifact (human error/misconfiguration)
- **Details:** Anthropic pushed Claude Code version 2.1.88 to the NPM registry. This package included a 60 MB debugging file (`cli.js.map`) containing the original source code.
### Lateral Movement
- **N/A:** As this was a leak via a public repository rather than an intrusion, no internal lateral movement occurred. However, the code was "laterally" distributed across GitHub and social media by third parties.
### Data Exfiltration/Impact
- **Data Leaked:** Reconstructed source code tree consisting of ~1,900 files and 500,000 lines of code.
- **Intellectual Property:** Exposure of unreleased features such as "Proactive mode" and "Dream mode."
### Detection & Response
- **Discovery:** First spotted and reported by security researcher Chaofan Shou (@Fried_rice) on social media.
- **Response Actions:** Anthropic confirmed the leak, attributed it to human error, and began issuing DMCA infringement notifications to hosting platforms (e.g., GitHub).
## Attack Methodology
- **Initial Access:** Not an attack; human error during the CI/CD or packaging process.
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** None reported (Anthropic confirmed no credentials were in the leaked files).
- **Discovery:** Researchers used the `sourcesContent` field within the `.map` file to reconstruct the original code structure.
- **Lateral Movement:** N/A
- **Collection:** Automated and manual cloning of the NPM package and subsequent GitHub mirrors.
- **Exfiltration:** Publicly available via standard `npm install` or registry download.
- **Impact:** Loss of trade secrets and intellectual property; disclosure of internal roadmap features.
## Impact Assessment
- **Financial:** Potential loss of competitive advantage; costs associated with legal/DMCA enforcement.
- **Data Breach:** Source code only; no customer PII or credentials involved.
- **Operational:** No reported downtime, though an unrelated usage limit bug occurred simultaneously.
- **Reputational:** Moderate; highlights a lapse in the secure software development lifecycle (SDLC) for a leading AI firm.
## Indicators of Compromise
- **NPM Package Version:** Claude Code NPM package, version `2.1.88` (the package identifier in the source was mangled by email-address obfuscation and is not reproduced here)
- **File Indicators:** `cli.js.map` (60 MB)
- **Social Media/Source:** hxxps[://]x[.]com/Fried_rice/status/2038894956459290963
## Response Actions
- **Containment:** Removal of the faulty version from the NPM registry.
- **Eradication:** Issuance of DMCA takedown notices to remove mirrors of the source code on GitHub and other platforms.
- **Recovery:** Implementation of packaging measures to prevent the inclusion of source maps in future public releases.
## Lessons Learned
- **Sensitive File Scrubbing:** Source maps can contain the full original source code and should be excluded from production builds of closed-source software.
- **Automated Scanning:** CI/CD pipelines should include automated checks to flag large `.map` files or unexpected file counts before publishing to public registries.
- **Researcher Monitoring:** Prompt monitoring of social media and security researchers allowed for rapid acknowledgment of the issue.
## Recommendations
- **Pre-publish Hooks:** Implement pre-publish hooks (npm lifecycle scripts such as `prepublishOnly`) that scan the package contents for sensitive file extensions or high-risk keywords and fail the publish on a hit.
- **Source Map Policy:** Ensure build configurations (e.g., Webpack, Vite, TSConfig) are explicitly set to `hidden-source-map` or `none` for production releases.
- **Secret Scanning:** Run tools like `truffleHog` or `gitleaks` on all production build artifacts to ensure no internal identifiers or code leaked into the final distribution.