Claude Code source leak via npm: what really happened and why it matters

Home » Python » Claude Code source leak via npm: what really happened and why it matters

The accidental exposure of Claude Code’s internal source via npm has turned a routine release into one of the most talked‑about AI security incidents in recent years. What started as a packaging misstep around a JavaScript source map ended up putting hundreds of thousands of lines of Anthropic’s TypeScript into the hands of researchers, competitors and opportunistic attackers around the world.

Instead of a classic breach involving perimeter defenses or stolen credentials, this case shows how plain human error in software publishing can spill highly sensitive intellectual property. The leak doesn’t include model weights or customer data, but it does expose the inner workings of one of the most advanced agentic coding assistants on the market, from its memory systems and safety filters to experimental features that were never meant to be public yet.

Timeline: from npm release to global replication

The incident centers on the npm package @anthropic-ai/claude-code, specifically version 2.1.88. During an otherwise standard release, Anthropic published a JavaScript source map file of around 60 MB (commonly referenced as cli.js.map) along with the minified CLI bundle. Instead of being stripped from the production artifact, that map retained a sourcesContent field that effectively embedded the original TypeScript code.

Because of that oversight, anyone who grabbed the package could reconstruct roughly 1,900 files and more than 500,000 lines of TypeScript, exposing the CLI’s command routing, tool orchestration, telemetry logic, safety checks and internal prompts. The map also pointed back to a publicly reachable zip archive in Anthropic’s own Cloudflare R2 storage bucket, which meant no intrusion was required: the file was simply there, open to the internet.

The problem was first highlighted by security researcher Chaofan Shou (@Fried_rice), a fellow at blockchain security firm Fuzzland, who posted a direct link to the exposed bucket on X. Within hours, mirror repositories appeared on GitHub, some rapidly attracting tens of thousands of stars as developers rushed to clone and inspect the code before it disappeared.

Anthropic reacted by pulling the affected npm version and launching a wave of DMCA takedown requests targeting GitHub and other hosting platforms. Nevertheless, by the time the removal campaign kicked in, countless copies were already archived, forked and redistributed, making it effectively impossible to fully retract the material.

How a packaging glitch blew open a flagship AI agent

On paper, publishing a new Claude Code version to npm should be a routine task: push a minified JavaScript bundle, include only what’s strictly necessary and rely on configuration files (like .npmignore or the files field in package.json) to keep debug artifacts out of the final package.

In this case, several small choices stacked up in exactly the wrong way. The build pipeline used the Bun bundler, which generates source maps by default. No subsequent step in the compilation or packaging flow removed that map, and a misconfigured ignore list meant the map was shipped straight to the public registry. From there, npm’s open, globally mirrored nature did the rest.

Anthropic has stressed that no sensitive customer data, credentials or model weights were part of the leak. Instead, this was a pure packaging problem: debug metadata meant for internal troubleshooting was accidentally bundled into a production release. That framing is accurate from a narrow security perspective, but it understates just how much strategic information lives inside a modern AI agent’s codebase.

Complicating matters further, this was not the first time something like this had happened. A very similar source-map leak reportedly affected an earlier Claude Code build in February 2025. Two nearly identical incidents within about 13 months inevitably raise questions about how rigorously Anthropic enforces guardrails in its release pipelines.

What the leaked Claude Code actually reveals

Once researchers and developers began combing through the recovered files, it became clear that this was not a superficial peek at some helper scripts, but a full architectural cross-section of Claude Code’s CLI. The TypeScript tree spans roughly half a million lines and covers:

• Tool execution and orchestration: how Claude Code plans, sequences and invokes tools, shells and external services.
• Permission schemas and sandboxing rules: the exact logic that decides which commands can run, with which parameters and in which environments.
• Memory systems and context management: strategies for handling long-running sessions without losing coherence.
• Telemetry and analytics: what gets measured, aggregated and sent back to Anthropic.
• System prompts and feature flags: the hidden instructions that shape the agent’s behavior and toggle experimental capabilities.

Community analyses highlighted a three-layer memory design centered on a file often described as MEMORY.md. Rather than logging raw interaction history indefinitely, Claude Code maintains an indexed, topic-based reference structure. The agent consults that index when it needs to recall prior work, pulling in only the fragments that are relevant to the current task, and following strict write rules to reduce context drift and self-corruption.

This “memory with healthy skepticism” approach helps mitigate the entropy of long-running conversations, where naive context accumulation would otherwise cause the agent to become inconsistent or hallucinate. For other teams building agentic tools, the leak is effectively a free masterclass in production-grade memory orchestration.

The source also exposes assorted internal telemetry hooks. Among them is logic that flags frustration signals — for example, scanning for profanity in prompts — without retaining full user conversations or codebases. Another noteworthy piece is an “undercover” or stealth mode designed to strip internal project codenames and other sensitive identifiers from git commits and pull requests, so AI-written contributions don’t accidentally leak proprietary details.

Beyond systems already visible in the product, the code base references unreleased or hidden functionality controlled by feature flags: modes for background operation, coordination between multiple agents, and even playful UI touches like terminal companions.

Unreleased modules: KAIROS, BUDDY and multi-agent swarms

Some of the most attention-grabbing discoveries revolve around capabilities Anthropic had not publicly announced yet, which now sit exposed in granular engineering detail. One of the standout modules is KAIROS, described in comments and configuration as a continuously running background daemon that watches file changes, logs events and performs so-called dream or “oniric” consolidation passes when the user is idle.

In practice, KAIROS appears to give Claude Code something close to “always-on” autonomy: rather than waiting passively for prompts, the agent can wake up periodically, re-index its understanding of a codebase, clean up its memory structures and prepare better plans for upcoming work sessions. For teams experimenting with fully autonomous agents, this essentially reveals Anthropic’s blueprint for long-lived, background workers.

Another feature that quickly captured the internet’s imagination is BUDDY, portrayed in the code as a kind of terminal-side mascot. The implementation includes 18 different “species” — one of them a capybara — as well as playful stats such as DEBUGGING, PATIENCE and CHAOS. While whimsical on the surface, BUDDY points to Anthropic experimenting with more expressive, emotionally aware developer experiences.

On the more serious end of the spectrum lies an architecture for multi-agent collaboration. Internally described through constructs like a COORDINATOR mode and ULTRAPLAN sessions, this system lets a primary agent spawn and oversee fleets of worker agents in parallel. Documentation fragments reference remote planning meetings between agents lasting 10 to 30 minutes, suggesting a model where Claude Code can break down a big task, delegate subtasks to helpers and then merge the results.

There are also hints of modules and model variants still in development, including references to internal names such as Capybara, framed as evolutions of the Claude 4.x family. Metrics embedded in the code mention false-positive rates hovering around 29‑30% for some safety or detection systems, compared with around 16.7% in earlier rounds — candid numbers that would normally stay inside engineering dashboards.

Taken together, these finds turn the leaked tree into a roadmap-grade snapshot of Anthropic’s agent strategy: where the company sees the boundaries of useful autonomy, how it wants agents to collaborate, and what tradeoffs it is currently wrestling with.

Jailbreaks, clones and supply-chain fallout

Even if no passwords or tokens were exposed, security specialists are far from relaxed. With the full CLI logic in hand, it becomes much easier to reverse-engineer Claude Code’s guardrails and explore paths around them. What used to be a black box is now a step-by-step recipe for how the tool parses commands, applies filters and decides whether something is safe to run in a user’s terminal.

That transparency can be a double-edged sword. On one side, defensive researchers can now audit the safety model in unprecedented depth and suggest hardening strategies. On the other, attackers can carefully craft prompts and context manipulations to slip malicious instructions past Bash validators, exploit subtle differences between permission layers or coax the agent into actions it was never meant to perform.

A closely related worry is the surge in malicious or counterfeit clones. With a production-ready codebase available, it is trivial for a motivated actor to strip branding and telemetry, inject backdoors or data exfiltration logic and publish a near-identical package under a slightly altered name. For developers who install tools from npm on autopilot, the risk of pulling in a tainted “Claude-like” agent is now markedly higher.

The timing of the leak amplified these concerns. Around the same window, npm faced an independent supply-chain attack on the popular axios package, with malicious versions live between roughly 00:21 and 03:29 UTC. That parallel incident underscored just how fragile the JavaScript ecosystem can be when it comes to trust in dependencies.

Security guidance for teams that installed or updated Claude Code via npm during that period has been blunt: audit your dependency tree, especially for packages like axios and plain-crypto-js; rotate credentials that might have been present on affected systems; and keep a close eye on anomalous behavior. Anthropic, for its part, has explicitly suggested preferring its native installer over npm going forward to shrink the attack surface.

Anthropic’s official response and DMCA push

When news of the leak broke, Anthropic moved quickly to shape the narrative. In comments shared with outlets such as TecMundo and VentureBeat, the company emphasized that this was a release-packaging issue caused by human error, not a breach of internal infrastructure or an external hack.

The core message remained consistent: no customer secrets, no credentials, no model weights had leaked; only internal application logic was exposed. The statement also stressed that Anthropic was already rolling out safeguards to prevent similar mishaps in future builds, though detailed postmortems have not been made public.

On the legal front, the company embarked on an energetic DMCA takedown campaign. GitHub and other hosts began receiving requests to remove repositories mirroring the Claude Code source, with some of the most prominent mirrors disappearing after accumulating significant attention and discussion.

Despite these moves, the practical reality is that once a codebase of this size escapes into the wild, fully reining it back in is almost impossible. Archived copies circulate privately, encrypted bundles sit on generic file-sharing sites and subsets of the code have already been ported or reimplemented in other languages like Python and Rust by enthusiasts seeking to sidestep copyright constraints.

The incident also came just days after a different configuration mishap reportedly exposed around 3,000 internal files tied to an unreleased model known as “Claude Mythos” through a misconfigured CMS. Two unrelated publication lapses in less than a week have naturally led observers to question Anthropic’s operational hygiene around content and code releases.

Broader impact on the AI ecosystem and competitors

From a business standpoint, the leak hits a product that was already seen as one of Anthropic’s key revenue drivers. Industry estimates peg Claude Code’s annual recurring revenue in the low billions, with a large majority of usage coming from enterprise customers. That makes the CLI not just a developer toy, but a strategic pillar of the company’s commercial roadmap.

By making so much of its architecture public, the incident effectively hands rival teams a deeply detailed engineering playbook that would otherwise take years of experimentation and significant capital to compile. Competing tools, including newer agentic IDEs and coding copilots, can now benchmark their own approaches against Anthropic’s real-world design decisions instead of operating on guesses and marketing language.

At the same time, the leak lowers the barrier to entry for would-be Claude Code competitors. It is now far easier to assemble an agent with similar memory patterns, background workflows and coordination capabilities by referencing implementations that were already tuned for production use. In that sense, a chunk of Anthropic’s intellectual moat has suddenly become shared knowledge for the broader industry.

History suggests that such events can have a paradoxical effect. On one hand, they accelerate innovation across the field, as more teams learn from high-quality examples. On the other, they shave away at the early mover’s edge, forcing incumbents to move faster and invest more heavily in differentiating features, safety and reliability.

For startups and enterprise buyers evaluating AI tooling, the episode may also subtly shift expectations. Prospective customers are likely to press vendors harder on release discipline, CI/CD safeguards and incident response processes, treating secure publishing pipelines as a non-negotiable part of any serious AI platform.

Security lessons: from config files to MCP servers

Security leaders and practitioners have used the leak as a springboard to propose concrete defensive steps for organizations already experimenting with agentic coding tools. One recurring recommendation is to audit configuration files associated with Claude Code, such as CLAUDE.md and .claude/config.json, which can act as high-privilege vectors for injecting hidden instructions or relaxing safety settings.

Another area of emphasis is treating external tool servers and Model Context Protocol (MCP) endpoints as untrusted dependencies. With the contract surfaces now laid out in detail, malicious operators could try to impersonate legitimate servers or subtly alter behavior at those integration points. Pinning versions, monitoring changes and tightening access controls can reduce that risk.

Given how quickly an AI assistant can move code around, teams are also being urged to lock down shell permissions and systematically scan for secrets before they ever hit a repository. The same abilities that make agents productive — rapidly editing configs, wiring up CI and touching multiple services — can just as easily amplify a single misstep into a serious credential leak.

Finally, there is growing pressure on organizations to track the provenance of AI-assisted commits. As more of the world’s code is written or modified by agents, regulators and auditors may reasonably expect clear disclosure policies, robust logging and ways to verify where critical logic originated, especially in sensitive or regulated domains.

Taken in aggregate, these suggestions reflect a shift from treating AI agents as just another developer tool to recognizing them as core infrastructure with their own dedicated threat models, supply-chain vulnerabilities and governance needs.

All told, the Claude Code leak via npm is less a story about a single flawed release and more about how small, familiar mistakes in modern software pipelines can reshape the competitive and security landscape around AI. With the agent’s internal playbook now effectively public, Anthropic and its peers face mounting pressure to harden their publishing flows, rethink how much logic they expose at the edge and build cultures where configuration minutiae gets as much scrutiny as any cutting-edge model architecture.