Anthropic's Claude Code Leaks Source Code for the Second Time in a Year
Anthropic has suffered a significant security incident: the full source code of its AI coding assistant Claude Code was accidentally leaked via an npm package on March 31, 2026. This marks the second such incident in less than 15 months, raising questions about the company's release processes.
The leak occurred in npm package version 2.1.88, where a source map file (`cli.js.map`) was left publicly accessible. Security researcher Chaofan Shou first flagged the issue on X (formerly Twitter), noting that the 60MB source map allowed reconstruction of approximately 512,000 lines of TypeScript code across nearly 1,900 files.
The root cause was human error in Anthropic's release packaging pipeline. The source map file linked minified JavaScript back to original TypeScript source files stored in the company's Cloudflare R2 storage bucket. Unlike a malicious breach, this was a straightforward packaging oversight that made the entire client-side implementation downloadable.
What Was Exposed
The leaked code revealed extensive details about Claude Code's internal architecture, including tool execution logic, permission schemas, memory systems, telemetry tracking, and system prompts. Security analysts discovered the tool classifies user language using keyword detection—tracking phrases like "wtf," "this sucks," and "frustrating" as negative sentiment signals.
More significantly, the leak exposed unreleased features that Anthropic had not yet announced. These included KAIROS, described as an "always-on autonomous agent mode," and a feature called autoDream for background memory consolidation during idle time. Researchers also found references to over 60 feature flags prefixed with the codename "Tengu," suggesting a substantial roadmap of upcoming functionality.
The leaked code even included an "undercover mode" designed to strip internal codenames from git commits and pull requests—a feature that now seems ironically prophetic.
What Wasn't Exposed
Anthropic confirmed that no customer data, credentials, model weights, or inference infrastructure were compromised. The leak was limited to the client-side CLI tool implementation. While the code reveals architectural decisions and security mechanisms, it does not provide the capability to replicate Claude's model capabilities.
A Pattern Emerges
Notably, this is not Anthropic's first such incident. A nearly identical source map leak occurred in February 2025 with an earlier version of Claude Code. The company had apparently failed to implement preventive measures after the initial incident.
Anthropic has since removed version 2.1.88 from npm and issued DMCA takedowns against public repositories hosting the code. However, the source was already archived across multiple platforms, ensuring widespread availability despite removal efforts.
The incident provides the AI community with an rare look at production-grade agent architecture, though the recurring nature of this packaging failure underscores the challenges of maintaining security across rapid release cycles.