Anthropic’s Claude Code Leak Sparks Global Security Concerns as Full Source Code Spreads Across GitHub

On March 31, 2026, a major incident shook the AI and developer community. Anthropic unintentionally exposed the complete source code of its terminal-based AI coding agent, Claude Code. The cause was a packaging mistake in the npm release @anthropic-ai/claude-code version 2.1.88, which publicly included a large source map (.map) file of about 59.8 MB.

This wasn’t a small leak. The source map pointed to an archive containing roughly 513,000 lines of TypeScript code spread across 1,906 files. In simple terms, it revealed almost the entire client-side logic of the system.
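
The packaging mistake described above comes down to a source map reaching the published file set. As an added example (not Anthropic's code or tooling), here is a pre-publish check in Node.js that flags shipped map files, inline maps, and remote map references. The function names, the `files` input shape, and the sample package are assumptions made for illustration.

```javascript
// Added example: audit the files an npm package would ship for source maps.
// `files` maps package-relative paths to text content (hypothetical input shape).
const MAP_REF = /\/[\/*][#@]\s*sourceMappingURL=([^\s*]+)/g;

// Count the sources a map names and how many it embeds in full (sourcesContent).
function describeMap(text) {
  try {
    const map = JSON.parse(text);
    const embedded = (map.sourcesContent || []).filter((s) => typeof s === 'string' && s).length;
    return { sources: (map.sources || []).length, embedded };
  } catch {
    return { sources: 0, embedded: 0 }; // unparseable, still reported by the caller
  }
}

function auditPackageFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith('.map')) {
      findings.push({ path, kind: 'map-file', ...describeMap(content) });
      continue;
    }
    if (!/\.(?:[cm]?js|css)$/.test(path)) continue;
    for (const [, target] of content.matchAll(MAP_REF)) {
      if (target.startsWith('data:')) { // map embedded in the shipped file itself
        const decoded = Buffer.from(target.split('base64,')[1] || '', 'base64').toString('utf8');
        findings.push({ path, kind: 'inline-map', ...describeMap(decoded) });
      } else if (/^https?:\/\//i.test(target)) { // map hosted outside the package
        findings.push({ path, kind: 'remote-ref', target });
      } else {
        findings.push({ path, kind: 'file-ref', target }); // harmless if the map is not shipped
      }
    }
  }
  return findings;
}

// Release gate: a bare relative reference is informational, everything else blocks.
const blocksPublish = (findings) => findings.some((f) => f.kind !== 'file-ref');

// Constructed sample package contents, not taken from any real release.
const sampleMap = JSON.stringify({ version: 3, sources: ['../src/main.ts', '../src/tools.ts'],
  sourcesContent: ['export const a = 1;', 'export const b = 2;'], mappings: 'AAAA' });
const samplePackage = {
  'cli.js': 'console.log(1);\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': sampleMap,
  'lib/util.js': 'exports.x = 1;\n//# sourceMappingURL=https://maps.example.invalid/util.js.map\n',
  'lib/inline.js': `exports.y = 2;\n//# sourceMappingURL=data:application/json;base64,${Buffer.from(sampleMap).toString('base64')}\n`,
};
console.log(auditPackageFiles(samplePackage), blocksPublish(auditPackageFiles(samplePackage)));
```

For a real package, the file list to feed into such a check can be taken from `npm pack --dry-run --json` before publishing.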

A security researcher quickly spotted the issue and shared it publicly. Within hours, the code was downloaded, mirrored, and widely shared across platforms like GitHub. Thousands of developers, researchers, and even malicious actors started analyzing and modifying the code. Some repositories gained massive traction, with tens of thousands of forks and stars.

Although Anthropic issued takedown notices, the reality is that once something spreads this widely, it becomes nearly impossible to fully contain.


What Was Actually Exposed?

The leaked code gives a deep look into how Claude Code operates behind the scenes. This includes how it communicates with AI models, manages tasks, executes commands, and handles memory.

Key areas revealed include agent orchestration, where the system handles API calls, tool usage, and retry logic. It also exposed how the system manages permissions and executes commands through hooks and integrations like MCP.

Another critical area is memory handling. The system uses persistent memory and background processes to maintain context across tasks. Additionally, internal security-related mechanisms such as telemetry, encryption methods, and authentication flows were visible.

There were even hidden features—over 40 feature flags, including many that were not yet released.

However, some sensitive components remained safe. Model weights, safety systems, and user data were not exposed.


The Real Danger: How This Can Be Misused

The biggest concern is not just the leak itself, but what people are doing with it.

Thousands of copies of the code now exist online. Many of these versions are unverified, and some are already being modified with malicious intent. Attackers are using this opportunity to distribute altered versions containing backdoors, data stealers, or hidden crypto miners.

This creates a serious supply chain risk. Developers who clone what looks like a legitimate repository could unknowingly run harmful code.

Another issue is vulnerability exploitation. With full visibility into the code, attackers can easily identify weak points. Known vulnerabilities—such as remote code execution or API key leaks—become much easier to exploit.

There is also a direct risk to developer machines. Running or building this leaked code locally may introduce unsafe dependencies or scripts that can compromise systems.


Malware Campaign Disguised as “Claude Code Leak”

Security researchers also uncovered a related threat campaign. A fake GitHub repository claiming to host the leaked Claude Code was used as bait.

The repository looked convincing. It included documentation explaining the leak and even claimed to offer enhanced features like unlimited usage. But in reality, it contained a malicious archive.

Inside the archive was an executable file acting as a dropper. Once run, it installed Vidar (an information-stealing malware) and GhostSocks (a tool used to route traffic through compromised systems).

This shows how quickly attackers adapt to trending events. As soon as the leak became public, it was turned into a social engineering trap.


How to Stay Safe

This situation highlights the importance of caution, especially for developers.

Avoid downloading or running any code that claims to be the leaked version unless it comes directly from verified sources. Even then, it’s best to wait for official fixes.

Organizations should adopt a Zero Trust approach, limiting access and verifying every interaction. Monitoring unusual behavior on developer machines is also critical.

Developers should understand that leaked code is not open-source. It is still proprietary and potentially unsafe.

Finally, scanning local environments and delaying updates during such incidents can reduce risk significantly.


Our Perspective on This Incident

What stands out in this case is how quickly a technical mistake turned into a global security concern. A single overlooked file in a package exposed not just code, but an entire ecosystem of risks. This shows how fragile modern software pipelines can be, especially when dealing with complex AI systems.

In our view, the bigger issue is not just the leak—it’s the reaction to it. The speed at which developers rushed to download, fork, and experiment with the code reflects a common problem in the tech community: curiosity often outweighs caution. While exploration drives innovation, it also opens doors to serious threats when done carelessly.

Another important takeaway is how fast attackers move. Within hours, malicious actors had already created fake repositories and weaponized the situation. This level of responsiveness means organizations can no longer rely on slow or reactive defenses.

We believe this incident will push companies to rethink how they package and distribute software, especially AI tools with deep system access. It also reinforces the need for stronger developer awareness. Security is no longer just a company responsibility—it’s something every individual developer must actively consider.

Ultimately, this leak is a reminder that in today’s environment, even a small oversight can have massive consequences.