Anthropic Accidentally Leaks Claude Code's Source Code in an npm Blunder

March 31, 2026

Anthropic accidentally exposed source code for Claude Code on March 31 after a public npm release shipped with a source map file, allowing outsiders to reverse-engineer a large chunk of the company’s closed-source coding assistant. 

Security researcher Chaofan Shou was among the first to publicly flag the bundled cli.js.map file. Anthropic later told The Register in an emailed statement, “This was a release packaging issue caused by human error, not a security breach.” Anthropic’s public changelog currently tops out at 2.1.87, not 2.1.88, and its docs now mark npm installation as deprecated and direct users to the native installer.

That made this more than a routine packaging mistake. Claude Code is not some side project inside Anthropic. The company said in February that Claude Code had already grown to more than $2.5 billion in run-rate revenue, with enterprise use representing more than half of all Claude Code revenue.

There was also a different supply-chain scare in the background. Malicious axios@1.14.1 and axios@0.30.4 were live on npm for a few hours on March 31, giving developers another reason to check lockfiles carefully if they were installing packages in that window, even though the incident could be separate from the Claude Code source leak itself.

The part that really grabbed people was what sat inside the dump. Decrypt reported that the internet quickly archived roughly 512,000 lines of code across 1,900 files, while the cli.js.map file pointed to a downloadable zip archive on Anthropic’s Cloudflare R2 storage bucket. From there, researchers started digging through the agent loop, hooks, permissions, memory systems, tool orchestration, and IDE integrations. 
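A pre-publish check for the packaging failure described above, as an added example that is not from the article or from Anthropic: it scans the files destined for an npm tarball and reports shipped `.map` files, embedded `sourcesContent`, and remote URLs in `sources` or `sourceRoot`. The sample package, its file names and the `example.invalid` URL are constructed, and treating an external pointer as an http(s) URL in those two fields is an assumption, since the article does not say where in the map the pointer sat.

```javascript
// Added example: audit a to-be-published directory for source-map artifacts.
const fs = require("fs"), os = require("os"), path = require("path");

// Recursively list files, skipping node_modules.
function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    if (e.isDirectory()) return e.name === "node_modules" ? [] : walk(p);
    return [p];
  });
}

function auditSourceMaps(pkgDir) {
  const findings = [];
  const add = (file, issue) => findings.push({ file: path.relative(pkgDir, file), issue });
  for (const file of walk(pkgDir)) {
    if (file.endsWith(".map")) {
      let map;
      try { map = JSON.parse(fs.readFileSync(file, "utf8")) || {}; }
      catch { add(file, "unparseable .map file"); continue; }
      // sourcesContent (Source Map v3) carries the original files verbatim.
      const embedded = [].concat(map.sourcesContent || []).filter((s) => typeof s === "string").length;
      // Assumption: an external pointer would show up as an http(s) URL here.
      const remote = [map.sourceRoot].concat(map.sources || [])
        .filter((s) => typeof s === "string" && /^https?:\/\//i.test(s)).length;
      if (embedded) add(file, `embeds ${embedded} original source file(s)`);
      if (remote) add(file, `references ${remote} remote URL(s)`);
      if (!embedded && !remote) add(file, "source map shipped (paths and names only)");
    } else if (/\.[cm]?js$/.test(file)) {
      // The bundle's trailing comment tells tools where to find the map.
      const tail = fs.readFileSync(file, "utf8").slice(-512);
      if (/\/\/[#@]\s*sourceMappingURL=/.test(tail)) add(file, "sourceMappingURL comment in bundle");
    }
  }
  return findings;
}

// Constructed sample package (all names and the URL are made up).
function buildSamplePackage() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "pkg-audit-"));
  fs.writeFileSync(path.join(dir, "cli.js"), "console.log(1);\n//# sourceMappingURL=cli.js.map\n");
  fs.writeFileSync(path.join(dir, "cli.js.map"), JSON.stringify({
    version: 3, file: "cli.js", sources: ["src/main.ts", "https://example.invalid/src.zip"],
    sourcesContent: ["export const x = 1;", null], names: [], mappings: "AAAA" }));
  fs.writeFileSync(path.join(dir, "index.js"), "module.exports = {};\n");
  return dir;
}

for (const f of auditSourceMaps(buildSamplePackage())) console.log(`${f.file}: ${f.issue}`);
```

Run it in CI against the directory that gets packed, and fail the release job when the findings list is non-empty.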

Some of the louder claims online go further, pointing to features or flags such as KAIROS, Undercover Mode, Buddy, and what outside analysts described as a “Self-Healing Memory” system for handling “context entropy.” Those details are now part of the public conversation, but they still come from post-leak analysis rather than official Anthropic confirmation.

The timing makes the leak worse. It landed just days after a separate Anthropic lapse exposed nearly 3,000 unpublished CMS assets, including details of its upcoming Claude Mythos model. That earlier leak also rattled investors and helped push cybersecurity stocks lower. 

Now the Claude Code dump is colliding with another reality of proprietary software leaks: mirrors and reposts are already drawing DMCA pressure even as copies keep spreading.

Y. Anush Reddy

Y. Anush Reddy is a contributor to this blog.