Summary
On March 31, 2026, Anthropic accidentally published the full source code for Claude Code to the public npm registry. The leak consisted of nearly 2,000 TypeScript files and 512,000 lines of code, including unreleased feature flags, internal model codenames, and performance data. The code spread across GitHub within hours before Anthropic issued takedown requests. Anthropic confirmed the incident was a packaging error, not a security breach, but the damage was done: competitors and researchers now have a detailed roadmap of one of the most commercially significant AI products in the market.
What Happened
When Anthropic pushed version 2.1.88 of the Claude Code npm package on March 31, a misconfigured build process accidentally included a JavaScript source map file that pointed to a publicly accessible zip archive containing the full Claude Code codebase. Security researcher Chaofan Shou spotted it within hours and posted the discovery on X with a direct download link. By the time Anthropic acted, the 59.8 MB codebase had been mirrored thousands of times across GitHub.
Anthropic confirmed the incident in a statement to multiple outlets. As Axios reported, the company said: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”
Anthropic subsequently issued copyright takedown requests to GitHub. Bloomberg reported that the takedowns initially swept up more repositories than intended and were later scaled back significantly. By that point, the code was already widely distributed and permanently in the wild.
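A pre-publish check for the kind of packaging error described above, as an added example (not Anthropic's code or tooling): it inspects the files that would go into an npm tarball and flags shipped source maps, embedded original sources, and map references to remote locations. The function name, file names and URL are constructed for illustration.

```javascript
// Added example: audit the files destined for an npm tarball for source-map
// exposure. Function name, file names and URL are constructed assumptions.
const MAP_COMMENT = /\/[/*][#@]\s*sourceMappingURL=(\S+)/g;
const REMOTE_URL = /^https?:\/\//i;

// files: { "relative/path": "file content" }, e.g. read from the file list
// that `npm pack --dry-run --json` reports for the package.
function auditPackageFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      findings.push({ path, issue: "source map shipped in package" });
      let map;
      try { map = JSON.parse(content); } catch {
        findings.push({ path, issue: "unparseable source map" });
        continue;
      }
      if (Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean)) {
        findings.push({ path, issue: "original sources embedded (sourcesContent)" });
      }
      // A map can also point outside the package, e.g. at a hosted archive.
      const refs = [map.sourceRoot, ...(map.sources || [])]
        .filter((s) => typeof s === "string" && REMOTE_URL.test(s));
      for (const ref of refs) findings.push({ path, issue: `remote reference ${ref}` });
    } else if (/\.(c|m)?js$/.test(path)) {
      for (const m of content.matchAll(MAP_COMMENT)) {
        const target = m[1].replace(/\*\/$/, "");
        const issue = target.startsWith("data:")
          ? "inline source map (data: URL)"
          : `sourceMappingURL -> ${target}`;
        findings.push({ path, issue });
      }
    }
  }
  return findings;
}

// Constructed sample package contents.
const samplePackage = {
  "package.json": '{"name":"example-cli","version":"1.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3,
    sources: ["https://storage.example.invalid/src.zip"],
    mappings: "",
  }),
  "lib/util.js": "module.exports = {};\n",
};
console.log(auditPackageFiles(samplePackage));
```

A release job can fail the build whenever the returned list is non-empty, so a stray map never reaches the registry.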
What the Leaked Code Revealed
The leaked codebase contained dozens of feature flags for capabilities that have been built but not yet publicly shipped. The most significant include an autonomous background mode called KAIROS that lets Claude Code continue working while the user is idle, a persistent memory consolidation system called autoDream that merges observations and refines facts between sessions, a mobile and remote control interface for managing Claude Code from a phone or browser, and a multi-agent coordination architecture for longer autonomous workflows.
The code also exposed internal model codenames. The current Claude 4.6 variant is codenamed Capybara. Opus 4.6 is Fennec. An unreleased model called Numbat is still in testing. Internal comments in the codebase noted that the latest Capybara iteration had a 29 to 30 percent false claims rate, a regression from earlier versions, giving competitors a specific benchmark to work against.
As VentureBeat’s detailed breakdown noted, the leak is more than a security lapse for a company at Anthropic’s stage. With $19 billion in annualized revenue and an IPO being discussed for later in 2026, handing competitors a full engineering blueprint of the product that drives developer adoption is a significant strategic setback regardless of whether customer data was exposed.
The Separate Supply Chain Attack
Separate from the accidental leak, security researchers identified a concurrent supply chain attack on the axios npm package that occurred hours before the Claude Code incident. Users who installed or updated Claude Code via npm on March 31 between 00:21 and 03:29 UTC may have pulled in a malicious version of axios containing a remote access trojan. Users who updated during that window are advised to downgrade immediately and rotate any exposed credentials.
Attackers also moved quickly to exploit the leak itself by registering typosquatted npm package names mimicking internal Claude Code dependencies. Anyone attempting to compile the leaked source code from scratch risks pulling in these malicious packages. Security researchers flagged the packages, all published under the same account, as currently empty stubs that could be updated with malicious code at any time.
The convergence of both incidents on the same day raised questions in the security community about Anthropic’s build pipeline governance and the speed at which the broader npm ecosystem can be weaponized once a high-profile leak attracts attention.
What It Means for Anthropic
Anthropic’s brand has been built in significant part on the claim of being the safety-first AI lab. The leak is awkward precisely because it happened internally, not through external attack. An AI company that positions responsible AI development as its core differentiator is harder to defend when it accidentally ships its own codebase to a public registry through a misconfigured build script.
The more practical damage is competitive. Claude Code has become one of Anthropic’s most commercially important products and a genuine differentiator in the enterprise AI market. The autonomous background features, memory architecture, and multi-agent coordination systems revealed in the leak represent years of engineering investment. That investment is now available for any competitor or open source project to study, reverse engineer, and replicate.
For developers and enterprises currently using or evaluating Claude Code, the immediate concern is the supply chain attack, not the source code leak itself. No user data or API credentials were exposed in the packaging error. The risk for affected users is the compromised axios dependency, which exposes those who updated during the vulnerable window to a remote access trojan.
The Bigger Picture for AI Tooling
The Claude Code leak is a reminder that the competitive dynamics in AI are increasingly playing out at the tooling layer rather than the model layer. The model itself, Claude Sonnet 4.6, is accessible via API to anyone. The differentiation Anthropic has built with Claude Code is in the product, the user experience, the agentic architecture, and the enterprise workflow integration. That is what the leak exposed, and that is what competitors can now learn from directly.
For the broader AI market, the leak also offers a rare public window into how frontier agentic systems are actually being built. The memory architecture, the autonomous daemon mode, and the multi-agent coordination patterns revealed in the Claude Code codebase are exactly the capabilities that will define the next generation of AI tools. The fact that they were already built and staged behind feature flags tells you something about the pace at which agentic AI is progressing, whether or not individual companies would prefer that progress to remain private. Our piece on what is agentic AI and what it means for marketers covers the broader context for why these capabilities matter.
Frequently Asked Questions (FAQs)
What was leaked in the Anthropic Claude Code incident?
Anthropic accidentally published version 2.1.88 of the Claude Code npm package on March 31, 2026, which included a source map file pointing to a public archive of the full Claude Code codebase. The archive contained nearly 2,000 TypeScript files and approximately 512,000 lines of code, including unreleased feature flags, internal model codenames, performance data, and architectural details of the autonomous and multi-agent systems in development.
Was customer data exposed in the Claude Code leak?
No. Anthropic confirmed that no sensitive customer data or credentials were involved or exposed. The incident was a packaging error that exposed the product’s source code, not user data, API keys, or billing information. The separate supply chain attack on the axios npm package that occurred around the same time is a distinct risk affecting users who updated Claude Code during a specific three-hour window on March 31.
What is the supply chain attack associated with the Claude Code incident?
Separate from the source code leak, a malicious version of the axios npm package was published on March 31, 2026, between 00:21 and 03:29 UTC. Users who installed or updated Claude Code during that window may have pulled in a version of axios containing a remote access trojan. Affected users should downgrade to a safe version of Claude Code and rotate any credentials or secrets that may have been accessible on the affected machine.
What unreleased features were revealed in the Claude Code leak?
The leaked source code contained feature flags for several unshipped capabilities including KAIROS, an autonomous background mode that allows Claude Code to continue working while the user is idle; autoDream, a memory consolidation system that merges observations and refines facts between sessions; remote and mobile control allowing users to manage Claude Code from a phone or browser; and multi-agent coordination architecture for longer autonomous workflows.
What does the Claude Code leak mean for Anthropic’s competitors?
The leak gives competitors a detailed engineering blueprint of one of the most commercially significant AI developer tools in the market. The agentic architecture, memory systems, and multi-agent coordination patterns revealed in the codebase represent years of product development that is now publicly available to study and replicate. For Anthropic, which is preparing for a potential IPO in 2026, the leak is a meaningful setback to the competitive moat Claude Code represents.