Anthropic Accidentally Exposes Claude Code's Entire Source Code Through npm Packaging Error, Days After Mythos Leak
A misconfigured npm package exposed 512,000 lines of Claude Code's TypeScript source code via a source map file pointing to Anthropic's cloud storage, marking the company's second data exposure in less than a week.
Overview
Anthropic accidentally published the complete source code for Claude Code, its AI-powered command-line development tool, through a misconfigured npm package on March 31. A source map file included in the release pointed to a zip archive hosted on Anthropic’s Cloudflare R2 storage bucket, exposing approximately 1,900 TypeScript files and over 512,000 lines of unobfuscated code, according to The Register.
The incident marks Anthropic’s second significant data exposure in less than a week, following the accidental disclosure of nearly 3,000 unpublished assets that revealed the existence of its unreleased Mythos model.
What We Know
Security researcher Chaofan Shou identified the exposure on Tuesday morning. Rather than publishing only the compiled JavaScript distribution, Anthropic’s npm release included source map files that referenced the original TypeScript source, hosted on the company’s cloud infrastructure. A GitHub repository hosting snapshots of the leaked code was forked over 41,500 times within hours, ensuring the code was widely distributed before Anthropic could respond, as reported by The Register.
The exposed code constitutes what Fortune described as the “agentic harness” — the software wrapper that instructs the Claude model how to use external tools, manage context, and implement safety guardrails. It does not include the Claude model weights, training data, or any customer information.
Software engineer Gabriel Anhaia highlighted how a single configuration error enabled the exposure: “A single misconfigured .npmignore or files field in package.json can expose everything,” as cited by The Register. Security researcher Roy Paz echoed the concern, telling Fortune that “at Anthropic, it seems that the process wasn’t in place and a single misconfiguration or misclick suddenly exposed the full source code.”
Anthropic acknowledged the incident and stated: “No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach,” according to both The Register and Fortune.
What the Code Reveals
Analysis of the leaked codebase by AI researcher Sebastian Raschka provides a detailed look at Claude Code’s internal architecture. According to Raschka’s analysis, the system loads the main git branch, current branch, recent commits, and CLAUDE.md files for repository context at initialization. It employs aggressive prompt cache reuse with boundary markers separating static from dynamic content, allowing expensive context sections to be processed once and reused across interactions.
Rather than relying on generic shell access, Claude Code implements specialized tools including a custom Grep utility with improved permission handling, a dedicated Glob tool for file discovery, and Language Server Protocol integration for code navigation, according to Raschka. The system also uses a structured markdown memory system that tracks session state, task specifications, file modifications, errors, and work logs.
The code further reveals that Claude Code’s subagent architecture forks child processes from the parent, reusing the prompt cache while maintaining independent state awareness for background tasks like summarization, as detailed by Raschka.
Researchers also found references to Anthropic’s unreleased Capybara model — the internal codename for the Mythos model tier previously reported — suggesting different capability tiers were being tested within Claude Code, according to Fortune.
What We Don’t Know
Anthropic has not disclosed what preventive measures it will implement to avoid similar packaging errors. The company has also not addressed whether the exposed code contains any security-sensitive implementation details that could be exploited to bypass Claude Code’s safety guardrails.
The full scope of the exposure’s competitive implications remains unclear. With the complete agentic harness now publicly available, competitors and open-source developers can study and potentially replicate Claude Code’s architecture. Whether this will lead to a wave of Claude Code clones or primarily benefit the broader AI tooling ecosystem is an open question.
Analysis
Two accidental disclosures in five days — first Mythos, now the Claude Code source — raises questions about Anthropic’s internal security posture at a moment when the company is positioning itself as a leader in AI safety. The Mythos leak exposed strategic product information, while the Claude Code leak exposed engineering implementation. Neither involved customer data or model weights, but together they suggest systemic gaps in release engineering and configuration management.
The technical lessons are straightforward: source map files must be excluded from production npm packages, and automated CI/CD checks should verify that no unintended files are included before publishing. These are well-understood practices in the JavaScript ecosystem, making the oversight particularly notable for a company of Anthropic’s scale and security focus.
The irony is not lost on the security community: Anthropic builds tools designed to help developers write safer code, yet its own release pipeline lacked the safeguards that would have prevented this exposure.