On March 31, 2026, Anthropic’s Claude Code source code was accidentally leaked to the public through a routine software update — exposing nearly 2,000 files and more than 512,000 lines of proprietary code to anyone who knew where to look. Within hours, the codebase had been mirrored across GitHub, amassing tens of thousands of stars and forks. It is the second significant security lapse at Anthropic in under two weeks, and it raises uncomfortable questions for a company that markets itself as the AI industry’s safety-first lab.

How the Claude Code Leak Happened
The leak originated from a straightforward human error in Anthropic’s software release process. When the company pushed version 2.1.88 of the @anthropic-ai/claude-code package to the public npm registry — the repository that developers use to download and update software tools — it inadvertently included a 59.8 MB JavaScript source map file that was intended only for internal debugging.
Source map files are used by developers to trace errors in bundled or minified production code back to the original readable source. They are never meant to be shipped publicly. In this case, the map file contained a direct reference to a zip archive stored on Anthropic’s own Cloudflare R2 cloud storage bucket — a bucket that turned out to be publicly accessible.
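A release-time check for the failure described above, as an added example that is not Anthropic's code: it walks the files slated for a package and flags shipped source maps, original sources embedded in them, and absolute URLs inside a map. The file list, package name and URL are constructed for illustration.

```javascript
// Added example, not Anthropic's tooling. `files` stands in for the tarball
// contents (paths as listed by `npm pack --dry-run --json`, plus file text).
const URL_RE = /https?:\/\/[^\s"'\\)]+/g;

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith(".map")) {
      findings.push({ path, issue: "source map in package" });
      let map;
      try {
        map = JSON.parse(content);
      } catch {
        findings.push({ path, issue: "unparseable source map" });
        continue;
      }
      // sourcesContent carries the original, readable source verbatim.
      const sc = Array.isArray(map?.sourcesContent) ? map.sourcesContent : [];
      const embedded = sc.filter((s) => typeof s === "string");
      if (embedded.length > 0) {
        findings.push({ path, issue: `embeds ${embedded.length} original source file(s)` });
      }
      // Absolute URLs in a map can point at storage that was meant to be internal.
      for (const url of new Set(content.match(URL_RE) || [])) {
        findings.push({ path, issue: `references ${url}` });
      }
    } else if (/\.[cm]?js$/.test(path)) {
      const m = content.match(/\/\/[#@]\s*sourceMappingURL=(\S+)/);
      if (!m) continue;
      const inline = m[1].startsWith("data:");
      findings.push({ path, issue: inline ? "inline source map" : `points to ${m[1]}` });
    }
  }
  return findings;
}

// Constructed sample package; the URL is a placeholder, not a real location.
const SAMPLE_FILES = [
  { path: "package.json", content: '{"name":"demo-cli","version":"1.0.0"}' },
  { path: "cli.js", content: "console.log(1);\n//# sourceMappingURL=cli.js.map\n" },
  { path: "cli.js.map", content: JSON.stringify({
    version: 3,
    sourceRoot: "https://storage.example.invalid/src.zip",
    sources: ["src/main.ts"],
    sourcesContent: ["export const x = 1;"],
    mappings: "AAAA",
  }) },
];
```

Run as a gate before publishing, any non-empty result should fail the release.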
Security researcher Chaofan Shou was the first to spot it. His post on X — “Claude Code source code has been leaked via a map file in their npm registry!” — accumulated more than 28 million views within hours. By the time Anthropic pulled the affected package version from npm, the codebase had already been downloaded, mirrored, and distributed across dozens of GitHub repositories. As of writing, the main mirror has surpassed 84,000 stars and 82,000 forks.
Anthropic confirmed the incident in a statement to multiple outlets: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”
What Was Inside the Leaked Code
The leaked archive contained the full source code for Claude Code’s agentic harness — the software layer that wraps Anthropic’s underlying AI model and gives it the ability to use tools, manage files, execute bash commands, and coordinate multi-agent workflows. This is not the model weights themselves, but it is arguably the engineering blueprint that makes Claude Code commercially competitive.
Several previously undisclosed features were exposed in the leak:
KAIROS — referenced more than 150 times in the source — describes an always-on autonomous background agent mode. Rather than waiting for user input, KAIROS allows Claude Code to operate as a daemon, performing what the code calls “autoDream” during idle periods: consolidating memory, resolving contradictions in its context, and preparing clean, relevant information for when the user returns. This represents a significant architectural advancement beyond current reactive AI tools.
Undercover Mode — perhaps the most discussed discovery — reveals a system designed for Claude Code to make contributions to public open-source repositories without revealing that an AI was involved. The system prompt found in the leaked code explicitly instructs the model: “You are operating UNDERCOVER… Your commit messages MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.” Internal model codenames such as “Tengu” and “Capybara” are explicitly blocked from appearing in public git logs.
Three-layer memory architecture — the code details how Claude Code manages context entropy, a known problem in long-running AI agent sessions where the model becomes increasingly confused or hallucinatory as conversations grow. The implementation shows a sophisticated approach to keeping context clean and relevant over extended sessions.
The leaked code also provided further confirmation that Anthropic is actively developing a new flagship model with the internal codename Capybara (also referred to as “Mythos”), with evidence suggesting both a “fast” and a “slow” version are planned, featuring a significantly larger context window than current Claude models.
The Security Risks for Developers
Beyond the competitive intelligence implications, the leak carries a direct security risk for developers who updated Claude Code during a specific window.
Users who installed or updated Claude Code via npm between 00:21 and 03:29 UTC on March 31, 2026 may have inadvertently pulled a trojanized version of the axios HTTP client library — a separate but coinciding supply chain attack. The malicious dependency, named plain-crypto-js, contains a cross-platform Remote Access Trojan (RAT).
Affected developers are advised to immediately downgrade their Claude Code installation to a safe version, rotate all secrets and API keys stored in their development environment, and audit their package-lock.json or yarn.lock files for references to plain-crypto-js or to axios versions 1.14.1 or 0.30.4.
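The lockfile audit described above can be scripted. The following is an added example, not from Anthropic or the original article: it checks a parsed package-lock.json, in both the flat `packages` layout and the older nested `dependencies` layout, for the package name and axios versions listed above. The sample lockfiles are constructed, and yarn.lock is not covered.

```javascript
// Added example, not Anthropic's tooling. Indicator names and versions are
// the ones the article lists; everything in the SAMPLE_* locks is constructed.
const INDICATORS = new Map([
  ["plain-crypto-js", null], // any version is a hit
  ["axios", new Set(["1.14.1", "0.30.4"])],
]);

function isFlagged(name, version) {
  const versions = INDICATORS.get(name); // undefined when name is not listed
  return versions === null || (versions !== undefined && versions.has(version));
}

function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

// `lock` is the parsed JSON of a package-lock.json file.
function auditLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const name = meta.name || nameFromPath(path); // meta.name is set for aliases
      if (isFlagged(name, meta.version)) hits.push({ name, version: meta.version, where: path });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (isFlagged(name, meta.version)) hits.push({ name, version: meta.version, where: here.join(" > ") });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/some-lib/node_modules/axios": { version: "1.7.0" },
  "node_modules/plain-crypto-js": { version: "0.0.0" }, // placeholder version
} };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  "some-lib": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } } } };
```

Pass it `JSON.parse` of your own package-lock.json contents; an empty result means none of the listed indicators appear in that lockfile.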
Anthropic has since designated its native installer — available via curl -fsSL https://claude.ai/install.sh | sh — as the recommended installation method going forward, as it uses a standalone binary that does not rely on the npm dependency chain.
Why This Matters Beyond Anthropic
Claude Code is Anthropic’s fastest-growing product, with annualized recurring revenue estimated at $2.5 billion — a figure that has more than doubled since the start of 2026. Enterprise customers account for approximately 80% of that revenue. The leaked source code hands every competitor — from OpenAI to Google to smaller players like Cursor — a detailed engineering blueprint for how to build a production-grade AI coding agent.
This is the second significant security incident at Anthropic in less than two weeks. Days before the source code leak, Fortune reported that Anthropic had accidentally left close to 3,000 internal files publicly accessible via its content management system, including a draft blog post describing the forthcoming Mythos/Capybara model and its advanced capabilities.
The pattern raises a broader question that extends beyond Anthropic: as AI companies race to ship products, build enterprise relationships, and prepare for public listings, how seriously are they treating the security of their own internal systems? Anthropic’s entire brand proposition rests on being the responsible, safety-conscious alternative in the AI market. Two accidental leaks in a fortnight do not reinforce that narrative.
What Happens Next
Anthropic has stated it is implementing measures to prevent future packaging errors. The company has also issued a takedown notice to at least one developer who hosted the leaked code on GitHub, though the breadth of distribution — tens of thousands of forks — makes full containment effectively impossible.
The Claude Code source code leak of 2026 will not sink Anthropic. The company remains well-funded, and its core AI models were not exposed. But the incident is a reminder that operational security at AI labs is not merely a technical problem — it is a competitive and reputational one. For every line of code now in the hands of rivals, Anthropic’s safety-first positioning becomes a harder story to tell.


