Anthropic has acknowledged that human error caused the accidental publication of a significant section of Claude source code via an open-source npm package.
On Tuesday, the company also acknowledged that the 2nd version of the Claude Source Code npm package (version 2.1.88) accidentally included a source map file that can be used to reconstruct nearly 2,000 TypeScript files and over 512,000 lines of internal code. The problematic version has since been removed from the npm registry.
Security researcher Chaofan Shou was the first to publicly highlight the issue on X, where the post quickly gained over 28.8 million views. The leaked codebase was also mirrored to a public GitHub repository, where it has already received more than 84,000 stars and 82,000 forks.
Anthropic emphasized that no customer data or credentials were exposed. “This was a release packaging issue caused by human error, not a security breach,” a spokesperson told CNBC. The company is implementing additional safeguards to prevent similar incidents.
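A source map exposes code in this way when its `sourcesContent` array carries the original files verbatim, so a release pipeline can check for that before publishing. The check below is an added example, not code from Anthropic or from this article; the function names and the sample file list are constructed for illustration.

```javascript
// Added example: flag source maps among the files about to be published ([{ path, content }]).
const INLINE_MAP = /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+/=]+)/;

// Count the original files a Source Map v3 document names and embeds.
function embeddedSources(mapText) {
  let map;
  try { map = JSON.parse(mapText); } catch { return null; }
  if (map === null || typeof map !== 'object') return null;
  // Index maps keep ordinary maps under sections[].map.
  const maps = Array.isArray(map.sections)
    ? map.sections.map((s) => s && s.map).filter(Boolean)
    : [map];
  let sources = 0, embedded = 0;
  for (const m of maps) {
    if (Array.isArray(m.sources)) sources += m.sources.length;
    if (Array.isArray(m.sourcesContent)) {
      // Entries may be null when a source was deliberately left out.
      embedded += m.sourcesContent.filter((c) => typeof c === 'string').length;
    }
  }
  return { sources, embedded };
}

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    let mapText = null, kind = null;
    const inline = INLINE_MAP.exec(content);
    if (path.endsWith('.map')) { mapText = content; kind = 'map-file'; }
    else if (inline) {
      mapText = Buffer.from(inline[1], 'base64').toString('utf8'); kind = 'inline-map';
    }
    if (mapText === null) continue;
    const info = embeddedSources(mapText);
    // An unparseable map is reported too: it still should not ship unreviewed.
    findings.push({ path, kind, parsed: info !== null, ...(info || { sources: 0, embedded: 0 }) });
  }
  return findings;
}

// Constructed sample: one external map with embedded sources, one inline map without.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64');
const sampleFiles = [
  { path: 'cli.js', content: 'run();\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: JSON.stringify({ version: 3, sources: ['../src/main.ts', '../src/tools.ts'], sourcesContent: ['export const a = 1;', 'export const b = 2;'], mappings: '' }) },
  { path: 'helper.js', content: 'x();\n//# sourceMappingURL=data:application/json;base64,' + b64({ version: 3, sources: ['h.ts'], sourcesContent: [null], mappings: '' }) },
];
const leaking = auditPackageFiles(sampleFiles).filter((f) => f.embedded > 0);
console.log(leaking.map((f) => `${f.path}: ${f.embedded} embedded source(s)`));
```

In a pipeline the file list would come from the files `npm pack --dry-run` reports for the package, and any finding with `embedded > 0` should fail the release.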
What the Leak Reveals
Developers who have researched the code have identified a number of fascinating internal components, including the following:
1. An architecture for self-healing memories to counteract the limitations of normal context sub-type models.
2. A sophisticated tools system for executing various file manipulation functions in addition to executing commands in the shell.
3. A distributed multi-agent management framework capable of creating "sub-agents" or groups of agents that will complete difficult tasks.
4. A bidirectional communication system between IDE extensions and the Claude Code command line interface (CLI).
5. The KAIROS feature that transforms Claude Code into a persistent background agent that will automatically repair errors and send push notifications to the user.
6. A "dream" mode that allows agents to continuously think and iterate on ideas in the background.
7. An undercover mode that uses system prompts designed to instruct the agent to make "covert" contributions to open-source repositories without identifying itself as coming from Anthropic.
The leak also exposed Anthropic’s defenses against model distillation attacks, including mechanisms that inject fake tool definitions to poison potential training data scraped by competitors.
Supply Chain Risks Emerge
The incident has already triggered follow-on attacks. Users who installed or updated the package between 00:21 and 03:29 UTC on March 31, 2026, may have received a trojanized version of the HTTP client containing a cross-platform remote access trojan. Anthropic and security researchers are urging affected users to downgrade immediately and rotate all secrets.
Additionally, attackers have begun typosquatting internal package names (published under the user “pacifier136”), including:
1. audio-capture-napi
2. color-diff-napi
3. image-processor-napi
4. modifiers-napi
5. url-handler-napi
These currently appear as empty stubs, but researchers warn that malicious updates could be pushed later to target developers trying to build from the leaked source.
Second Incident in a Week
This is the second notable security lapse for Anthropic in recent days. Last week, internal details about the company’s next AI model, described as “the most capable we’ve built to date,” were inadvertently left accessible via its content management system.
The events highlight the growing challenges of securely managing and releasing complex AI tooling. The use of AI coding assistants is growing, which means that small mistakes when packaging files can cause a large amount of damage.
Developers are encouraged to:
1. Downgrade immediately and rotate any exposed secrets if they installed Claude Code v2.1.88 on 31st March.
2. Be careful when using any npm packages associated with Claude Code or Anthropic over the next few days.
3. Treat the leaking of source code for AI agents with the same urgency as leaking other types of source code.
Anthropic has said it is deploying preventative measures to its systems; however, the entire AI community needs to remember that even the largest AI companies are susceptible to human error, with potentially severe consequences.
Source: The Hacker News