Claude Source Code Accidentally Leaked Through NPM Package Error
- Apr 1
Key Findings
- Anthropic confirmed Claude Code source code was accidentally exposed via npm package version 2.1.88 due to human error in packaging, not a security breach
- Nearly 2,000 TypeScript files and over 512,000 lines of code were leaked through a source map file and quickly spread across public repositories
- The leaked codebase revealed advanced features including KAIROS autonomous daemon mode, self-healing memory architecture, Undercover Mode for stealth contributions, and anti-distillation defenses
- A concurrent supply chain attack trojanized the HTTP client in versions downloaded between 00:21 and 03:29 UTC on March 31, 2026, requiring users to downgrade and rotate secrets
- Attackers are already typosquatting internal npm packages to stage dependency confusion attacks against developers attempting to compile the leaked code
Background
Anthropic discovered the leak after releasing Claude Code version 2.1.88 to npm on March 31, 2026. Security researcher Chaofan Shou was the first to publicly flag the exposure on X, noting that a source map file shipped in the package exposed the entire codebase. The post went viral with over 28.8 million views. The leaked code was immediately saved to a public GitHub repository that accumulated more than 78,000 stars and 77,200 forks within hours.
Exposed Technical Architecture
Analysis of the leaked code revealed Claude Code's internal systems. The tool uses a sophisticated four-stage context management pipeline with a self-healing memory architecture that maintains a small index of pointers rather than storing complete data, retrieving information only when needed. This allows the system to operate within the model's fixed context window constraints while maintaining accuracy through continuous verification against real data.
The codebase also exposed a tools system facilitating capabilities like file reading and bash execution, a query engine for LLM API calls and orchestration, and multi-agent orchestration enabling the creation of sub-agents or swarms for complex tasks. A bidirectional communication layer connects IDE extensions to Claude Code's command-line interface.
Advanced Features Revealed
The leaked source code illuminated several unreleased and internal features. KAIROS, referenced over 150 times in the codebase, transforms Claude Code from a reactive tool into an always-on autonomous daemon that operates in the background, performing periodic fixes and task execution without waiting for user input. It includes a process called autoDream that performs memory consolidation during idle periods, merging observations and converting insights into actionable facts.
A companion "dream" mode allows Claude to constantly think in the background to develop and iterate ideas. Perhaps most controversial is Undercover Mode, which enables Claude Code to make stealth contributions to open-source repositories with system prompts explicitly instructing it not to reveal Anthropic-internal information in commit messages or pull requests.
Security Defenses and Countermeasures
The leak exposed Anthropic's anti-distillation defenses designed to combat model scraping attacks. The system injects fake tool definitions into API requests to poison training data if competitors attempt to extract Claude Code's outputs. This defensive measure underscores Anthropic's concerns about competitors reverse-engineering the tool's capabilities through output analysis.
Supply Chain Attack Implications
The incident was compounded by a concurrent supply chain attack that trojanized versions of Claude Code's HTTP client. Users who installed or updated the package via npm between 00:21 and 03:29 UTC on March 31, 2026, pulled a compromised version containing a cross-platform remote access trojan. Anthropic advised affected users to downgrade immediately to a safe version and rotate all secrets. This attack represents a critical secondary breach that could give malicious actors direct system access independent of the source code exposure.
Typosquatting Campaign
Security researchers documented attackers rapidly exploiting the leak through dependency confusion attacks. A user named pacifier136 published empty stub packages with names mimicking Anthropic's internal npm dependencies: audio-capture-napi, color-diff-napi, image-processor-napi, modifiers-napi, and url-handler-napi. Security researcher Clément Dumas noted these packages initially contained only empty exports but would likely receive malicious updates targeting developers attempting to compile the leaked source code.
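As an added defensive check (not code from the article or from any of the cited sources), the script below audits an npm v3 lockfile for the five package names the typosquatter published and flags any of them that resolved from the public registry rather than a private one, which is the tell-tale sign of a dependency-confusion pull. The lockfile content is constructed sample data and the private registry hostname is a placeholder.

```javascript
// Package names published by the typosquatter, as listed in the reporting above.
const SQUATTED_NAMES = new Set([
  "audio-capture-napi", "color-diff-napi", "image-processor-napi",
  "modifiers-napi", "url-handler-napi",
]);

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Constructed sample lockfile (lockfileVersion 3). One internal-style name was
// resolved from the public registry, one from a placeholder private registry.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "color-diff-napi": "^0.0.1", lodash: "^4.17.21" } },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
    "node_modules/color-diff-napi": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/color-diff-napi/-/color-diff-napi-0.0.1.tgz",
    },
    "node_modules/url-handler-napi": {
      version: "1.0.0",
      resolved: "https://npm.internal.example/url-handler-napi/-/url-handler-napi-1.0.0.tgz",
    },
  },
};

// Walk every installed package entry; the package name is the part of the
// lockfile path after the last "node_modules/" (handles nesting and scopes).
function auditLockfile(lock, watchList = SQUATTED_NAMES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!watchList.has(name)) continue;
    const resolved = entry.resolved || "";
    findings.push({
      name, version: entry.version, resolved,
      fromPublicRegistry: resolved.startsWith(PUBLIC_REGISTRY),
    });
  }
  return findings;
}

// Names on the watch list that were fetched from the public registry: these
// installs should be treated as untrusted and removed.
function confusedPackages(lock) {
  return auditLockfile(lock).filter((f) => f.fromPublicRegistry).map((f) => f.name);
}
```

Run against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a non-empty result from `confusedPackages` means the install pulled a squatted name from npmjs.org.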
Risk Assessment for Adversaries
The source code exposure provides attackers with a technical blueprint previously unavailable. Rather than attempting brute-force jailbreaks, adversaries can now study the exact data flow through Claude Code's context management pipeline and craft payloads designed to survive compaction and persist across extended sessions. Security company Straiker warned that attackers could effectively inject backdoors into long-running sessions by exploiting knowledge of internal architecture.
Pattern of Internal Security Lapses
This incident represents the second major security failure for Anthropic within a week. The previous week saw details about the company's upcoming AI model, codenamed Numbat, along with other internal data, left accessible via Anthropic's content management system. These successive incidents suggest systemic issues with internal access controls and operational security practices.
Sources
https://thehackernews.com/2026/04/claude-code-tleaked-via-npm-packaging.html
https://securityaffairs.com/190229/data-breach/anthropic-accidentally-leaks-claude-code.html
https://www.bleepingcomputer.com/news/artificial-intelligence/claude-code-source-code-accidentally-leaked-in-npm-package/