The Claude Code leak: 512,000 lines, one misconfigured file, and the future of AI IP protection

building infra so agents can use your SaaS @Hintas

At roughly 4 AM UTC on March 31, 2026, Anthropic pushed version 2.1.88 of its @anthropic-ai/claude-code package to the npm registry. Inside was a 59.8 MB source map file that should never have shipped. That single file contained pointers to the complete, unobfuscated TypeScript source of Claude Code: 512,000 lines across 1,906 files, referencing a zip archive sitting on a publicly accessible Cloudflare R2 bucket with no authentication required.

By 4:23 UTC, security researcher Chaofan Shou flagged the discovery on X. The tweet pulled 16 million views. Within two hours, a clean-room rewrite repository hit 50,000 GitHub stars and 41,500 forks. By the time Anthropic pulled the package around 8 AM UTC, the source had been mirrored to decentralized hosting, rewritten in Python and Rust, and dissected by tens of thousands of developers worldwide.

This wasn't a hack. It was a packaging mistake. And it might be the most expensive .npmignore omission in history.

Three failures, one catastrophe

The leak wasn't one misconfiguration. It was three, stacked on top of each other. Any one of them alone would probably have been caught. All three together blew the doors open.

Claude Code's .npmignore file didn't exclude *.map files. Source maps are debugging artifacts that map compiled JavaScript back to original source code. They're standard in development. They have no business in a production npm package. This kind of mistake happens to open-source projects all the time, but for a company guarding proprietary AI agent architecture worth $2.5 billion in annual recurring revenue, it hits differently.

The source maps didn't contain the code inline, either. They referenced a Cloudflare R2 bucket hosting a zip of the original TypeScript. That bucket required no authentication. Anyone with the URL could download everything. The .map file was literally a map to the treasure, and the chest was unlocked.

And then there's the Bun angle. Anthropic acquired Bun, the JavaScript runtime, and used its bundler for Claude Code builds. Bun had an open issue (#28001, filed March 11, 2026) reporting that source maps were being generated in production builds despite documentation saying otherwise. The bug sat unfixed for 20 days. Anthropic's own recently acquired toolchain worked against them.

Security researcher Roy Paz noted the breach likely resulted from bypassed release safeguards, comparing proper procedures to "a vault requiring several keys to open." At Anthropic, several of those keys were apparently left in the lock.

What the code revealed

The leaked source wasn't boilerplate. It was a production AI agent architecture, and the community tore through it fast.

The tools system spans roughly 29,000 lines and includes BashTool, FileReadTool, WebFetchTool, LSPTool, and MultiEditTool, all with granular permission-gating. This is the layer that decides what Claude Code can and can't touch on your machine. The query engine, at 46,000 lines, handles LLM calls, token caching, context management, and multi-agent orchestration. These two subsystems are the core of how a production AI coding agent works, from prompt routing to file system access.

But the real headlines came from 44 hidden feature flags, over 20 of which pointed to unreleased capabilities.

KAIROS is a persistent background daemon with an autoDream memory consolidation feature. It runs continuously, fixing errors and sending notifications without the user starting a conversation. Claude Code that doesn't wait for you to ask.

ULTRAPLAN references 30-minute remote reasoning sessions via a Cloud Container Runtime. Anthropic is apparently building infrastructure for Claude Code to offload long-running planning tasks to remote servers rather than running everything locally.

Coordinator Mode is multi-agent orchestration infrastructure: spawning and managing sub-agents for complex tasks. Agents that delegate to other agents.

And then there's BUDDY. A Tamagotchi-style AI pet with 18 species and deterministic per-user assignment, with an April 1-7 rollout window. Not every feature flag is about the future of computing.

The weirder discoveries sat deeper in the code. An anti-distillation system injects fake tool definitions to corrupt competitor training data if someone tries to distill Claude Code's behavior. An "Undercover Mode" prevents Claude Code from mentioning internal codenames when contributing to external repositories, so AI-authored commits carry no disclosure of AI authorship. And there's a frustration detection system that regex-matches against 50+ common expletives to adjust behavior when users start swearing at it.

The timing couldn't have been worse

The leak didn't happen in isolation. On the same day, at nearly the same hour, attackers hijacked the npm account of the lead Axios maintainer and published malicious versions of one of npm's most-downloaded packages. The poisoned Axios versions (1.14.1 and 0.30.4) contained a cross-platform Remote Access Trojan deployed through a dependency called plain-crypto-js.

The attack window ran from 00:21 to 03:29 UTC on March 31. Anyone who installed Claude Code via npm during that window may have pulled in the compromised Axios as a transitive dependency. Two completely separate incidents on the same registry, same day, compounding each other's blast radius.

It gets worse. Threat actors immediately began typosquatting internal package names found in the leaked source: audio-capture-napi, color-diff-napi, image-processor-napi, modifiers-napi, and url-handler-napi. Developers attempting to rebuild Claude Code from the leaked source were being targeted before the day was out. Others deployed fake Claude Code repositories distributing Vidar Stealer and GhostSocks malware via Rust-based droppers.

And this was Anthropic's second leak in days. Just before the code incident, nearly 3,000 documents about an unreleased model codenamed Mythos (part of a new tier called Capybara) were found in a publicly searchable data cache. The leaked Claude Code source confirmed these codenames, linking the two incidents in the public mind even though they were technically unrelated.

The free engineering education

An Anthropic spokesperson told Fortune: "No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach."

That's accurate but understates the damage. The code didn't contain model weights or customer data. What it contained was architecture. The memory efficiency model. The permission-gating framework. The context management approaches. The multi-agent orchestration patterns. Every competitor would have paid real money for this.

Every rival lab got a free masterclass in how Anthropic builds production AI tooling. The three-layer memory system (lightweight index via MEMORY.md, topic files loaded on demand, raw transcripts searched via grep) is a clever solution to context window limitations that others can now just copy. The tools permission model shows exactly how to gate file system and network access in an AI agent. The query engine reveals token caching strategies that took years of iteration.

One leaked comment revealed that Claude Code burns 250,000 API calls per day globally on failed auto-compaction alone. That kind of operational detail tells competitors exactly where the performance bottlenecks are.

DMCA whack-a-mole

Anthropic moved fast on takedowns. GitHub complied immediately with DMCA requests, pulling mirrors as they appeared. But the internet doesn't forget, and it definitely doesn't comply.

Decentralized mirrors on platforms like Gitlawb explicitly claimed permanent hosting outside DMCA jurisdiction. A Python rewrite was framed as clean-room original work, exploiting the legal ambiguity around AI-generated code and clean-room reverse engineering. Torrents ensured the source would remain available indefinitely.

The DMCA strategy faces a basic problem: the code is out. You can take down individual mirrors, but you can't un-ring a bell that 50,000 developers heard. The architectural insights are already internalized. The patterns are already being reimplemented. The competitive advantage was never in the specific lines of TypeScript anyway. It was in the design decisions those lines encode. And those are now public knowledge.

What this means for you

If you're building AI-powered tools and shipping them through package registries, this is a direct cautionary tale.

Start with your build pipeline. Check your .npmignore (or .gitignore if you're using npm's files field). Search for *.map files in your published packages. Run npm pack --dry-run and actually read the file list. If you're using Bun, verify source map behavior explicitly rather than trusting defaults. Source maps are debugging tools that contain your original source. They should never ship to production registries. Add a CI check: if a .map file appears in the package tarball, the build fails.
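One way to turn that CI check into code, as an added example that is not Anthropic's or npm's own tooling: it reads the file list that `npm pack --dry-run --json` prints, then audits the files that would ship for .map files, for maps whose `sources` or `sourceRoot` point at remote storage, and for bundles carrying inline or remote `sourceMappingURL` pointers. The sample package contents and the bucket URL are constructed placeholders.

```javascript
// Added example (not Anthropic's or npm's code): audit what `npm pack` would
// ship for the source-map pointers described above. Sample data is constructed.

// Trailing comment bundlers append to point a bundle at its source map.
const SOURCEMAP_URL_RE = /\/\/[#@]\s*sourceMappingURL=(\S+)/g;
const REMOTE_RE = /^https?:\/\//i;

// `npm pack --dry-run --json` prints an array of tarball summaries, each with
// a `files` array of { path, size, mode }. Return the paths that would ship.
function packedPaths(npmPackJson) {
  return JSON.parse(npmPackJson).flatMap(t => t.files.map(f => f.path));
}

// Audit the files that would ship. `entries` is [{ path, content }]; an empty
// result means nothing in the tarball points back at the original source.
function auditPackedFiles(entries) {
  const findings = [];
  const flag = (path, issue) => findings.push({ path, issue });
  for (const { path, content } of entries) {
    if (path.endsWith('.map')) {
      flag(path, 'source map shipped in package');
      try {
        // Where does the map say the original source lives?
        const map = JSON.parse(content);
        const refs = [map.sourceRoot || '', ...(map.sources || [])];
        if (refs.some(r => REMOTE_RE.test(r))) flag(path, 'map points at remote source storage');
        if ((map.sourcesContent || []).length) flag(path, 'map embeds original source inline');
      } catch (_) { /* not valid JSON; the .map itself is already flagged */ }
      continue;
    }
    for (const m of content.matchAll(SOURCEMAP_URL_RE)) {
      if (m[1].startsWith('data:')) flag(path, 'inline source map embedded in bundle');
      else if (REMOTE_RE.test(m[1])) flag(path, 'bundle points at remote source map');
    }
  }
  return findings;
}

// Constructed stand-in for a bundler's output; not a real package.
const SAMPLE_PACK_JSON = JSON.stringify([{ files: ['package.json', 'cli.js', 'cli.js.map']
  .map(p => ({ path: p, size: 1, mode: 420 })) }]);
const SAMPLE_ENTRIES = [
  { path: 'package.json', content: '{"name":"example-cli"}' },
  { path: 'cli.js', content: 'console.log(1);\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: JSON.stringify({ version: 3, mappings: 'AAAA',
      sourceRoot: 'https://PLACEHOLDER-bucket.example/src/', sources: ['main.ts'] }) },
];
```

In CI, feed it the real tarball contents and fail the job whenever the findings array is non-empty.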

Then look at your storage. If your build artifacts reference external storage like CDNs, R2, or S3, those endpoints need authentication. Publicly accessible buckets containing source code are a ticking clock regardless of whether anyone has the URL yet.

Pin your dependencies and audit your lockfile. The Axios supply chain attack hit the same day. If you installed Claude Code via npm during the attack window, rotate your credentials and audit for unauthorized access. SLSA attestations and provenance checks should be part of your dependency management by now.
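The lockfile audit as an added example (not npm's or Anthropic's tooling): it walks a package-lock.json, including nested transitive copies, and reports any package matching the poisoned Axios versions, the plain-crypto-js dependency, or the typosquatted names listed above. The sample lockfile is constructed.

```javascript
// Added example (not npm's or Anthropic's tooling): scan a package-lock.json
// for the indicators named in the post. The sample lockfile is constructed.

// Poisoned Axios releases, the dependency the RAT was delivered through, and
// the typosquatted internal package names, all as given in the post.
const COMPROMISED_VERSIONS = { axios: ['1.14.1', '0.30.4'] };
const SUSPICIOUS_NAMES = new Set(['plain-crypto-js', 'audio-capture-napi',
  'color-diff-napi', 'image-processor-napi', 'modifiers-napi', 'url-handler-napi']);

// Lockfile v2/v3 keys every installed package by its node_modules path, e.g.
// "node_modules/some-cli/node_modules/axios" for a transitive copy. The name
// is whatever follows the last "node_modules/" (scopes keep their "@scope/").
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Return every installed copy, including nested transitive ones, that matches
// a compromised version or a suspicious name. An empty array means no hits.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name) continue; // "" is the root project entry
    const version = meta.version || '';
    if ((COMPROMISED_VERSIONS[name] || []).includes(version)) {
      hits.push({ lockPath, name, version, reason: 'compromised release' });
    }
    if (SUSPICIOUS_NAMES.has(name)) {
      hits.push({ lockPath, name, version, reason: 'typosquat or dropper dependency' });
    }
  }
  return hits;
}

// Constructed lockfile: the top-level axios is fine, but a transitive copy
// under some-cli is a poisoned version and pulls in plain-crypto-js.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/axios': { version: '1.7.9' },
  'node_modules/some-cli': { version: '2.0.0' },
  'node_modules/some-cli/node_modules/axios': { version: '1.14.1' },
  'node_modules/some-cli/node_modules/plain-crypto-js': { version: '0.0.1' },
} });
```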

And think about your distribution model. Anthropic now recommends its native installer over npm for Claude Code. If your product's IP is in its source code and you're distributing through a public registry that ships raw JavaScript, you're one misconfigured file away from the same headline.

The Claude Code leak is a reminder that AI IP protection isn't a model security problem. It's a DevOps problem. The most sophisticated AI agent architecture in the industry was undone by a missing line in a config file, a known bug in a bundler, and a storage bucket without a password. All those anti-distillation countermeasures and stealth mode features? Irrelevant if the source ships in the package.

We keep seeing the same pattern while building workflow infrastructure: security in the AI tooling ecosystem is only as strong as the weakest link in the chain. Today that chain includes npm registries, bundler defaults, cloud storage permissions, and every transitive dependency your package pulls in. The leak is permanent. The lessons don't have to be.


If you're interested in early access, reach out at hintas.com.

