Major Anthropic Security Incident: 600,000 Lines of Claude Code Client Source Code Leaked Due to Misconfiguration
On March 31, 2026, a post on the social platform X by security researcher Chaofan Shou revealed a major security lapse by AI unicorn Anthropic. When publishing version v2.1.88 of its coding assistant tool, Claude Code, to the npm repository, the company made a configuration error. It bundled a source map file containing the complete source code mapping, leading to the public exposure of nearly 600,000 lines of the project’s TypeScript source code.
A ‘Digital Striptease’ Caused by a 57MB File

The core of the incident is a file named cli.js.map, approximately 57MB in size. In front-end development, source map files are used for debugging. They can accurately reverse-engineer minified and obfuscated production code back into its original, readable development-stage form, including all variable names, function names, and even comments. According to the fundamental principles of secure software development, such files are strictly forbidden from being deployed to a production environment.
However, the npm package published by Anthropic included this very file. With a few simple steps, anyone could extract the sourcesContent field from the file, thereby obtaining the full content of 1,906 TypeScript source files. Notably, this is the second time Anthropic has leaked code due to the same issue, with the previous incident dating back to February 2025, indicating a persistent vulnerability in its release process management.
Information Dissemination and Community ‘Reverse Engineering’
Once the news of the source code leak broke, it spread rapidly throughout the developer community. Within minutes, the complete code repository was mirrored to GitHub. One such repository, instructkr/claude-code, gained over 9,000 stars in just two hours. Although Anthropic quickly took remedial action—including pulling the problematic version from npm, deleting the related files from cloud storage, and issuing DMCA takedown requests for the mirrored repositories on GitHub—the spread of information was already unstoppable.
A noteworthy subsequent development was that some developers rewrote the leaked TypeScript code’s logic using Python. This move cleverly circumvented the copyright issues associated with directly copying the source code, as the architectural ideas and logic of software itself are not protected by copyright law. This means that even if the original code is deleted, its core design has become public knowledge and cannot be truly ‘recalled’.
What Was Leaked: Unreleased Features and Core Architecture
Analysis of the leaked 600,000 lines of code revealed a vast amount of Anthropic’s internal information, effectively serving as a public product roadmap and technical blueprint.
Key leaked information includes:
- System Architecture and Toolchain: This covered the REPL engine, query engine, tool registry, slash command system, multi-agent coordination logic, state management mechanisms, and Datadog event reporting for telemetry (including user and organization metadata).
- Internal APIs and SDKs: The leak exposed internal API endpoints, JWT authentication logic for the IDE bridge, WebSocket session management, and GrowthBook SDK integration for A/B testing.
- System Prompts: Over 40 complete internal system prompt fragments were made public, revealing the precise prompt engineering behind Claude Code’s intelligent coding capabilities.
- Unreleased Features: The 89 feature flags in the code pointed to several secretly developed features, with four being the most eye-catching:
- Buddy: A pet-like AI companion that resides in the user’s terminal, featuring multiple forms and personalities.
- Kairos: An ‘always-on’ persistent AI agent that can remember across sessions, proactively execute tasks in the background, and even has a ‘dream’ cycle for information processing.
- UltraPlan: A cloud-based deep planning mode that allows Claude to construct complex plans in the cloud, which users then approve locally.
- Coordinator Mode: A client-side multi-agent collaboration system where a primary Claude can spawn multiple worker Claudes to process tasks in parallel.
It is crucial to clarify that this leak only involves the source code of the Claude Code client-side tool. It does not include the underlying AI model weights, training datasets, or backend inference services. Therefore, users’ personal data and the core assets of the model itself were not directly threatened.
The Irony for the ‘Safest AI Company’ and Reflections
The blow to Anthropic’s brand image from this incident far outweighs the direct technical losses. As a company valued at $8 billion that has built its core narrative around ‘AI safety’, its co-founder Dario Amodei once testified before a U.S. Congressional hearing, emphasizing the potential existential risks of AI. The company has long cultivated a public image as the most safety-conscious player in the industry through concepts like ‘Constitutional AI’ and ‘Responsible Scaling’.
However, a configuration error that any mid-level engineer should have spotted in a code review managed to shatter this meticulously constructed safety narrative. This exposes that AI safety is a complex systems engineering problem. It encompasses not only cutting-edge model alignment research but also relies on fundamental and robust software development and security operations (DevSecOps) practices. Overlooking basic security principles in traditional software engineering while pursuing high-level model safety ultimately led to this ‘epic’ failure.
For the entire industry, this incident serves as a wake-up call: as AI systems become increasingly complex, their security perimeter is no longer just the model itself but extends to every part of the lifecycle, from development, testing, and deployment to operations. A single oversight in one area can cause the most cutting-edge technical achievements and trade secrets to go up in smoke.