Three times in thirteen months, Anthropic accidentally published Claude Code's source code. February 2025: an 18-million-character source map left inline in npm. March 26, 2026: ~3,000 internal files including the secret Mythos model exposed via misconfigured CMS. March 31, 2026: a 59.8 MB source map in npm exposing 512,000 lines across 1,900 files. Same root cause every time — Bun bundler generating source maps by default. Fortune called it "a second security lapse in days."
The Complete Timeline: Three Leaks in 13 Months
What makes this story exceptional is not a single incident but a pattern. Anthropic's Claude Code source has leaked three separate times through the same fundamental mechanism. Each time, source maps — debug files that map compiled code back to the original TypeScript — were accidentally included in public npm packages.
| Date | Leak | Vector | Scale | Discovery |
|---|---|---|---|---|
| Feb 24, 2025 | First source map leak | Inline base64 source map in cli.mjs (23 MB) | 18M characters base64-encoded source | Dave Shoemaker |
| Mar 26, 2026 | Mythos/Capybara internal docs | Misconfigured CMS / data store | ~3,000 internal files exposed | Security researchers |
| Mar 31, 2026 | Full source code leak | npm source map file (59.8 MB) in v2.1.88 | 512,000 lines / 1,900 files | Chaofan Shou (Solayer Labs) |
The pattern is clear: 363 npm versions of Claude Code were published between the first and third leaks. Despite the February 2025 incident, no automated build pipeline check was added to prevent source maps from shipping again.
Leak #1 — February 2025: The First Warning
On February 24, 2025, Anthropic published Claude Code on npm for the first time. Dave Shoemaker, a developer reviewing the package, discovered an inline source map of 18 million characters encoded in base64 inside the cli.mjs file (23 MB total). The source map contained the complete original TypeScript source code of Claude Code at that point in development.
Anthropic reacted quickly. Within approximately two hours, the team retired the source map, unpublished the affected npm version, and purged CDN caches. By March 1, 2025, the immediate crisis appeared contained.
But the code had already been preserved. Daniel Nakov published the extracted source on GitHub as dnakov/claude-code on February 25. More creatively, Dave Shoemaker documented that the full source could be recovered from Sublime Text's undo history files — a persistence vector that npm cache purging could not reach. By March 7, security researcher Lee Han Chung had completed a thorough architecture analysis, documenting system prompts (including internal prompt strategies like "megathink" and "ultrathink"), MCP integration, and AWS Bedrock connectivity.
The February 2025 leak revealed Claude Code in its early state: already an agentic harness rather than a simple CLI, but far less sophisticated than what would be exposed 13 months later. The critical question that the industry would later ask: why didn't this incident trigger permanent build safeguards?
Leak #2 — March 26, 2026: The Mythos Model Exposure
Five days before the source code leak, Anthropic suffered a different kind of exposure. Around March 26, 2026, security researchers discovered approximately 3,000 internal Anthropic files accessible through a misconfigured content management system. Among those files: a draft blog post revealing a secret next-generation AI model codenamed "Mythos" (internal name: "Capybara"), positioned as a tier above the current flagship Claude Opus 4.6.
The Mythos leak included internal benchmark data, safety evaluations, project planning documents, and details about Capybara v8's performance — including a troubling regression in false affirmation rates (29-30% vs. 16.7% in v4). Fortune published an exclusive report, and the story generated significant market reactions before Anthropic managed to secure the exposed data store.
This was a different attack surface — a CMS misconfiguration rather than a build pipeline error — but it established a pattern of operational security failures that would become much harder to defend when the npm leak hit five days later.
Leak #3 — March 31, 2026: The Full Source Code Exposure
The largest leak occurred on March 31, 2026. At approximately 04:23 ET, Chaofan Shou, a research intern at Solayer Labs, discovered a 59.8 MB source map file (.map) inside the npm package @anthropic-ai/claude-code@2.1.88. Shou posted his discovery on X (formerly Twitter), and within hours the thread had accumulated 16 million views.
The Technical Mechanism
The source map file referenced a ZIP archive hosted on a Cloudflare R2 bucket. This archive contained the complete, unobfuscated TypeScript source code of Claude Code: approximately 512,000 lines spread across 1,900 files. The root cause was identical to the February 2025 incident: Bun, the JavaScript bundler used by Anthropic, generates source maps by default unless explicitly disabled with a build configuration flag.
| Metric | Value |
|---|---|
| TypeScript files exposed | ~1,902 |
| Lines of code | ~512,000 |
| Source map file size | 59.8 MB |
| npm package version | v2.1.88 |
| Feature flags (compile-time) | 32 |
| Feature gates (runtime, GrowthBook) | 22+ |
| Environment variables | 330+ |
| Tools modules | 184 |
Community Reaction
The open-source community moved fast. Sigrid Jin (GitHub: instructkr) ported the leaked architecture into a Python-based clone called claw-code, which reached 75,700 GitHub stars — an all-time platform record. The original mirror accumulated over 41,500 forks. Anthropic issued DMCA takedown notices on GitHub, but decentralized mirrors had already proliferated. The site ccleaks.com published what became the most complete database of hidden features found in the code.
The Axios Supply Chain Attack — Same Day Context
What makes March 31 even more significant for the security community is what happened hours before the Claude Code leak was discovered. Between 00:21 and 03:29 UTC, malicious versions of the popular axios npm package were published, containing a Remote Access Trojan (RAT) called NukeSped. Security researchers attributed the attack to Lazarus Group, a North Korean state-sponsored hacking operation (DPRK).
The coincidence of a state-sponsored npm supply chain attack and one of the largest accidental source code exposures in AI history occurring on the same day underscored a broader vulnerability in the npm ecosystem. For security teams already scrambling to audit axios dependencies, discovering that Anthropic's entire AI agent codebase was also exposed added urgency to an already critical day.
The Root Cause: Bun Bundler Default Source Maps
The technical root cause is remarkably simple for an incident of this magnitude. Bun, the JavaScript runtime and bundler Anthropic uses to build Claude Code, generates source maps by default. Unless the build configuration explicitly sets sourcemap: "none" or equivalent, every build produces a .map file that contains the complete original source code.
This is a known Bun behavior. It is documented. It is not a bug in Bun. The failure was operational: Anthropic's build pipeline did not include an automated check to strip or exclude source maps from npm packages before publishing.
The same error occurred three times:
- February 2025: Source map inlined as base64 in cli.mjs — 18M characters
- March 2026 (v2.1.88): Source map as separate 59.8 MB .map file referencing Cloudflare R2 archive
- Intermediate discovery (March 7, 2026): gentic.news found a bundle of 13,800 lines in
@anthropic-ai/claude-agent-sdkv2.1.71
Security experts noted the absence of what should be a basic CI/CD guardrail: a pre-publish check that verifies no .map files are included in the npm package. Most organizations building security-sensitive software add this check as a standard part of their release pipeline.
Anthropic's Response: "Human Error, Not a Security Breach"
Anthropic's official response characterized the March 31 leak as a "release packaging issue caused by human error, not a security breach." The company drew a distinction between an intentional intrusion (breach) and an accidental inclusion of files in a public package (packaging error).
This framing drew mixed reactions. Security professionals generally agreed that source maps in npm packages are a build pipeline failure, not a targeted attack. However, the "not a security breach" characterization frustrated those who pointed out that the outcome — complete exposure of proprietary source code containing security-sensitive systems including anti-distillation measures, permission models, 23 bash security checks, and internal API keys — was equivalent in impact to a breach.
The DMCA takedown approach also drew criticism. While legally valid, issuing DMCA notices against GitHub mirrors of accidentally published code struck many in the open-source community as a poor response to a self-inflicted problem. By the time takedowns were processed, the code had been forked, archived, analyzed, and discussed extensively across multiple platforms.
What the Leak Revealed
The exposed source code showed that Claude Code is not the simple CLI tool it appears to be externally. It is a complete distributed agentic harness with capabilities far beyond what is publicly available. Key discoveries include:
- KAIROS daemon mode: A persistent always-on agent (150+ code references) that monitors the developer environment, writes daily logs, and acts proactively with a 15-second blocking budget
- Coordinator Mode: Multi-agent orchestration where one "lead" Claude directs N workers in parallel through 4 phases (Research → Spec → Implementation → Verification)
- Agent Teams / Swarm Mode: Separate CLI processes working as teammates with filesystem-based coordination and peer-to-peer messaging
- Anti-distillation: Injection of fake tool definitions into system prompts to poison competitor training data
- Undercover Mode: System that suppresses all Anthropic traces when employees work on public repositories, with the instruction "Do not blow your cover"
- Buddy System: An ASCII Tamagotchi companion with 18 species, 5 rarity tiers, and RPG stats — planned for April 1 reveal, spoiled by the leak
- 6+ months of roadmap already fully coded behind feature flags
Security Implications for the AI Industry
The double leak (Mythos + source code) within five days raises broader questions about operational security at frontier AI labs. These organizations build some of the most capable and potentially dangerous software in the world. Their internal codebases contain safety mechanisms, permission models, anti-abuse systems, and architectural details that could be exploited if understood by adversaries.
The Claude Code leak specifically exposed:
- 23 bash security checks including the exact Zsh defense model, injection detection patterns, and bypass mitigations
- 5 known CVEs (some pre-existing, some discovered through the leaked code)
- SDK keys hardcoded in source (production, dev, and external keys)
- API key construction pattern: Keys assembled at runtime via
['sk','ant','api'].join('-')to evade their own secret scanner - Native Client Attestation details (the
cch=00000mechanism replaced by Zig-level hash before requests leave the process) - Anti-distillation details now publicly known, allowing competitors to filter out the fake tool injections
For the broader AI industry, the incident demonstrates that build pipeline security deserves the same attention as model security. A source map check in CI would have prevented all three leaks.
Frequently Asked Questions
How many times has Claude Code source been leaked?
Three times. First in February 2025 (18M characters via inline base64 source map), then the Mythos/Capybara internal docs on March 26, 2026 (~3,000 files via misconfigured CMS), and the full source code on March 31, 2026 (512,000 lines via 59.8 MB npm source map). The February 2025 and March 2026 leaks share the same root cause: Bun bundler generating source maps by default.
What is the connection between the Claude Code leak and the axios attack?
On March 31, 2026, between 00:21 and 03:29 UTC, malicious axios npm packages containing a NukeSped RAT were published in a supply chain attack attributed to North Korea's Lazarus Group. Hours later, the Claude Code source map leak was discovered in npm. While unrelated in execution, both incidents occurring on the same day highlighted systemic npm ecosystem vulnerabilities and created an exceptionally challenging day for security teams worldwide.
What did Anthropic say about the leaks?
Anthropic characterized the March 31 source code leak as a "release packaging issue caused by human error, not a security breach." The company issued DMCA takedown notices against GitHub mirrors but the code had already been widely distributed. Fortune described the incident as Anthropic's "second security lapse in days," referencing the Mythos leak five days earlier. Anthropic did not publicly address why build pipeline safeguards were not implemented after the February 2025 incident.
What was exposed in the Claude Code source?
The leak revealed approximately 512,000 lines of TypeScript across 1,900 files. Claude Code was found to be a complete distributed agentic harness, not a simple CLI. Hidden features include KAIROS (always-on daemon mode), Coordinator Mode (multi-agent orchestration), Agent Teams/Swarm Mode, anti-distillation fake tool injection, Undercover Mode for Anthropic employees, a Tamagotchi companion system (Buddy), voice mode, computer use automation, and 6+ months of roadmap coded behind 32 feature flags. Additionally, 330+ environment variables, 22+ runtime feature gates, 184 tool modules, and hardcoded SDK keys were exposed.
Could these leaks have been prevented?
Yes. All source map leaks share the same root cause: Bun bundler generates source maps by default unless explicitly configured otherwise. A standard CI/CD pre-publish check that verifies no .map files are included in npm packages would have prevented both the February 2025 and March 2026 source code leaks. The Mythos CMS leak was a different vector (cloud storage misconfiguration) but similarly preventable with standard access control auditing. Security experts noted the absence of multi-step approval processes in Anthropic's release pipeline.
Frequently Asked Questions
What caused all three Anthropic Claude Code leaks in 2025 and 2026?
All three leaks share the same root cause: Bun bundler generates source maps by default. Without an explicit sourcemap: 'none' build flag, every Claude Code npm publish included .map files with complete TypeScript source. February 2025: an 18M-character base64 source map in cli.mjs. March 31, 2026: a separate 59.8 MB .map file in v2.1.88 exposing 512,000 lines across 1,900 files. Despite 363 npm versions published between the first and third leak, no automated CI/CD pre-publish check was ever added to strip source maps.
Has OpenAI ever suffered a source code leak similar to Anthropic's three npm incidents?
OpenAI has not publicly experienced an accidental npm source map leak of comparable scale or repetition. OpenAI's most notable security incident was a March 2023 ChatGPT data breach affecting user conversation histories — a different attack surface entirely. Anthropic's three leaks via the same Bun bundler default setting, reproducing the exact same build pipeline error 363 npm versions after the first incident, are exceptional for a company whose stated mission centers on AI safety.
What is the Mythos model (codenamed Capybara) that was leaked on March 26, 2026?
Mythos is Anthropic's unreleased next-generation AI model, internally codenamed Capybara (v8). Positioned a tier above the current flagship Claude Opus 4.6, it was exposed in approximately 3,000 internal files via a misconfigured CMS on March 26, 2026. Internal benchmark data revealed a safety regression: false affirmation rates of 29–30% in Capybara v8 versus 16.7% in v4. Fortune published an exclusive report that generated significant market reactions before Anthropic secured the exposed data store.
How many GitHub stars did claw-code reach after the Claude Code leak — and was it taken down?
claw-code, a Python-based Claude Code clone built by Sigrid Jin (GitHub: instructkr) from the leaked architecture, reached 75,700 GitHub stars — described as an all-time platform record. The original mirror accumulated over 41,500 forks. Anthropic issued DMCA takedown notices on GitHub, but decentralized mirrors proliferated, including ccleaks.com, which published the most complete public database of hidden features found in the exposed source code.
Was the Axios npm supply chain attack by Lazarus Group connected to the Anthropic leak?
Both events occurred on March 31, 2026, but appear unrelated. The axios supply chain attack ran from 00:21 to 03:29 UTC and was attributed to Lazarus Group (North Korean state-sponsored, DPRK), distributing a Remote Access Trojan called NukeSped via malicious axios npm versions. The Anthropic Claude Code source map was independently discovered at approximately 04:23 ET by Chaofan Shou of Solayer Labs. The coincidence of a nation-state npm attack and the largest accidental AI source code exposure in history on the same day underscored systemic npm ecosystem vulnerabilities.
What specific data was exposed in the March 31, 2026 Claude Code npm leak?
The 59.8 MB source map in @anthropic-ai/claude-code@2.1.88 exposed approximately 512,000 lines across 1,902 TypeScript files, hosted in a ZIP archive on Cloudflare R2. The code contained 330+ environment variables, 32 compile-time feature flags, 22+ GrowthBook runtime feature gates, and 184 tool modules. Internal system prompt strategies including 'megathink' and 'ultrathink' were also revealed. Within hours of Chaofan Shou's post on X, the discovery thread had accumulated 16 million views.
How does Anthropic's security track record compare to Google DeepMind or Meta AI?
No comparable accidental source code exposures via npm have been publicly documented for Google DeepMind or Meta AI's flagship models. Anthropic's pattern — three leaks via the same Bun bundler misconfiguration over 13 months, with 363 npm versions published between the first and third incident without adding any automated safeguard — is unprecedented. The February 2025 leak even generated a complete GitHub mirror (dnakov/claude-code) within 24 hours, yet the build pipeline was never audited before the March 2026 exposure.
Is Claude Code still safe to use after the March 2026 leaks?
The leaks exposed Anthropic's proprietary source code and internal architecture — not user data or API keys. Claude Code remains operational. However, the public exposure of 330+ environment variable names, 32 compile-time feature flags, 22+ runtime GrowthBook feature gates, 184 tool modules, and internal prompt strategies gives security researchers and potential adversaries detailed visibility into the agent's attack surface, MCP integration points, and AWS Bedrock connectivity patterns.
