The Claude Code Leak

On March 31, 2026, Anthropic shipped version 2.1.88 of their Claude Code npm package with a file that should never have been included: a 59.8 megabyte JavaScript source map. Source maps are debug artifacts. They exist so developers can trace compiled code back to the original source. This particular file pointed to a publicly accessible R2 cloud storage bucket containing the full Claude Code codebase. All 512,000 lines of TypeScript across roughly 1,900 files.

A developer named Chaofan Shou, an intern at Solayer Labs, spotted the oversized .map file and posted about it on X around 4:23 AM Eastern. Within hours the tweet had pulled in 16 million views. Mirror repositories and clean-room rewrites started popping up on GitHub. The fastest, a Python rewrite called claw-code by developer Sigrid Jin, hit 50,000 stars in under two hours, making it the fastest-growing repository in GitHub history.

This wasn't some sophisticated hack. Nobody broke into Anthropic's servers. The company simply forgot to exclude a debug file from their published package. Three things went wrong at once: a missing .npmignore entry that should have filtered out .map files, source maps that referenced publicly readable cloud storage URLs, and Bun's bundler generating source maps by default unless explicitly disabled. A known Bun runtime bug (issue #28001, reported 20 days earlier) was initially cited as a contributing factor, though Bun's founder disputed the connection since that bug relates to the frontend dev server rather than npm packaging. To make matters worse, this was Anthropic's second data exposure in less than a week. Just five days earlier, a CMS misconfiguration had leaked around 3,000 internal files including details about an unreleased model called Claude Mythos.

The exposed codebase gave the public its first real look at how a production AI agent actually works under the hood. The code revealed roughly 40 tools spanning 29,000 lines that handle everything from bash execution to file operations to web fetching. A 46,000-line query engine manages LLM API calls, token budgets, and multi-agent coordination. The memory system uses a three-layer architecture with lightweight indices, topic files loaded on demand, and transcript searches.

But the really interesting stuff was what hadn't been announced yet. Researchers found 44 feature flags controlling capabilities that were fully built but switched off in external builds. Among them was KAIROS, an autonomous daemon mode where Claude Code runs as an always-on background agent, performing what the code calls "memory consolidation" (internally named autoDream) while the user is idle. There was BUDDY, a full Tamagotchi-style virtual pet system with 18 creature species, rarity tiers, a 1% shiny chance, and RPG stats like DEBUGGING and SNARK. It turned out to be an April Fools feature scheduled for the very next day.

Perhaps the most controversial discovery was something called Undercover Mode. When the system detects an Anthropic employee working in a public repository, it automatically suppresses any mention of internal codenames, Slack channels, or the fact that Claude Code is being used. The system prompt literally says: "You are operating UNDERCOVER... Do not blow your cover." And the code notes there is no force-off switch.

The timing could not have been worse. On the same day as the source code leak, a completely separate attack hit the npm ecosystem. Malicious versions of the popular axios HTTP library (versions 1.14.1 and 0.30.4) appeared on npm at 00:21 UTC, roughly four hours before the Claude Code leak went public. These fake packages contained a cross-platform Remote Access Trojan hidden inside a dependency called plain-crypto-js.

Claude Code itself ships with zero npm dependencies, so installing it alone would not have pulled in axios. But anyone who ran npm install or npm update during that window in any project that lists axios as a dependency with a loose version range (such as ^1.x) would have resolved to the malicious 1.14.1, tagged as latest. Developers who happened to be setting up environments or updating dependencies alongside a Claude Code install were at risk. Anthropic told affected users to treat their machines as fully compromised, rotate all secrets and credentials, and perform a clean OS reinstall. This overlap between the accidental leak and the deliberate supply chain attack highlighted a problem that goes well beyond Anthropic. Modern development workflows depend on vast chains of third-party packages, and a single poisoned dependency can compromise thousands of projects within hours. The incident pushed Anthropic to recommend their native installer (curl from claude.ai) over the npm installation path entirely, sidestepping the dependency chain.

Buried in the source code were two strategies designed to stop competitors from training on Claude Code's outputs. The first, called Fake Tools Injection, adds decoy tool definitions into API traffic when a specific flag is enabled. The idea is to corrupt any data that competitors might scrape from Claude Code sessions. The second mechanism uses cryptographically signed reasoning summaries to prevent unauthorized reproduction of the model's chain-of-thought process.

The leak essentially handed every AI company on the planet a complete blueprint for building a production-grade AI coding agent. The full orchestration logic for tools, memory management, multi-agent coordination, and safety guardrails was now public knowledge. Clean-room rewrites started appearing almost immediately. A Python version called claw-code by Korean developer Sigrid Jin surpassed 100,000 GitHub stars, actually outpacing Anthropic's own repository. A Rust rewrite also showed up.

Anthropic filed DMCA takedown notices through GitHub, resulting in over 8,100 repositories being disabled. The clean-room rewrites have so far survived takedowns since they contain no copied code, though their legal standing under copyright law remains genuinely untested and unclear. Decentralized mirrors went live on alternative platforms with promises they would never be taken down. Torrent distribution made complete containment impossible. An interesting legal wrinkle: if significant chunks of Claude Code were written by Claude itself (as Anthropic's CEO has implied), the copyright standing of DMCA claims becomes uncertain.

You don't have to be building AI to learn from this. The Claude Code leak is a textbook example of how small configuration oversights create massive exposures. A missing line in .npmignore. A storage bucket without proper access controls. A known bug that sat unpatched for 20 days. None of these are exotic attack vectors. They are ordinary mistakes that compound into extraordinary consequences.

If your team publishes packages to npm, PyPI, or any public registry, ask yourself: do you have automated checks that flag unexpected file sizes or file types before publishing? Are your CI/CD pipelines configured to strip debug artifacts from production builds? Do your cloud storage buckets have access policies that follow the principle of least privilege? The supply chain angle matters too. The axios trojan was completely unrelated to Anthropic's packaging mistake, but it hit users in the same window because they were pulling fresh installs from npm. Pinning dependency versions, verifying package checksums, and using lockfiles aren't just best practices anymore. They are baseline requirements for any serious development operation.

The Claude Code leak wasn't caused by some novel zero-day or advanced persistent threat. It was a packaging oversight compounded by a known, unpatched bug and a public storage bucket. The kind of thing that happens when teams move fast and configuration hygiene falls behind. Companies building AI tooling are shipping at breakneck speed, and that pace creates exactly these kinds of gaps. If your development workflow depends on third-party tools (and in 2026, it almost certainly does), treat their supply chain with the same rigor you'd apply to your own deployments. Pin versions. Verify checksums. Monitor for unexpected updates. Audit your own publishing pipeline. The question isn't whether something will go wrong. It's whether your team will catch it before the damage is done.