
Claude Code Leaked on GitHub: Inside Anthropic's Biggest Source Code Exposure of 2026

Anthropic’s Claude tool exposed its full TypeScript source after a forgotten .map file slipped into npm, igniting a massive AI code‑leak discussion today.

#Anthropic#source map leak#npm security#devops pipeline oversight#TypeScript source maps#AI code disclosure#software supply chain security
Author: Siri


On March 31, 2026, a single forgotten file inside an npm package turned Anthropic's most powerful developer tool into an open book. What followed was one of the most discussed source code leaks in AI history — not because of a hack, but because of a build pipeline oversight that any junior DevOps engineer would flag on day one.


🔍 What Happened: The Short Version

Security researcher Chaofan Shou posted a brief but explosive message on X on the morning of March 31, 2026:

"Claude code source code has been leaked via a map file in their npm registry!"

Within hours, the post had amassed 28.8 million views. A GitHub mirror of the code hit 84,000+ stars and 82,000+ forks before Anthropic began firing off DMCA takedowns — ultimately removing over 8,100 repository forks within days.

The irony? Anthropic wasn't hacked. No credentials were stolen. No zero-day was exploited.

They simply forgot to add *.map to their .npmignore file.


🧬 How the Leak Actually Occurred

To understand this, you need to know what a source map is.

When developers write code in TypeScript or modern JavaScript, it gets compiled, bundled and minified before shipping to production, turning readable code like getUserSession() into something like a(). Source maps are debugging artifacts that reverse this process: they map every position in the minified output back to the original file and line. Crucially, a map also lists the original files (its sources array, optionally prefixed by a sourceRoot path or URL) and usually embeds their full text (sourcesContent), so whoever holds the .map file either holds the original source outright or knows exactly where to fetch it.

Claude Code version 2.1.88 was published to the public npm registry with a 59.8 MB source map file (cli.js.map) accidentally bundled inside the package.

Here's the exact chain of events:

[Anthropic Dev] → publishes @anthropic-ai/claude-code v2.1.88 to npm
       ↓
[npm package] → contains cli.js.map (59.8 MB source map)
       ↓
[Source map] → references unobfuscated TypeScript source hosted on
               Anthropic's Cloudflare R2 cloud storage bucket
       ↓
[Anyone on the internet] → downloads ZIP archive directly from R2
       ↓
[Result] → 512,000 lines of TypeScript source code, fully readable

Claude Code is built with Bun, and the build emitted a source map next to cli.js. Nobody excluded *.map from the published package, whether through .npmignore or through a files allowlist in package.json. The result was a fully downloadable codebase, not from a hack, but from Anthropic's own cloud storage.
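To make the mechanism concrete, here is an added example (not Anthropic's code and not taken from the leaked package) that audits a constructed v3 source map and reports what it gives away: files whose full text is embedded in the map's sourcesContent array, and files the map only references by path or URL through sourceRoot, which is the pattern in the chain above. The bucket hostname, file paths and file contents are assumptions.

```javascript
// Added example: what a v3 source map gives away. Not Anthropic's code; the map
// and its paths are constructed for illustration.

// A constructed cli.js.map. Real maps have the same shape: "sources" lists the
// original files, "sourcesContent" (optional) embeds their full text, and
// "sourceRoot" (optional) is prepended to each source path or URL.
const SAMPLE_MAP = {
  version: 3,
  file: "cli.js",
  sourceRoot: "https://assumed-bucket.example/src/", // assumed external host
  sources: ["auth/session.ts", "telemetry/events.ts", "prompts/system.ts"],
  sourcesContent: [
    "export function getUserSession(id: string) {\n  // TODO: rotate token\n  return store.get(id);\n}\n",
    null, // not embedded: only reachable by fetching the resolved URL
    null,
  ],
  names: ["getUserSession"],
  mappings: "AAAA,SAASA", // VLQ position data; irrelevant to what leaks
};

// Resolve a source entry the way a debugger would: relative to sourceRoot when
// present (URL resolution for absolute roots, plain concatenation otherwise).
function resolveSource(sourceRoot, src) {
  if (!sourceRoot) return src;
  try {
    return new URL(src, sourceRoot).href;
  } catch {
    return sourceRoot + src;
  }
}

// Classify every source the map knows about: embedded text vs external reference.
function auditSourceMap(map) {
  if (map.version !== 3) throw new Error("unsupported source map version: " + map.version);
  const contents = map.sourcesContent || [];
  const report = { embedded: [], external: [], embeddedLines: 0 };
  map.sources.forEach((src, i) => {
    const resolved = resolveSource(map.sourceRoot, src);
    const text = contents[i];
    if (typeof text === "string") {
      report.embedded.push(resolved);
      const lines = text.split("\n");
      report.embeddedLines += text.endsWith("\n") ? lines.length - 1 : lines.length;
    } else {
      report.external.push(resolved);
    }
  });
  return report;
}

// Recover the embedded originals as a path -> text table. This is all
// "unminifying" a bundle with its map amounts to: no reverse engineering needed.
function recoverEmbeddedSources(map) {
  const out = {};
  (map.sourcesContent || []).forEach((text, i) => {
    if (typeof text === "string") out[resolveSource(map.sourceRoot, map.sources[i])] = text;
  });
  return out;
}

const report = auditSourceMap(SAMPLE_MAP);
console.log(`${report.embedded.length} file(s) embedded in the map (${report.embeddedLines} lines)`);
console.log(`${report.external.length} file(s) referenced externally:`);
for (const url of report.external) console.log("  " + url);
```

Run it against a real map with `node -e 'console.log(JSON.stringify(auditSourceMap(require("./cli.js.map"))))'` after pasting the functions in, or simply load the JSON and call auditSourceMap. Either branch of the report is a leak: embedded text is the source, and external references tell a reader where to download it.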

How Source Map Leaks Work (Diagram)

┌─────────────────────────────────────────────────────────┐
│                   Build Pipeline                        │
│                                                         │
│  TypeScript Source  →  Compile & Bundle  →  cli.js      │
│       (original)                         (minified)     │
│                                    ↓                    │
│                              cli.js.map  ←── LEAKED     │
│                         (source map file)               │
│                                    ↓                    │
│                    Points to → R2 Cloud Storage Bucket  │
│                                    ↓                    │
│                         Full ZIP downloadable           │
│                         by anyone, anywhere             │
└─────────────────────────────────────────────────────────┘

Fix: Add *.map to .npmignore  ✅  (better still, declare a files allowlist in package.json so that only named build outputs are ever published)

📦 What Was Inside the Leaked Code?

The exposed codebase was massive:

Metric                        Value
Total lines of code           ~512,000
Number of files               1,906 TypeScript files
Package version affected      @anthropic-ai/claude-code v2.1.88
Source map file size          59.8 MB
GitHub stars (peak)           84,000+
GitHub forks (before DMCA)    82,000+
X post views                  28.8 million
DMCA-removed forks            8,100+

The leaked code covered nearly every aspect of Claude Code's internals:

  • Internal API design and architecture
  • Telemetry and analytics systems
  • Encryption tooling
  • Inter-process communication protocols
  • The full CLI system prompts (embedded directly in the package, not on a server)
  • Developer comments — left entirely intact

🚀 The 44 Hidden Feature Flags: A Peek at Anthropic's Roadmap

Perhaps the most exciting discovery was buried deep in the source: 44 hidden feature flags gating features that are fully built but not yet publicly shipped. These aren't vaporware or half-finished experiments; the code is present and compiled, sitting behind flags that are set to false in the external production build.

Here's what the community found:

Feature                     Description
Background Agents           Run 24/7 with GitHub webhooks and push notifications
Multi-Agent Orchestration   One Claude orchestrates multiple worker Claudes with restricted toolsets
Cron Scheduling             Create, delete, and list agent jobs with external webhooks
Voice Command Mode          Full voice CLI entrypoint, ready to ship
Real Browser Control        Playwright-based browser control (not just web_fetch)
Sleep & Self-Resume         Agents that pause and restart without user prompts
Persistent Memory           Cross-session memory without external storage
Undercover Mode             Prevents Claude from leaking internal codenames in public commits
187 Spinner Verbs           A very well-documented (and fun) set of loading messages

Translation: Almost everything you've been waiting for from Claude Code is already built. Anthropic is choosing when — not whether — to release it.


🔐 The "Undercover Mode" Irony

One of the most talked-about discoveries was a feature called Undercover Mode.

Anthropic had specifically built a subsystem inside Claude Code to prevent the tool from accidentally revealing internal codenames in commits on public repositories. The system prompt injected during Undercover Mode explicitly instructs the model:

  • Do not mention animal-named internal model codenames ("Capybara", "Tengu")
  • Do not reference unreleased version numbers
  • Do not mention internal Slack channels or short links

That precaution? In place.

The source map exclusion from .npmignore? Not in place.

Anthropic built a sophisticated AI-layer defense against accidental disclosure, while the actual build pipeline lacked a one-line file exclusion. The security community noted this contrast widely.


⚠️ Should You Be Worried?

If you're a regular Claude user — no. This leak does not expose:

  • Model weights or training data
  • User conversations or personal data
  • API keys or authentication credentials

What is exposed is Anthropic's internal architecture, security mechanisms, and telemetry logic: information that matters most to competitors, to security researchers, and to anyone hunting for bugs in the tool with the source in hand.

However, there's a secondary concern: supply chain attacks. The day of the Claude Code leak coincidentally saw another major npm incident — the Axios package (83 million weekly downloads) was compromised via a hijacked maintainer account, deploying a Remote Access Trojan. Two completely different failure modes, same infrastructure. It underscored how fragile the npm ecosystem can be.


📅 This Has Happened Before

This is not Anthropic's first time. A nearly identical source map leak was reported and patched in February 2025. The same root cause, the same type of file, the same fix that was apparently not applied consistently across all build pipelines.

Incident      Date             Version   Root Cause
First Leak    February 2025    Unknown   *.map not in .npmignore
Second Leak   March 31, 2026   v2.1.88   Same *.map omission, different pipeline

Shipping a tool at the scale and speed of Claude Code appears to have outpaced DevOps discipline. The fix itself is a single line. The consequences were global.


🛠️ What Developers Should Take Away

Whether you build with Claude or ship your own npm packages, this incident is a masterclass in supply chain hygiene:

  1. Always audit your .npmignore, or better, use the files allowlist in package.json so that only named build outputs are published. A denylist fails open: every new artifact ships unless someone remembers to exclude it, and if no .npmignore exists npm falls back to .gitignore, which rarely lists build outputs. Source maps, internal configs, and debug files should never reach a public registry.
  2. Automate build artifact auditing: the release pipeline should fail if *.map files (or .env files, keys, or tokens) are detected in the package contents.
  3. Assume your minified code will be reversed: minification is not obfuscation, so with or without a source map, treat anything in the shipped bundle (system prompts included) as readable.
  4. Rotate secrets after any unintended disclosure: even if no credentials appear to have leaked, audit everything the package and its build could have reached.
  5. Inspect your npm package before publishing: npm pack --dry-run (or npm publish --dry-run) lists exactly what will be uploaded, and npm pack produces the tarball so you can open it yourself.
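The release gate from steps 2 and 5, as an added example that is not from the page or from Anthropic's pipeline. It consumes the JSON that npm pack --dry-run --json emits (an array with one entry per package, each listing the files that would go into the tarball), fails when any file matches a deny-pattern, and warns when package.json has no files allowlist. The package name, sizes and deny-list are assumptions; in CI you would run `npm pack --dry-run --json > pack.json` and pass the parsed array and the real package.json instead of the constructed sample.

```javascript
// Added example: a release gate over `npm pack --dry-run --json` output.
// Not Anthropic's pipeline code; the package listed below is constructed.

// Files that must never reach a public registry. Assumed policy; extend it.
const FORBIDDEN = [
  { pattern: /\.map$/i, reason: "source map: reverses minification" },
  { pattern: /(^|\/)\.env(\.[^/]*)?$/i, reason: "dotenv file: may carry secrets" },
  { pattern: /\.(pem|key|p12|pfx)$/i, reason: "private key material" },
  { pattern: /(^|\/)\.npmrc$/i, reason: "registry config: may carry auth tokens" },
];

// One array entry in the shape `npm pack --dry-run --json` emits, reduced to
// the fields used here. Names and sizes are made up.
const SAMPLE_PACK_REPORT = [
  {
    name: "example-cli",
    version: "2.1.88",
    filename: "example-cli-2.1.88.tgz",
    files: [
      { path: "package.json", size: 412 },
      { path: "README.md", size: 2048 },
      { path: "cli.js", size: 9_000_000 },
      { path: "cli.js.map", size: 59_800_000 },
      { path: ".env.production", size: 88 },
    ],
  },
];

// Return one finding per offending file across every packed package.
function auditPackedFiles(packReport) {
  const findings = [];
  for (const pkg of packReport) {
    for (const file of pkg.files || []) {
      const rule = FORBIDDEN.find((r) => r.pattern.test(file.path));
      if (rule) {
        findings.push({
          package: `${pkg.name}@${pkg.version}`,
          path: file.path,
          size: file.size,
          reason: rule.reason,
        });
      }
    }
  }
  return findings;
}

// Warn when package.json relies on .npmignore (a denylist) instead of the
// "files" allowlist: an allowlist fails closed when a new artifact appears.
function allowlistWarnings(packageJson) {
  const warnings = [];
  if (!Array.isArray(packageJson.files) || packageJson.files.length === 0) {
    warnings.push('no "files" allowlist in package.json; everything not ignored will be published');
  }
  return warnings;
}

// Exit status for CI: 1 when anything forbidden would ship, otherwise 0.
function gate(packReport, packageJson) {
  const findings = auditPackedFiles(packReport);
  for (const w of allowlistWarnings(packageJson)) console.warn("warning: " + w);
  for (const f of findings) {
    console.error(`BLOCKED ${f.package}: ${f.path} (${f.size} bytes) - ${f.reason}`);
  }
  return findings.length > 0 ? 1 : 0;
}

// Stand-alone run against the constructed sample. In CI, feed the real
// `npm pack --dry-run --json` array and the real package.json instead.
const exitCode = gate(SAMPLE_PACK_REPORT, { name: "example-cli", version: "2.1.88" });
console.log(exitCode === 0 ? "package contents OK" : "release blocked");
```

Running the gate before npm publish (and on every tagged build) turns the missing one-line exclusion into a hard failure instead of a global disclosure; the allowlist warning nudges the project toward a configuration where a forgotten exclusion cannot ship anything at all.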

🤔 Accident, Incompetence, or the Best PR Stunt in AI History?

The internet couldn't resist the conspiracy theories. Some developers pointed out that the leak conveniently revealed that Anthropic is significantly ahead of its public roadmap, which in turn sparked renewed excitement about Claude Code's future. The GitHub repo hit 9,000 stars in under two hours — organic momentum any marketing team would dream of.

Was it a deliberate stunt? Almost certainly not. But the timing, right as competition between AI coding tools is at a fever pitch, made for a story that will live in developer circles for years.

Whether you view it as a cautionary tale about DevOps, a fascinating window into the future of agentic AI, or a reminder that the most sophisticated AI systems in the world can be undone by a missing line in a config file — one thing is certain:

The future of Claude Code looks very, very impressive. And now, everyone knows it.


Found this useful? Share it with your dev team. And maybe go check your .npmignore right now.

