Overview
- Anthropic’s AI coding tool exposed its internal TypeScript code on Tuesday, March 31, after a 60MB sourcemap in an npm package let researchers reconstruct roughly 500,000 lines across about 1,900 to 2,000 files, with no model weights or customer data included.
- To curb the spread, Anthropic sent about 8,000 DMCA notices to GitHub, but network-wide processing also disabled many legitimate forks before the company asked Wednesday for unaffected repositories to be reinstated and for removals to be limited to the 96 listed forks.
- Developers quickly mirrored the code and studied the agent harness. One programmer used AI tools to rewrite the leaked instructions in Python, claiming that the language rewrite avoids copyright takedowns; the rewrite makes removal efforts harder.
- Security firm Adversa AI reported a critical permission bug in Claude Code that lets command pipelines with more than 50 subcommands skip deny-rule checks, creating a path for prompt-injected build steps to try to exfiltrate SSH keys and cloud tokens.
- Anthropic executives described the exposure as a release-process error tied to a rapid ship cycle and said new safeguards are rolling out, and a fact-check debunked viral claims that the incident was an April Fools’ stunt.
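
A pre-publish check for the kind of exposure described in the first bullet, as an added example that is not Anthropic's code or tooling: it takes the files that would go into an npm package and flags source maps whose `sourcesContent` field embeds the original sources. The function names, finding labels and sample package contents are assumptions constructed for illustration.

```javascript
// Added example (not from the article). Audits the files headed into an npm
// package for source maps that would let a reader rebuild the original code.
// Input is [{ path, text }]; in practice, read these from the packed tarball.
function auditSourceMaps(files) {
  const findings = [];
  for (const { path, text } of files) {
    if (/\.(c|m)?js$/.test(path)) {
      // Shipped JS that points at (or inlines) a map via the trailing comment.
      const ref = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(text);
      if (ref) {
        const inline = ref[1].startsWith("data:");
        findings.push({ path, kind: inline ? "inline-map" : "map-reference",
                        detail: inline ? "data: URI" : ref[1] });
      }
      continue;
    }
    if (!path.endsWith(".map")) continue;
    let map;
    try { map = JSON.parse(text); } catch (e) {
      findings.push({ path, kind: "unparseable-map", detail: e.message });
      continue;
    }
    // Index maps nest ordinary maps under sections[].map.
    const maps = Array.isArray(map.sections)
      ? map.sections.map((s) => s.map).filter(Boolean) : [map];
    let embedded = 0, total = 0;
    for (const m of maps) {
      total += (m.sources || []).length;
      embedded += (m.sourcesContent || []).filter((c) => typeof c === "string").length;
    }
    findings.push({ path, kind: embedded ? "map-with-sources" : "map-names-only",
                    detail: `${embedded}/${total} sources embedded` });
  }
  return findings;
}

// Fail closed: embedded sources, inline maps and unreadable maps stop a publish.
const BLOCKING = new Set(["map-with-sources", "inline-map", "unparseable-map"]);
const blocksPublish = (findings) => findings.some((f) => BLOCKING.has(f.kind));

// Constructed sample package contents.
const samplePackage = [
  { path: "package/cli.js", text: "run();\n//# sourceMappingURL=cli.js.map\n" },
  { path: "package/cli.js.map", text: JSON.stringify({ version: 3,
      sources: ["../src/main.ts", "../src/tools.ts"],
      sourcesContent: ["export const a = 1;", null], mappings: "" }) },
  { path: "package/README.md", text: "# demo" },
];
console.log(auditSourceMaps(samplePackage), blocksPublish(auditSourceMaps(samplePackage)));
```

A map that lists source paths but carries no `sourcesContent` is reported as `map-names-only` and does not block, since it reveals file names rather than file contents.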