Overview
- Anthropic’s @anthropic-ai/claude-code package, updated Tuesday as version 2.1.88, included a 59.8 MB source map—a debug file that links built code back to original sources—that let researchers reconstruct roughly 1,900 TypeScript files totaling about 512,000 lines.
- Security researcher Chaofan Shou flagged the file on X, and copies spread to GitHub within hours as posts about the code drew tens of millions of views.
- Anthropic said the release was a human packaging error, removed the version, and said no customer data, credentials, or model weights were exposed.
- Analysts reviewing the files described internal architectures and unreleased features, including a three-layer self-healing memory system, a KAIROS background agent, and an “Undercover Mode” for discreet open-source contributions.
- Security firms warned of targeted exploits and supply-chain risks, pointing to typosquatted npm packages and a separate axios incident during the March 31 UTC window. They advised users to downgrade or use the native installer, audit dependencies, and rotate any keys. The leak is the company’s second exposure reported in a week, heightening scrutiny of its release controls.
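
The first bullet describes a source map shipped inside a published npm package. A pre-publish check for that packaging failure follows as an added example; it is not code from Anthropic or from the reporting. The names `auditPackage`, `inspectMap` and `demo` are hypothetical, the sample package is constructed, and the check assumes the package has been unpacked to a directory (for example from the tarball `npm pack` produces).

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Recursively list regular files under dir (symlinks and devices are skipped).
function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    return e.isDirectory() ? walk(p) : e.isFile() ? [p] : [];
  });
}

// Summarise a .map file: sources it names, and how many are embedded verbatim.
function inspectMap(file) {
  const f = { file, kind: 'source-map', bytes: fs.statSync(file).size, sources: 0, embedded: 0 };
  try {
    const map = JSON.parse(fs.readFileSync(file, 'utf8'));
    // Index maps nest their data under sections[].map; a flat map is one part.
    const parts = Array.isArray(map.sections) ? map.sections.map((s) => s.map || {}) : [map];
    for (const m of parts) {
      f.sources += (m.sources || []).length;
      f.embedded += (m.sourcesContent || []).filter((c) => typeof c === 'string').length;
    }
  } catch {
    f.kind = 'unparseable-map'; // still reported: no .map file should ship unnoticed
  }
  return f;
}

// Findings for every .map file and every JS file that points at or inlines one.
function auditPackage(dir) {
  return walk(dir).flatMap((file) => {
    if (file.endsWith('.map')) return [inspectMap(file)];
    if (!/\.[cm]?js$/.test(file)) return [];
    const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(fs.readFileSync(file, 'utf8'));
    return m ? [{ file, kind: m[1].startsWith('data:') ? 'inline-map' : 'map-reference' }] : [];
  });
}

// Constructed sample package (not the real one): a bundle plus its source map.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pkg-audit-'));
  fs.writeFileSync(path.join(dir, 'cli.js'), 'console.log(1);\n//# sourceMappingURL=cli.js.map\n');
  fs.writeFileSync(path.join(dir, 'cli.js.map'), JSON.stringify({ version: 3, sources: ['src/a.ts', 'src/b.ts'], sourcesContent: ['export const a = 1;', null], mappings: '' }));
  const findings = auditPackage(dir);
  fs.rmSync(dir, { recursive: true, force: true });
  return findings;
}
console.log(demo());
```

In a release pipeline, run `auditPackage` on the unpacked tarball and fail the publish step when it returns any finding; a non-zero `embedded` count means original source text would ship with the package.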