Anthropic Accidentally Exposes Claude Code Source Files

Anthropic accidentally published internal Claude Code source files on March 31, 2026, after an npm package included a map file that pointed to a zip archive on a Cloudflare R2 bucket. Security researcher Chaofan Shou and others downloaded roughly 1,900 TypeScript files (about 512,000 lines), which were mirrored and forked over 41,500 times on GitHub. Anthropic says it was human error, no customer data was exposed, and fixes are underway.
Key Points
- 1Exposes ~1,900 TypeScript files and 512,000+ lines via npm map file pointing to Cloudflare R2
- 2Reveals supply-chain and packaging risk, showing map files can leak internal source when published
- 3Suggests engineers must audit build pipelines, .npmignore and package.json to prevent similar leaks
Scoring Rationale
Confirmed same-day leak with strong evidence (public GitHub mirrors and company admission) raises novelty and actionability. Scope is primarily Anthropic but has broader supply-chain implications for developers, so score is high for immediacy and practical relevance.
Sources
Public references used for this report.
View 7 more sources
- 04Anthropic Leak Reveals Claude Code Internal Source Codebusinessinsider.com
- 05Claude Code Source Leaked via npm Packaging Error, Anthropic Confirmsitsecuritynews.info
- 06AI giant Anthropic suffers strategic code hemorrhage — RT World Newsrt.com
- 07Anthropic Accidently Leaks Code Behind Its Hit Toolnewser.com
- 08Anthropic scrambles to contain self-inflicted leak of valuable AI codenypost.com
- 09Claude Source Code Leak Hands Rivals a Devastating Blueprintpymnts.com
- 10Why were Claude Code source repos removed?alltoc.com
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems