
Claude Code Source Code Leak: 512,000 Lines of TypeScript Exposed

Five days after the Mythos leak, Anthropic accidentally exposed Claude Code's entire source code via an npm packaging error — 1,900 files, 512,000 lines.

Published on April 1, 2026 · Claude Mythos

TL;DR: On March 31, 2026, security researcher Chaofan Shou discovered that version 2.1.88 of the @anthropic-ai/claude-code npm package shipped with a 59.8 MB JavaScript source map file. That map pointed to a publicly accessible zip archive on Anthropic’s Cloudflare R2 storage bucket. The archive contained approximately 1,900 TypeScript files totaling over 512,000 lines of code, including 44 feature flags for unreleased capabilities. A backup repository was forked more than 41,500 times before Anthropic could respond. The company called it “a release packaging issue caused by human error, not a security breach.” Fortune called it Anthropic’s second major security breach in five days.

Five Days After Claude Mythos: Another Anthropic Leak

On March 26, 2026, a CMS misconfiguration exposed roughly 3,000 unpublished Anthropic assets to the public internet, including draft documentation describing the Claude Mythos model. That incident triggered a cybersecurity stock selloff estimated at $400 billion in market capitalization. Anthropic’s post-incident messaging described it as an internal publishing error.

Five days later, on March 31, it happened again.

This time the vector was not a CMS. It was npm, the package manager used by millions of JavaScript developers worldwide. Fortune characterized the Claude Code exposure as Anthropic’s “second major security breach” in under a week. Anthropic disputed the word “breach.” The distinction between a breach and a packaging error matters legally, but for the purposes of what ended up publicly accessible, the practical difference was negligible.

How the Claude Code Source Code Was Exposed

Version 2.1.88 of the @anthropic-ai/claude-code npm package was published with a JavaScript source map file included in the distribution bundle. The file was 59.8 MB, anomalously large for a production package. Source map files are development artifacts that map minified or bundled JavaScript back to the original source code. They are routinely excluded from production builds.

The source map did not contain the full source code directly. Instead, it referenced a zip archive hosted on one of Anthropic’s Cloudflare R2 storage buckets. The bucket URL was publicly accessible without authentication. Anyone who inspected the source map could follow the reference to the archive.

The zip archive contained approximately 1,900 TypeScript files totaling more than 512,000 lines of code. This represented the complete source tree for Claude Code, Anthropic’s command-line AI coding assistant. The files included application logic, internal tooling, configuration schemas, agent orchestration code, and unreleased feature definitions.

The chain of exposure was straightforward: a build pipeline failed to strip the source map from the published package, and the storage bucket the map referenced lacked access controls. Neither problem alone would have resulted in a full source code exposure. Together, they created one.
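To make the two failure points concrete, here is an added example written for this page; it is not Anthropic's build tooling and not the actual leaked map. It is a small Node.js pre-publish audit that walks the set of files about to be published, flags any source map, and inspects each map for the pattern described above: a map that does not hold the code itself but points at an externally hosted location through `sourceRoot` or a `sources` entry. The file names, the `example-bucket.invalid` URL and the 5 MB size threshold are constructed placeholders.

```javascript
// Added example (not Anthropic's code): pre-publish audit of an npm publish set.
// Findings: any .map file at all; maps over a size threshold; maps whose
// sourceRoot or sources entries are remote http(s) URLs; maps that embed the
// original source text via sourcesContent.
const MAP_SIZE_LIMIT_BYTES = 5 * 1024 * 1024; // assumed threshold, not from the article

const REMOTE_URL = /^https?:\/\//i;

// Inspect one parsed source map object and return human-readable findings.
function auditSourceMap(name, map, sizeBytes) {
  const findings = [];
  if (sizeBytes > MAP_SIZE_LIMIT_BYTES) {
    findings.push(`${name}: source map is ${sizeBytes} bytes, above limit`);
  }
  if (typeof map.sourceRoot === 'string' && REMOTE_URL.test(map.sourceRoot)) {
    findings.push(`${name}: sourceRoot points to remote URL ${map.sourceRoot}`);
  }
  for (const src of map.sources || []) {
    if (REMOTE_URL.test(src)) {
      findings.push(`${name}: source entry references remote URL ${src}`);
    }
  }
  if (Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean)) {
    findings.push(`${name}: embeds original source text (sourcesContent)`);
  }
  return findings;
}

// Audit a publish set shaped as { path: { size, content } }.
// A .map file in the set is a finding on its own; its contents are then inspected.
function auditPackageFiles(files) {
  const findings = [];
  for (const [path, { size, content }] of Object.entries(files)) {
    if (!path.endsWith('.map')) continue;
    findings.push(`${path}: source map included in publish set`);
    let parsed;
    try {
      parsed = JSON.parse(content);
    } catch {
      findings.push(`${path}: not valid JSON`);
      continue;
    }
    findings.push(...auditSourceMap(path, parsed, size));
  }
  return findings;
}

// Constructed sample publish set: a bundle plus an oversized map whose
// sourceRoot and one sources entry point at a placeholder remote bucket.
const SAMPLE_FILES = {
  'cli.js': { size: 1200, content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map' },
  'cli.js.map': {
    size: 60 * 1024 * 1024,
    content: JSON.stringify({
      version: 3,
      file: 'cli.js',
      sourceRoot: 'https://example-bucket.invalid/build/',
      sources: ['src/index.ts', 'https://example-bucket.invalid/src.zip'],
      names: [],
      mappings: 'AAAA',
    }),
  },
};

// Constructed clean set with no map: should produce no findings.
const CLEAN_FILES = {
  'cli.js': { size: 1200, content: 'console.log("hi");' },
};

for (const finding of auditPackageFiles(SAMPLE_FILES)) {
  console.log(finding);
}
```

In a real pipeline the publish set would come from `npm pack --dry-run --json`, which lists exactly the files npm would upload, and a non-empty findings list would fail the release step. The size and remote-URL checks are deliberately separate from the "any .map file" check: the first catches the anomaly the researcher noticed (an unusually large artifact), the second catches a map that is small on disk but acts as a pointer to something hosted elsewhere.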

Who Discovered the Claude Code Leak

Chaofan Shou, a security researcher, identified the exposure on Tuesday morning, March 31. Shou publicly disclosed the finding, noting the unusual size of the source map file and the accessible R2 bucket URL.

Within hours of the disclosure, multiple parties began mirroring the source code. A backup repository appeared on GitHub and was forked more than 41,500 times before Anthropic could issue takedown requests. The speed of the forking made complete removal from public access effectively impossible. Cached copies, forks, and secondary mirrors ensured the code would persist regardless of any subsequent takedown efforts.

The rapid propagation followed a pattern familiar from prior source code exposures: once a repository reaches a critical mass of forks on a platform like GitHub, the content becomes practically irrevocable. Anthropic’s window for containment was measured in hours, and the response did not come within that window.

What Was Inside Claude Code’s Source

The exposed codebase revealed significant details about Claude Code’s architecture and development roadmap. Most notably, researchers cataloged 44 distinct feature flags referencing capabilities that had not been publicly announced or documented.

Four feature flags attracted the most attention:

KAIROS was referenced more than 150 times across the codebase. The flag pointed to an autonomous daemon mode, a persistent background process that would allow Claude Code to operate continuously without direct user prompting. The scope of the references suggested KAIROS was among the most actively developed unreleased features. A detailed analysis is available at Claude Code KAIROS Daemon Mode.

BUDDY described a terminal pet system with 18 distinct species. The feature appeared to be a morale or engagement tool, rendering animated companions in the terminal interface during coding sessions. Its inclusion in the codebase of a professional developer tool generated considerable commentary.

COORDINATOR MODE referenced the ability to spawn parallel worker agents from a single Claude Code session. The implementation suggested a multi-agent architecture where a primary agent could delegate subtasks to secondary agents running concurrently.

ULTRAPLAN described a remote multi-agent planning system designed for complex tasks estimated at 10 to 30 minutes of execution time. The feature appeared to coordinate multiple agents working in parallel on different components of a larger task, with a centralized planning layer managing dependencies and sequencing.

A comprehensive breakdown of all 44 feature flags is available at Claude Code Leaked Feature Flags.

Anthropic’s Response to the Claude Code Leak

Anthropic’s official statement described the incident as “a release packaging issue caused by human error, not a security breach.” The company emphasized that no customer data, API keys, or credentials were included in the exposed source code. The exposure was limited to Anthropic’s own proprietary application code.

The framing was notably similar to the language used five days earlier in response to the Mythos CMS leak, which Anthropic had also attributed to an internal error rather than an external attack or systemic vulnerability. In both cases, the company drew a sharp distinction between accidental exposure and a security breach, a distinction that some security researchers and journalists questioned.

Anthropic did not disclose how long the source map had been included in published versions of the package, whether versions prior to 2.1.88 were also affected, or what specific changes to the build pipeline caused the file to be included. The company stated that the issue had been remediated and that the R2 bucket was no longer publicly accessible.

No timeline was provided for an internal review or post-mortem. Anthropic did not address the 41,500+ forks or the practical impossibility of removing the code from public circulation.

What the Claude Code Leak Means for Developers

The open source community’s reaction was mixed. Some developers expressed concern about the security implications of a major AI company failing to audit its own npm publishing pipeline. Others viewed the exposure as an unexpected opportunity to understand how Anthropic builds its AI-powered developer tools.

The leaked source code provided the first detailed look at how Claude Code orchestrates interactions between a large language model and local development environments. The agent architecture, tool-use patterns, and prompt engineering strategies embedded in the codebase became subjects of immediate analysis by developers and researchers.

The incident also reignited a recurring tension in the AI tooling space: the gap between closed-source commercial AI products and the developer communities that depend on them. Claude Code is not open source. Its users interact with it as a black box. The accidental exposure gave those users visibility into decisions that directly affect their workflows, from how context is managed to how tool calls are prioritized.

Whether that transparency was constructive or damaging depends on perspective. For Anthropic, it was an unplanned disclosure of proprietary technology and unreleased product strategy. For the developer community, it was an unfiltered look at the engineering behind a tool they use daily. Both readings are valid. Neither changes the fact that the code is now permanently in public circulation.
