{"id":453,"date":"2026-04-01T07:28:20","date_gmt":"2026-04-01T07:28:20","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=453"},"modified":"2026-04-01T07:28:20","modified_gmt":"2026-04-01T07:28:20","slug":"claude-code-source-leaked-via-npm-packaging-error-anthropic-confirms","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=453","title":{"rendered":"Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 01, 2026<\/span><\/span>Data Breach \/ Artificial Intelligence<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error.<\/p>\n

\u00abNo sensitive customer data or credentials were involved or exposed,\u00bb an Anthropic spokesperson said<\/a> in a statement shared with CNBC News. \u00abThis was a release packaging issue caused by human error, not a security breach. We\u2019re rolling out measures to prevent this from happening again.\u00bb<\/p>\n

The discovery came after the AI upstart released version 2.1.88<\/a> of the Claude Code npm package, with users spotting that it contained a source map file that could be used to access Claude Code’s source code \u2013 comprising nearly 2,000 TypeScript files and more than 512,000 lines of code. The version is no longer available for download from npm.<\/p>\n

Security researcher Chaofan Shou was the first to publicly flag<\/a> it on X, stating \u00abClaude code source code has been leaked via a map file in their npm registry!\u00bb The X post has since amassed more than 28.8 million views. The leaked codebase remains accessible via a public GitHub repository<\/a>, where it has surpassed 84,000 stars and 82,000 forks.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

A source code leak of this kind is significant, as it gives software developers and Anthropic’s competitors a blueprint for how the popular coding tool works. Users who have dug into the code<\/a> have published details of its self-healing memory architecture<\/a> to overcome the model’s fixed context window constraints<\/a>, as well as other internal components.<\/p>\n

<\/p>\n

These include<\/a> a tools system to facilitate various capabilities like file read or bash execution, a query engine to handle LLM API calls and orchestration, multi-agent orchestration to spawn \u00absub-agents\u00bb or swarms to carry out complex tasks, and a bidirectional communication layer that connects IDE extensions to Claude Code CLI.<\/p>\n

The leak has also shed light on a feature called KAIROS<\/a> that allows Claude Code to operate as a persistent, background agent that can periodically fix errors or run tasks on its own without waiting for human input, and even send push notifications to users. Complementing this proactive mode is a new \u00abdream\u00bb mode<\/a> that will allow Claude to constantly think in the background to develop ideas and iterate existing ones.<\/p>\n

\"\"<\/a><\/div>\n

Perhaps the most intriguing detail is the tool’s Undercover Mode for making \u00abstealth\u00bb contributions to open-source repositories. \u00abYou are operating UNDERCOVER in a PUBLIC\/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover,\u00bb reads the system prompt.\u00a0<\/p>\n

Another fascinating finding involves Anthropic’s attempts to covertly fight model distillation attacks. The system has controls in place<\/a> that inject fake tool definitions into API requests to poison training data if competitors attempt to scrape Claude Code’s outputs.<\/p>\n

Typosquat npm Packages Pushed to Registry<\/h3>\n

With Claude Code’s internals now laid bare, the development risks provide bad actors with ammunition to bypass guardrails and trick the system into performing unintended actions, such as running malicious commands or exfiltrating data.<\/p>\n

\u00abInstead of brute-forcing jailbreaks and prompt injections, attackers can now study and fuzz exactly how data flows through Claude Code’s four-stage context management pipeline and craft payloads designed to survive compaction, effectively persisting a backdoor across an arbitrarily long session,\u00bb AI security company Straiker said<\/a>.<\/p>\n

The more pressing concern is the fallout from the Axios supply chain attack, as users who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC may have pulled with it a trojanized version of the HTTP client that contains a cross-platform remote access trojan. Users are advised to immediately downgrade to a safe version and rotate all secrets.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

What’s more, attackers are already capitalizing on the leak to typosquat internal npm package names in an attempt to target those who may be trying to compile the leaked Claude Code source code and stage dependency confusion attacks. The names of the packages, all published by a user named \u00abpacifier136<\/a>,\u00bb are listed below –<\/p>\n