The Day Anthropic's "Safety-First" Reputation Met a Missing .npmignore Rule

In the early hours of March 31, 2026, the complete source code of Claude Code—one of the most popular AI coding assistants on the market—spilled onto the public internet through Anthropic's own npm package registry. Approximately 512,000 lines of TypeScript across 1,906 files, packaged in a 59.8 MB source map file, became downloadable by anyone who ran npm install. For a company that has built its brand on being the "safety-first" AI lab, the irony was impossible to ignore.

This wasn't a sophisticated cyberattack. It was a human error: someone on the release team failed to exclude a debugging artifact from the published package. But the fallout—spanning competitive intelligence leaks, supply chain attacks, congressional scrutiny, and a DMCA debacle—has become one of the most consequential security incidents in AI industry history.

How It Happened: A Source Map That Shipped the Blueprints

Source map files are standard debugging tools that map minified production code back to its original, human-readable source. Think of it as accidentally shipping the architect's complete blueprints inside the walls of a finished building. When Anthropic pushed version 2.1.88 of @anthropic-ai/claude-code to npm, the .map file was included because it wasn't listed in .npmignore and the files field in package.json didn't explicitly exclude it.

At 4:23 AM ET, Chaofan Shou, an intern at Solayer Labs, posted the discovery on X. What followed was a digital gold rush. The codebase was downloaded from Anthropic's own Cloudflare R2 bucket, mirrored to GitHub, and became the fastest repository in GitHub history to reach 50,000 stars—doing so in under two hours. Over 41,500 forks proliferated before any takedown could occur. A Python clean-room rewrite appeared within hours.

What the Leaked Code Revealed

Unreleased Features and Strategic Roadmap

The source contained 44 hidden feature flags for capabilities that were fully built but not yet shipped. Among them: a self-review system for Claude's sessions, a "persistent assistant" running in background mode, and remote control capabilities allowing users to operate Claude from a phone or secondary browser. Researchers also found references to "Mythos," an unreleased AI model—a discovery that had already embarrassed Anthropic just days earlier in a separate incident.

For competitors like OpenAI, Google DeepMind, and Cursor, this was an unprecedented window into Anthropic's technical architecture and product strategy.

Three Critical Attack Paths

Security firm Straiker published a detailed analysis identifying the most concerning vulnerabilities exposed by the leak:

Context Poisoning via Compaction Pipeline: Claude Code uses a four-stage context management system (tool result budgeting → microcompaction → context collapse → autocompaction). The leak revealed that MCP tool results and file read contents are exempt from microcompaction, persisting until the final autocompaction stage. The compaction prompt instructs the model to "pay special attention to specific user feedback" and preserve "all user messages that are not tool results." This means malicious instructions embedded in repository files like CLAUDE.md can survive compression, get laundered as legitimate "user feedback," and be followed as genuine directives—all without requiring an actual jailbreak.

Bash Permission System Gaps: The bash security validator chain contained three exploitable patterns. First, "early-allow short circuits" where validators like validateGitCommit can return allow, bypassing all subsequent validators. Second, parser differentials across three different command parsing systems—the source itself documents one: "shell-quote's character class treats CR as separator, but bash IFS does not." Third, permission discardability, where warnings can be silently dropped if users have matching allow rules.

Expanded Supply Chain Attack Surface: With the full interface contracts now public, creating convincing malicious MCP servers became significantly easier. The leaked source also enabled the creation of backdoored npm forks that would be difficult to detect without binary hash verification.

As Straiker's analysis emphasized: "What changed on March 31 is that the attack research cost collapsed overnight." The attacks were theoretically possible before—but now they're dramatically cheaper to develop.

The Axios Supply Chain Attack: A Perfect Storm

The timing was devastating. On the same day as the Claude Code leak, a separate supply chain attack compromised the axios npm package—an HTTP client library present in roughly 80% of cloud environments with over 100 million weekly downloads. Between 00:21 and 03:29 UTC on March 31, anyone who installed or updated Claude Code via npm may have pulled in malicious axios versions (1.14.1 or 0.30.4) containing a fully functional Remote Access Trojan (RAT).

Google's Threat Intelligence Group attributed the attack to UNC1069, a financially motivated threat actor linked to North Korea that has been active since at least 2018. Microsoft published a detailed mitigation guide for the compromise. The convergence of these two events—Anthropic's accidental code disclosure and a state-actor supply chain attack targeting the same ecosystem—painted a stark picture of how fragile the AI development supply chain remains.

The DMCA Debacle: When Damage Control Creates More Damage

Anthopic's initial statement was measured: "No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach." But the company's subsequent attempt to contain the spread created a new controversy.

Anthopic filed DMCA takedown notices with GitHub, but the notices were executed against approximately 8,100 repositories—including legitimate forks of Anthropic's own publicly released Claude Code repository that contained only documentation, examples, and skills. Developers who had simply forked the public repo found themselves receiving takedown notices.

Claude Code lead Boris Cherny acknowledged the error and retracted most takedowns, limiting them to one repository and 96 forks containing the actual leaked source. But the damage to community trust was done. Futurism captured the sentiment: Anthropic, a company that has freely utilized others' intellectual property for AI training, suddenly discovered an intense passion for IP protection when it was their own code in the wild.

Meanwhile, claw-code—a clean-room rewrite of Claude Code—crossed 100,000 GitHub stars, becoming the fastest-growing repository in the platform's history. The practical reality: 512,000 lines of Claude Code are permanently in the wild.

Pre-Existing Vulnerabilities the Leak Amplified

The source code exposure didn't create Claude Code's security challenges—it amplified existing ones. Check Point Research had previously discovered and responsibly disclosed two critical vulnerabilities:

CVE-2025-59536 (CVSS 8.7): A code injection vulnerability allowing arbitrary shell command execution during tool initialization when a user starts Claude Code in an untrusted directory. Patched in version 1.0.111 (October 2025).

CVE-2026-21852: An API credential theft vulnerability requiring zero user interaction, exploitable through malicious project configurations. Patched in version 2.0.65 (January 2026).

Both were patched before the leak, but having the full source code dramatically lowers the barrier for discovering similar attack paths. Security researchers note that Claude Code-assisted commits leak secrets at a 3.2% rate versus the 1.5% baseline across all public GitHub commits, with AI service credential leaks surging 81% year-over-year.

What You Should Do Right Now

Immediate Actions for All Claude Code Users

Verify package integrity. Pin your Claude Code version and verify binary hashes. If you installed or updated via npm on March 31, 2026, run npm audit immediately and confirm your axios version isn't 1.14.1 or 0.30.4.

Rotate API keys. Change your Anthropic API keys via the developer console and monitor usage for anomalies.

Audit CLAUDE.md files. Manually review CLAUDE.md and .claude/config.json in any cloned repositories, especially untrusted ones. These are the primary vectors for context poisoning attacks.

Tighten permission rules. Never use broad rules like Bash(git:*). Configure Claude Code's three-tier permission system (allowlist, asklist, denylist) with surgical precision. Block WebFetch, curl, and sensitive file access by default.

Enterprise Security Hardening

Implement commit provenance verification. The leaked source revealed an "Undercover Mode" module that strips AI attribution from commits with no force-off option. Ensure your CI/CD pipeline can verify whether code was AI-generated.

Treat MCP servers as security-critical dependencies. Vet, pin, and monitor them with the same rigor as any npm package. The leaked interface contracts make crafting malicious MCP servers significantly easier.

Limit session lengths for sensitive work. Agents with long conversation histories are substantially more vulnerable to manipulation—attackers can potentially frame contradictions as "policy updates" that the model accepts.

Run as standard user, never admin. If your account has admin privileges, every process including Claude Code inherits elevated permissions. A successful prompt injection becomes full system compromise.

Enable allowManagedHooksOnly. This enterprise setting restricts hook execution to admin-deployed hooks only, preventing user, project, or plugin hooks from running.

Never use dangerouslyDisableSandbox in shared environments. The name is the warning.

The Bigger Picture: AI Agent Security in 2026

The Claude Code leak arrived at a pivotal moment. OWASP has formally documented the top security threats for agentic AI systems. Microsoft published guidance on addressing OWASP's Top 10 risks in agentic AI through Copilot Studio. The industry consensus is converging on Zero Trust principles for AI agents, behavioral monitoring, human-in-the-loop checkpoints for high-impact actions, and immutable audit trails.

U.S. Representative Josh Gottheimer has pushed Anthropic formally on its safety protocols and the source code leak, signaling that this issue is expanding beyond technical circles into the policy arena.

The uncomfortable truth the Claude Code incident has surfaced is this: AI agent security is a fundamentally different problem from AI model safety. You can have the most carefully aligned model in the world, and it won't matter if the agent framework around it ships debugging artifacts to a public registry, grants overly broad shell permissions, or fails to sanitize repository configuration files. Traditional software security principles—least privilege, supply chain verification, defense in depth—remain the most important defense lines in the AI era.

512,000 lines of code are permanently public. Defenders must now assume the attackers have the blueprints—and build accordingly.