John StephensonIf you installed or updated Claude Code via npm on March 31, 2026 between 00:21–03:29 UTC, check your lockfiles immediately for axios versions 1.14.1 or 0.30.4, or the dependency plain-crypto-js. A concurrent supply-chain attack may have injected a Remote Access Trojan.
Anthropic Accidentally Leaked Claude Code's Entire Source Code — Here's Everything Inside
On the morning of March 31, 2026, security researcher Chaofan Shou made a discovery that sent shockwaves through the AI and developer communities: Anthropic had accidentally shipped its entire Claude Code source code to the public npm registry. Within hours, the repository had been forked more than 41,500 times, backed up across GitHub, and picked apart by thousands of developers worldwide.
The exposure came from a single misconfigured source map file — cli.js.map — bundled inside Claude Code npm package version 2.1.88. Source map files are debugging tools meant only for development environments. When Anthropic's build pipeline published the package, it included a reference pointing directly to an unobfuscated TypeScript source archive sitting on Anthropic's Cloudflare R2 storage bucket — publicly accessible to anyone who knew where to look.
A single misconfigured .npmignore or files field in package.json can expose everything. — Gabriel Anhaia, Software Engineer
Anthropic confirmed the incident in a statement: "Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again."
How It Happened
The Technical Cause: A Build Pipeline Mistake
Claude Code is distributed as an obfuscated npm package — a deliberate choice to protect Anthropic's proprietary engineering. The tool is built with Bun's bundler, which generates source map files by default unless explicitly disabled. The mistake was straightforward: no one added *.map to the .npmignore file, and the source maps shipped with the production build.
└── cli.js (obfuscated, production)
└── cli.js.map ← should NOT be here
└── points to → zip archive on Anthropic's R2 bucket
└── full unobfuscated TypeScript source (57MB)
The irony runs deep: the leaked code itself contains a system called Undercover Mode — a subsystem specifically designed to prevent Claude from accidentally revealing Anthropic's internal codenames in git commits and pull requests. A whole subsystem to stop AI from leaking secrets, and then the entire source shipped in a .map file.
What Was Inside
The Biggest Revelations From the Leaked Source
The 512,000 lines of TypeScript reveal far more than a simple CLI wrapper. Claude Code is a sophisticated multi-agent orchestration platform with capabilities that were never publicly documented.
44 Hidden Feature Flags — 20 Unshipped
The most striking discovery was a complete list of feature flags representing built but unreleased capabilities. These are not vaporware — they are compiled code sitting behind flags that evaluate to false in the external build.
The Architecture: Far More Than a Chat Wrapper
The leaked code reveals Claude Code as an enterprise-grade platform with four major architectural layers:
Security Implications
What This Means for Security — and What You Should Do Right Now
The leak creates two distinct security concerns that affect different audiences.
For Claude Code Users: The Axios Supply-Chain Attack
Concurrent with the source leak — and almost certainly not a coincidence — the popular axios npm package was compromised. If you updated Claude Code during the window below, you may have a Remote Access Trojan on your system.
Search your package-lock.json, yarn.lock, or bun.lockb for:
• axios version 1.14.1 or 0.30.4
• The dependency plain-crypto-js
If found, remove the package immediately, audit your system for unauthorized processes, and rotate any credentials that may have been accessible.
For the Broader AI Industry: The Blueprint Problem
By exposing the orchestration logic for Hooks and MCP servers, the leak hands a detailed roadmap to anyone looking to bypass Claude Code's security guardrails. Attackers can now design malicious repositories specifically engineered to trick Claude Code into running background commands or exfiltrating data before a trust prompt appears.
For competitors, the implications are more strategic than dangerous. The leaked code is a blueprint for building a production-grade AI coding agent — the kind that has already reached $2.5 billion in annualized recurring revenue with enterprise clients accounting for 80% of the total.
The Bigger Picture
What Builders and Operators Should Take Away
For anyone building AI-powered workflows, this leak is more than a news story. It is a window into where the entire industry is heading — and a sobering reminder of how much operational discipline is required to stay ahead.
The level of engineering inside Claude Code — permission systems, multi-agent orchestration, IDE bridges, persistent memory, autonomous background agents — sets a bar that few teams have the resources to match from scratch. For enterprise operators, that was the moat. Now the blueprint is public.
For builders, the practical lesson is simpler: audit your own build pipelines today. A single misconfigured file field in package.json can expose everything you've built. If Anthropic's team, working at $19 billion ARR, made this mistake — anyone can.
The secrets are out. What you build with them — or protect against them — is now the only question that matters.
Common Questions
John Stephenson
