The Claude Code Leak: What It Reveals About Hidden Risks in Modern Dev Pipelines

On March 31, 2026, researchers discovered that a single misconfigured build had placed 512,000 lines of Anthropic’s proprietary source code in a public npm package. There was no hack and no sophisticated attack, just one overlooked setting in a release configuration. That is all it took for Claude Code’s internals to be available to anyone who ran npm install.

If you are using AI-assisted software development anywhere in your business, this incident carries a lesson that has little to do with Anthropic and everything to do with what your own pipeline might be silently exposing right now. This article walks through what happened, why it was easy to miss, and how to minimize the same risks in your own releases.

What Actually Happened with the Claude Code Leak

Here’s a quick recap: Anthropic ships Claude Code as a closed-source, minified and obfuscated npm package. On March 30, 2026, it published version 2.1.88, and that package included a source map file, cli.js.map, from which the full, unobfuscated TypeScript source could be recovered (a source map maps minified output back to the original code and commonly embeds that code verbatim in its sourcesContent field).

Security researcher Chaofan Shou was the first to flag it publicly, on March 31, reporting that Claude Code’s entire source code had been exposed via a source map published to the npm registry. Within hours, the code was archived to GitHub and mirrored across the internet.

The leaked codebase comprised nearly 2,000 TypeScript files and more than 512,000 lines of code. The GitHub repository where it was backed up surpassed 84,000 stars and 82,000 forks.

Anthropic confirmed the incident: a spokesperson told The Register it was “a release packaging issue caused by human error, not a security breach,” and that no customer data or credentials were involved.

Human error of this kind is exactly why teams automate their releases. But would a fully automated release process have prevented this? Not by itself: automation ships whatever the build produces, and here it was the build output that contained the leak. Let’s look more closely at the mechanics, and at what they imply for large-scale AI-assisted development.

The Technical Mechanics: Why the Claude Code Leak Was So Easy to Miss

If you’re not a developer, here’s the short version of how such things happen. When engineers build JavaScript or TypeScript applications, the code is bundled and minified (compressed into something barely readable), partly for size and partly to make it harder to read. Source map files are debugging tools that reverse this: they map each position in the minified output back to the original source, and they usually embed the original source text itself. That is invaluable on a developer’s machine and a liability in a published artifact.

According to analyses of the exposed package, the map file included in the npm tarball carried the unobfuscated TypeScript source, so anyone who opened it had the original code.

A single misconfigured .npmignore, or a missing or overly broad files field in package.json, is enough to ship it.

That’s all it takes: one file, one missed exclusion, and you’re in a world of trouble. In Anthropic’s case, the build toolchain (reportedly Bun) emitted source maps next to the bundle, the .npmignore configuration did not account for them, and so they went out in the published artifact. Think of it this way: it’s like printing your internal roadmap on the back of every product you ship. The product works fine, but anyone who turns it over now knows everything.

This is what makes the Claude Code leak so instructive for engineering teams. The failure wasn’t caused by some extreme and exotic combination of factors but rather the kind of thing that happens in any fast-moving team shipping frequently. The only reliable way to catch similar issues is to have the right checks in place before publishing, not after.

What Was Inside the Leaked Claude Code?

The leak contained Anthropic’s intellectual property and internal roadmap, basically in full. Here’s what the community found inside those 1,906 TypeScript files:

Architecture and tooling:

  • A plugin-based tool architecture with approximately 40 discrete tools (file read, bash execution, LSP integration), each permission-gated
  • A 46,000-line query engine handling all LLM API calls, streaming, caching, and tool-call loops
  • Multi-agent orchestration logic that was previously undocumented

Unreleased features:

  • A feature called KAIROS, a persistent background agent that can periodically fix errors or run tasks autonomously, sending push notifications without waiting for user input. Complementing it is a “dream” mode that allows Claude to continuously develop ideas in the background.
  • A Tamagotchi-style companion pet (a deterministic species based on your user ID hash), scheduled for internal release in April 2026 with a full launch planned for May 2026.

Moreover, an “Undercover Mode” in the leaked code indicates that Claude Code can be run to contribute to public open-source repositories while hiding its Anthropic-internal context. The system prompt for this mode reads: “You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.”

This detail generated the most controversy in the developer community, since it describes an AI agent operating incognito on public repos by design. Whether you find that concerning or not, the point is that this information was never meant to be public, and now it is permanently archived across the Internet.

In addition, the Claude Code leak uncovered model performance internals. The code confirms that Capybara is the internal codename for a Claude 4.6 variant, with developers noting a 29-30% false claims rate in v8, a regression compared to the 16.7% rate seen in v4. Developers also noted an “assertiveness counterweight” designed to prevent the model from becoming too aggressive in its refactors. For competitors, that’s a new benchmark; for security researchers, it’s a map of where the guardrails are and how they work.

The Bigger Threat: The Axios Supply Chain Attack

Here’s where the story gets more serious for your own team. The Claude Code leak was embarrassing for Anthropic, but it was not a security breach for users. The Axios compromise that landed in the same window was: it put malware on developer machines.

On March 30-31, 2026, the Axios npm package was compromised in one of the most significant npm supply chain attacks to date. With over 100 million weekly downloads, Axios is a foundational HTTP client used across the JavaScript ecosystem. An attacker hijacked the lead maintainer’s npm account and published two malicious versions that deployed a cross-platform Remote Access Trojan (RAT) on any machine that installed one of them.

Users who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC may have inadvertently pulled in a malicious version of axios (1.14.1 or 0.30.4) that contains a Remote Access Trojan. Users should immediately search project lockfiles for these specific versions or the dependency plain-crypto-js.

Microsoft Threat Intelligence attributed the Axios npm compromise to Sapphire Sleet, a North Korean state actor. This wasn’t an opportunistic strike. Instead, it was targeted, timed, and designed for maximum blast radius.

The attack worked because it exploited a trust gap that exists in almost every modern JavaScript project: the attacker used a stolen long-lived npm access token to publish directly to the npm registry, completely bypassing CI/CD pipelines. Legitimate Axios releases include OIDC provenance metadata that links the npm package to a specific GitHub Actions run. The malicious versions had none of this as they were published directly, leaving no verifiable build trail. The majority of teams would have had no idea anything was wrong.

What Both Incidents Reveal About Your Pipeline

Two separate incidents within the same 24 hours, in the same package ecosystem. Whether or not the timing was a coincidence, both point to the same set of structural risks that exist in most modern dev pipelines.

  • Build Artifact Leakage
    Most teams never run npm pack --dry-run before publishing. They trust the build toolchain to do the right thing, and by Anthropic’s own account that trust is what produced the Claude Code leak. Source maps, internal configs, .env.example files with real-looking values: all of these can end up in a published package without anyone noticing.
  • Third-Party Dependency Blindness
    The npm attacks of 2025-2026 follow one chain: a maintainer is phished or a token is stolen, the credential is used to publish, and the malicious version sits in the registry until someone notices. Claude Code happened to depend on Axios, and your app probably does too.
  • Over-Reliance on Automated Installs
    Running npm install in a CI/CD pipeline without any verification of provenance, version pinning, or SBOM tracking is the default for most teams. It’s also how a RAT ends up on your developer’s machine without a single suspicious click.
  • Missing Publish Gates
    The lesson from the Claude Code leak is clear: .npmignore is load-bearing. Treat it like a security boundary, and prefer an explicit files allowlist in package.json over an ignore list, because an allowlist fails closed when the build starts emitting a file nobody anticipated. Most engineering teams have no formal review step between “build” and “publish.” That gap is where these incidents live.

None of this is hypothetical. In September 2025, attackers hijacked 18 popular npm packages with a combined download count of over 2 billion per week. These attacks happen at scale, and they land on real teams.

What Your Team Should Do Now

Here’s what a review of your pipeline should cover, given what March 31 exposed:

Audit your npm publish configuration before your next release. Run npm pack --dry-run (or npm publish --dry-run) and inspect every file that would be shipped. Look for:

  • Any .map files in dist/
  • Accidentally included source directories
  • Config files with internal paths or tokens

Treat your .npmignore, and the files field in package.json, as a security boundary: put it in every release checklist and require review on any change to it.

Pin your critical dependencies. Removing caret (^) and tilde (~) ranges from package.json only pins the packages you depend on directly; everything below them, including libraries like Axios that sit deep in the tree, is pinned by your lockfile, so commit the lockfile and install with npm ci (which fails on a package.json/lockfile mismatch rather than silently resolving a newer version) instead of npm install in CI. Consider setting ignore-scripts in your npm config as well, since install-time lifecycle scripts are how a package runs code the moment it is installed; some legitimate packages need them, so test before rolling it out. Microsoft recommends disabling auto-upgrade features for npm packages in organizations where security posture requires review before deployment.

Check your lockfiles now. If anyone on your team ran npm install between 00:21 and 03:29 UTC on March 31, 2026, search every lockfile in every repository, including CI caches and container images, for the two malicious axios versions and for plain-crypto-js. A bare version string is a weak signal (plenty of packages have a 1.14.1), so match the package entry together with the version line that follows it, then confirm with npm ls (adapt the pattern for pnpm-lock.yaml or yarn.lock):

grep -rn --include=package-lock.json -A1 -E '"node_modules/(axios|plain-crypto-js)"' .
npm ls axios plain-crypto-js

Require npm publish provenance and SLSA level 2 or higher for all internal packages and for critical third-party ones. npm records a provenance attestation in a version’s registry metadata when the package is published from a supported CI system with --provenance, and npm audit signatures verifies those attestations for everything in node_modules. The absence of provenance on a new version of a package that normally ships with it, which is exactly what the malicious Axios versions lacked, should trigger an automatic alert. Most teams haven’t set this up, usually because nothing has forced them to yet.
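The lockfile check and the provenance check above, as one added example in Node.js (my code, not npm’s or Axios’s). It assumes a lockfileVersion 2 or 3 package-lock.json and registry version documents in the shape npm serves at registry.npmjs.org/<name>/<version>; SAMPLE_LOCK, SAMPLE_REGISTRY and the EXPECT_PROVENANCE policy set are constructed for the example, and the plain-crypto-js version in the sample is invented:

```javascript
// Added example (not npm's or Axios's code): a CI dependency gate that
// (1) scans package-lock.json for the versions named in the Axios advisory
// and (2) refuses a package version that arrived on the registry without a
// provenance attestation. SAMPLE_LOCK and SAMPLE_REGISTRY are constructed
// in-memory documents; in CI you would read package-lock.json from disk and
// fetch https://registry.npmjs.org/<name>/<version> for each entry.

// Versions to refuse outright. axios 1.14.1 / 0.30.4 and the dependency
// plain-crypto-js are the indicators reported for this incident; "*" means
// any version at all.
const BLOCKLIST = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": "*",
};

// Policy assumption for this example: packages whose legitimate releases are
// known to carry provenance, so a version without it is an alert, not noise.
const EXPECT_PROVENANCE = new Set(["axios"]);

// lockfileVersion 2/3 keys are install paths such as "node_modules/axios" or
// "node_modules/foo/node_modules/@scope/pkg"; the name follows the last
// "node_modules/". The "" key is the root project and is skipped.
function lockEntries(lock) {
  const out = [];
  const marker = "node_modules/";
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue;
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    out.push({ path: key, name, version: entry.version });
  }
  return out;
}

function scanLockfile(lock) {
  return lockEntries(lock).filter(({ name, version }) => {
    const bad = BLOCKLIST[name];
    return bad !== undefined && (bad === "*" || bad.has(version));
  });
}

// A version published from CI with `npm publish --provenance` carries
// dist.attestations whose provenance predicate is a SLSA provenance type.
// A version pushed from a laptop with a long-lived token has no such field.
function provenanceStatus(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  if (!att) return { attested: false, reason: "no dist.attestations (published without provenance)" };
  const predicate = att.provenance && att.provenance.predicateType;
  if (typeof predicate !== "string" || !predicate.startsWith("https://slsa.dev/provenance/")) {
    return { attested: false, reason: `unexpected attestation predicate: ${predicate}` };
  }
  return { attested: true, reason: predicate };
}

// Returns the list of reasons to fail the build; an empty list means go.
function gateInstall(lock, registryDocs) {
  const problems = scanLockfile(lock).map((h) => `${h.path}@${h.version}: on the blocklist`);
  for (const { name, version } of lockEntries(lock)) {
    if (!EXPECT_PROVENANCE.has(name)) continue;
    const doc = registryDocs[`${name}@${version}`];
    if (!doc) { problems.push(`${name}@${version}: no registry metadata available`); continue; }
    const status = provenanceStatus(doc);
    if (!status.attested) problems.push(`${name}@${version}: ${status.reason}`);
  }
  return problems;
}

// Constructed lockfile: a project that resolved the malicious axios version
// and also has the plain-crypto-js dependency the advisory names installed.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.1" }, // version invented for the sample
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Constructed registry documents in the shape of
// https://registry.npmjs.org/<name>/<version>: the CI-built release carries
// an attestation, the hijacked one does not.
const SAMPLE_REGISTRY = {
  "axios@1.14.0": {
    name: "axios", version: "1.14.0",
    dist: {
      tarball: "https://registry.npmjs.org/axios/-/axios-1.14.0.tgz",
      attestations: {
        url: "https://registry.npmjs.org/-/npm/v1/attestations/axios@1.14.0",
        provenance: { predicateType: "https://slsa.dev/provenance/v1" },
      },
    },
  },
  "axios@1.14.1": {
    name: "axios", version: "1.14.1",
    dist: { tarball: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz" },
  },
};

// The same project after pinning back to the attested release.
const CLEAN_LOCK = {
  ...SAMPLE_LOCK,
  packages: {
    "": SAMPLE_LOCK.packages[""],
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const p of gateInstall(SAMPLE_LOCK, SAMPLE_REGISTRY)) console.log("FAIL:", p);
```

In a real pipeline the registry fetch goes where SAMPLE_REGISTRY is consulted, and npm audit signatures already performs the attestation verification for an installed tree; what the custom gate adds is the policy layer (which packages must have provenance, which versions are blocked) that the built-in command does not express.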

Add a publish review step to your CI/CD pipeline for every release. Integrate a pre-publish artifact inspection step that checks for source maps, debug URLs, and sourceMappingURL directives in your final distributed output.
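The inspection step above, and the source-map mechanics described earlier, as an added example in Node.js (my code, not Anthropic’s, Bun’s or npm’s). It assumes the packed file list and contents have been loaded into a path-to-content map; SAMPLE_PACKAGE and CLEAN_PACKAGE are constructed samples, and the secret patterns are illustrative credential formats, not a complete list:

```javascript
// Added example (not Anthropic's, Bun's or npm's code): a pre-publish gate
// that inspects every file npm would ship and refuses to publish when a
// debugging artifact or a secret is about to leave the build machine.
// `files` is a map of path -> content for the packed tarball. In CI you would
// build it from `npm pack --dry-run --json` (the file list) plus the file
// bodies on disk; here SAMPLE_PACKAGE is a constructed in-memory package.

// Trailing directive that bundlers append to minified output, e.g.
// "//# sourceMappingURL=cli.js.map". It tells anyone who opens the file
// exactly where the original source lives.
const SOURCEMAP_DIRECTIVE = /^\s*\/[\/*]#\s*sourceMappingURL=(\S+)/m;

// Illustrative credential formats that should never appear in a published
// artifact (npm access tokens are "npm_" plus 36 characters; AWS access key
// IDs start with "AKIA"; PEM private keys are self-describing).
const SECRET_PATTERNS = {
  "npm access token": /\bnpm_[A-Za-z0-9]{36}\b/,
  "AWS access key ID": /\bAKIA[0-9A-Z]{16}\b/,
  "PEM private key": /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
};

// Files that are never part of a runnable package: dotenv files of any
// flavour (.env, .env.example, .env.local) and TypeScript sources in dist/.
const FORBIDDEN_PATHS = [/(^|\/)\.env(\.|$)/, /^dist\/.*\.tsx?$/];

function findLeakyArtifacts(files) {
  const findings = [];
  for (const [file, content] of Object.entries(files)) {
    if (file.endsWith(".map")) {
      findings.push({ file, reason: "source map in published artifact" });
      let map = null;
      try { map = JSON.parse(content); } catch { /* not JSON, still a .map file */ }
      // A map that carries sourcesContent embeds the original source files
      // verbatim: this is where "pointing at" the source becomes shipping it.
      if (map && Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean)) {
        findings.push({ file, reason: "source map embeds original sources (sourcesContent)" });
      }
      continue;
    }
    const directive = SOURCEMAP_DIRECTIVE.exec(content);
    if (directive) {
      findings.push({ file, reason: `sourceMappingURL directive -> ${directive[1]}` });
    }
    for (const [label, re] of Object.entries(SECRET_PATTERNS)) {
      if (re.test(content)) findings.push({ file, reason: `looks like a ${label}` });
    }
    if (FORBIDDEN_PATHS.some((re) => re.test(file))) {
      findings.push({ file, reason: "file type that should not be published" });
    }
  }
  return findings;
}

// The gate itself: true means "do not run npm publish".
function shouldBlockPublish(files) {
  return findLeakyArtifacts(files).length > 0;
}

// Constructed sample: what a build with source maps enabled and a permissive
// .npmignore might leave in the tarball.
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({ name: "demo-cli", version: "1.0.0", bin: "cli.js" }),
  "cli.js": "#!/usr/bin/env node\nconsole.log('hello');\n//# sourceMappingURL=cli.js.map\n",
  "cli.js.map": JSON.stringify({
    version: 3,
    sources: ["src/cli.ts"],
    sourcesContent: ["// internal comment\nexport const unreleasedFeature = true;\n"],
    mappings: "AAAA",
  }),
  ".env.example": "NPM_TOKEN=npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\n",
};

// The same package after fixing the build: no map, no directive, no dotenv.
const CLEAN_PACKAGE = {
  "package.json": SAMPLE_PACKAGE["package.json"],
  "cli.js": "#!/usr/bin/env node\nconsole.log('hello');\n",
};

for (const f of findLeakyArtifacts(SAMPLE_PACKAGE)) console.log(`${f.file}: ${f.reason}`);
console.log(shouldBlockPublish(SAMPLE_PACKAGE) ? "BLOCK publish" : "OK to publish");
```

Wire it in as the step between npm pack and npm publish: on a non-empty findings list the job fails and nothing reaches the registry. The sourcesContent check is the one that matters most, since a map that only references source paths discloses structure, while one that embeds them discloses the code itself.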

Review how AI coding tools are used in sensitive environments and adopt a zero-trust posture when using Claude Code in unfamiliar ones. Avoid running the agent inside freshly cloned or untrusted repositories until you have manually inspected the project’s .claude/ settings (settings.json and settings.local.json) and any hooks they define, since hooks run shell commands with your permissions. The same logic applies to any AI tool with filesystem and shell access. That’s something we’ve explained in detail in our article on OpenClaw security best practices.

The Broader Question: How Much Do You Know About Your Pipeline?

Most founders and engineering leads can describe their product architecture in detail. Fewer can describe, with the same confidence, exactly what their CI/CD pipeline ships, what dependencies it trusts automatically, and what a bad actor with a compromised npm token could put in front of their developers tomorrow.

The key to preventing incidents like the Claude Code leak is to build the right review processes so you can ship fast without hidden risk. A professional software audit, one covering your build configuration, dependency chain, CI/CD pipeline, and publish process, takes days, not weeks. The Anthropic incident took hours to unfold, and the malicious Axios versions were live on the registry for only a few hours.

If you’re using AI-assisted development tools and want to ensure the pipeline around them is secure and properly governed, that’s exactly the kind of work Redwerk has been doing for tech companies since 2005. Our code review service includes build and dependency configuration, and our DevOps consulting covers CI/CD hardening that makes incidents like these far less likely to affect your team.

The Claude Code leak occurred because of a single misconfigured file. The Axios attack succeeded because of one compromised account and one un-gated npm token. Both are small, process-level failures of the kind that smart teams overlook until they can’t.

What March 31 really revealed isn’t that Anthropic made a mistake. It’s that the modern JavaScript dev pipeline, with its dense dependency trees, automated installs, and trust-by-default package registries, is far more exposed than most teams realize. And the faster you ship, the more likely it is that one of these gaps exists somewhere between your code and your users. If you are ready to prevent this in your pipeline, contact us, and let’s close any gaps in your security together.

