Full Report
Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error. "No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said in a statement shared with CNBC News. "This was a release packaging issue caused by human error, not a security
Analysis Summary
# Incident Report: Claude Code Source Code Leak via npm Packaging Error
## Executive Summary
Anthropic confirmed the inadvertent leak of internal source code for "Claude Code," its AI-powered coding assistant, due to a human error in the npm release process. The inclusion of a source map file in version 2.1.88 allowed the public to reconstruct nearly 2,000 TypeScript files and over 512,000 lines of code. While no customer data or credentials were compromised, the leak exposed proprietary architecture, internal system prompts, and anti-distillation defense mechanisms.
## Incident Details
- **Discovery Date:** Approximately March 31, 2026
- **Incident Date:** March 31, 2026 (Confirmed by Anthropic)
- **Affected Organization:** Anthropic
- **Sector:** Artificial Intelligence / Technology
- **Geography:** United States / Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 31, 2026 (Tuesday)
- **Vector:** Human Error / Misconfiguration (Insecure Release Packaging)
- **Details:** Anthropic released version 2.1.88 of the `@anthropic-ai/claude-code` package to the npm registry. The package mistakenly included a source map file.
### Lateral Movement
- **N/A:** This was a configuration error leading to public exposure, not an active network intrusion.
### Data Exfiltration/Impact
- **Details:** The source map allowed users to reconstruct and read the full original source code of Claude Code.
- **Scope:** Nearly 2,000 TypeScript files and over 512,000 lines of code. The code was quickly mirrored to GitHub, gaining over 78,000 stars.
### Detection & Response
- **How discovered:** Security researcher Chaofan Shou flagged the leak on the social platform X (formerly Twitter).
- **Response actions taken:** Anthropic removed the affected version (2.1.88) from the npm registry and issued a public statement via CNBC.
## Attack Methodology
- **Initial Access:** Inadvertent public disclosure via npm registry.
- **Persistence:** N/A (Code mirrored by third parties on GitHub and social media).
- **Privilege Escalation:** N/A.
- **Defense Evasion:** N/A.
- **Credential Access:** None (Anthropic confirmed no credentials were in the leaked files).
- **Discovery:** Researchers used the source map in the npm package to reconstruct the original source files.
- **Lateral Movement:** N/A.
- **Collection:** Automated mirroring of the npm package and subsequent extraction.
- **Exfiltration:** Public download of a legitimate (but misconfigured) package.
- **Impact:** Intellectual Property (IP) theft; exposure of internal architecture (memory management, "KAIROS" autonomous mode, and "Undercover Mode" for open-source contributions).
## Impact Assessment
- **Financial:** Potential loss of competitive advantage; R&D costs associated with leaked proprietary logic.
- **Data Breach:** Source code only; no sensitive customer data or credentials exposed.
- **Operational:** Low disruption to services, but high effort required for remediation of architecture.
- **Reputational:** Moderate; emphasizes risks in the rapid deployment of AI tools and supply chain management.
## Indicators of Compromise
- **File indicators:** `@anthropic-ai/claude-code@2.1.88` (npm package)
- **Behavioral indicators:** Presence of `.map` files in production build artifacts where they should be excluded.
## Response Actions
- **Containment measures:** Unpublishing the vulnerable package version from npm.
- **Eradication steps:** Verification that no credentials or secrets were embedded in the leaked code.
- **Recovery actions:** Implementing new release packaging measures and checks to prevent human error in future deployments.
## Lessons Learned
- **Packaging Integrity:** Source maps are highly valuable for debugging but must be strictly excluded from production artifacts published to public registries.
- **Mirroring Speed:** Once code is leaked to a public registry (npm, PyPI), it is mirrored almost instantly, making "unpublishing" an ineffective containment strategy for IP protection.
- **Prompt Security:** Internal system prompts (like the "Undercover Mode") provide insight into corporate strategies and can be used to bypass guardrails.
## Recommendations
- **CI/CD Guardrails:** Implement automated secrets scanning and artifact inspection (e.g., checking for `.map` or `.ts` files) before any `npm publish` command.
- **Pre-release Checklists:** Mandate peer review for release packaging configurations, not just the code itself.
- **Supply Chain Monitoring:** Monitor for typosquatting packages that may emerge following an IP leak to trick users into downloading malicious forks.
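
One way to implement the artifact inspection recommended under CI/CD Guardrails, as an added example (not Anthropic's tooling and not part of the original report). It audits the files that would ship in an npm tarball and flags source maps, references to them, and raw TypeScript sources while allowing `.d.ts` declaration files; the function name `auditPackage`, the rule labels and the sample package contents are constructed for illustration.

```javascript
// Pre-publish audit of the files that would ship in an npm tarball.
// Entries are {path, content} pairs; in CI they would be read from the
// tarball produced by `npm pack` (that wiring is assumed and omitted here).

const INLINE_MAP = /\/\/[#@]\s*sourceMappingURL=data:application\/json[^\n]*/;
const LINKED_MAP = /\/\/[#@]\s*sourceMappingURL=(?!data:)(\S+)/;

function auditPackage(entries) {
  const findings = [];
  for (const { path, content } of entries) {
    if (path.endsWith(".map")) {
      let embedded = 0;
      try {
        const map = JSON.parse(content);
        // Source map v3: sourcesContent holds the original files verbatim.
        embedded = (map.sourcesContent || []).filter((s) => typeof s === "string").length;
      } catch {
        // An unparseable .map still should not ship; report it with 0 embedded.
      }
      findings.push({ path, rule: "source-map-file", embeddedSources: embedded });
    } else if (/\.(ts|tsx)$/.test(path) && !/\.d\.ts$/.test(path)) {
      // .d.ts declaration files are expected in published packages.
      findings.push({ path, rule: "typescript-source" });
    } else if (/\.(js|mjs|cjs)$/.test(path)) {
      if (INLINE_MAP.test(content)) {
        findings.push({ path, rule: "inline-source-map" });
      } else if (LINKED_MAP.test(content)) {
        findings.push({ path, rule: "source-map-reference" });
      }
    }
  }
  return findings;
}

// Constructed sample package contents (not taken from any real release).
const samplePackage = [
  { path: "package.json", content: '{"name":"example-cli","version":"1.0.0"}' },
  { path: "cli.js", content: "console.log(1);\n//# sourceMappingURL=cli.js.map\n" },
  { path: "cli.js.map", content: JSON.stringify({
      version: 3, sources: ["../src/main.ts", "../src/util.ts"],
      sourcesContent: ["export const a = 1;", "export const b = 2;"], mappings: "" }) },
  { path: "types/index.d.ts", content: "export declare const a: number;" },
  { path: "src/main.ts", content: "export const a = 1;" },
];

const sampleFindings = auditPackage(samplePackage);
for (const f of sampleFindings) console.log(`${f.rule}: ${f.path}`);
// A CI job would fail the publish step whenever the findings list is non-empty.
```

The `embeddedSources` count matters for triage: a `.map` file whose `sourcesContent` is populated carries the original files themselves, not just position mappings.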