Claude Code Source Code Leaked: What Happened Explained

So yesterday, March 31st, 2026, something pretty wild happened. Anthropic accidentally published the full internal source code for Claude Code, their most popular product, to the public npm registry. And it just sat there. Anyone could download it. No hacking required.

I spent the morning reading through what people found via Reddit and X, and honestly, there’s a lot to unpack here. Not just what was inside the code, but how this happened, and what it means going forward for Anthropic, for competitors, and for everyone who uses Claude Code daily.

Disclaimer: This article is purely for education. Downloading, copying, redistributing, or building on someone else’s proprietary code — even if it accidentally became public — is a violation of their license and potentially illegal. The fact that Anthropic made a mistake does not make the code yours to use. Please respect intellectual property. This piece is about understanding what happened and why it matters, not about encouraging anyone to go grab the code.

How the Leak Actually Happened

This is the part I keep coming back to, because it’s both routine and kind of embarrassing.

When you build a JavaScript or TypeScript package for npm, your bundler often generates a source map file next to the minified output. These .map files are debugging helpers: they connect the minified, unreadable production code back to the original readable source, so that when something breaks in production your stack trace points to an actual human-readable line of code instead of a jumbled mess of compressed JavaScript.

The problem is that source maps are meant for development, not for the published package. Keeping them out is a single setting: exclude *.map in your .npmignore, use the files allowlist in package.json, or tell your bundler not to emit external maps for release builds. How bad it is to ship one depends on what it contains. A map that only records positions reveals your file names and directory layout. A map that embeds the original text in its sourcesContent field, or that points at where the original source can be fetched, hands over the code itself.
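To make that concrete, here is an added example (my own code, not Anthropic’s, Bun’s or Claude Code’s) that does the two things a practitioner wants when this comes up: it audits what a source map actually contains, and it acts as a pre-publish gate over the list of files about to go into a tarball. The source map and the file list are constructed for the example; the URL-shaped entry in sources is hypothetical and stands in for the kind of external reference the article describes.

```javascript
// Added example: what a shipped source map exposes, plus a pre-publish gate.
// Not code from Claude Code, Anthropic or Bun. Runs offline on constructed data.

// Constructed v3 source map. Real bundler output has the same shape, with
// thousands of `sources` entries and a much longer `mappings` string.
// The URL in `sources` is hypothetical and stands in for an external reference.
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: "cli.js",
  sources: [
    "../src/commands/run.ts",
    "../src/tools/permissions.ts",
    "https://example.invalid/build/source-bundle.zip",
  ],
  sourcesContent: [
    "export const run = () => { /* full original TypeScript lives here */ };",
    "export const INTERNAL_FLAG = 'some_unshipped_feature';",
    null,
  ],
  names: ["run", "INTERNAL_FLAG"],
  mappings: "AAAA,SAASA",
});

const URL_PATTERN = /https?:\/\/[^\s"'<>)]+/g;

// Summarise what a source map leaks: the original file tree (`sources`),
// whether the full original text is embedded (`sourcesContent`), and any
// URL-shaped strings in either, which may point at where the source lives.
function auditSourceMap(mapText) {
  const map = JSON.parse(mapText);
  if (map.version !== 3 || !Array.isArray(map.sources)) {
    throw new Error("not a v3 source map");
  }
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embedded = contents.filter((c) => typeof c === "string");
  const urls = new Set();
  for (const text of [...map.sources, ...embedded]) {
    for (const u of text.match(URL_PATTERN) || []) urls.add(u);
  }
  const encoder = new TextEncoder();
  return {
    sourceCount: map.sources.length,
    embeddedSourceCount: embedded.length,
    embeddedBytes: embedded.reduce((n, c) => n + encoder.encode(c).length, 0),
    urls: [...urls],
  };
}

// Pre-publish gate over the paths that would go into the tarball, e.g. the
// files[].path entries from `npm pack --dry-run --json`. Any .map file in
// the list should fail the release.
function findShippedSourceMaps(packedPaths) {
  return packedPaths.filter((p) => /\.map$/i.test(p));
}

// Constructed file list for the demo; cli.js.map is the file that should not be there.
const SAMPLE_PACKED = ["package.json", "cli.js", "cli.js.map", "README.md"];

console.log(JSON.stringify(auditSourceMap(SAMPLE_MAP), null, 2));
console.log("source maps in tarball:", findShippedSourceMaps(SAMPLE_PACKED));
```

Run it with node. The embeddedSourceCount is the number that matters: if it is non-zero, the map is the source, and the urls list tells you where else to look. Failing the build whenever findShippedSourceMaps returns anything is a cheap gate that would have stopped a 59.8 MB cli.js.map before it reached the registry, and it is independent of whichever bundler setting was supposed to suppress the map in the first place.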

Someone at Anthropic forgot. Or missed it. Or maybe Claude Code’s build pipeline had a bug that slipped through review. That last possibility has some evidence behind it: there’s a known bug in Bun (the JavaScript runtime Anthropic uses, and which it acquired last year) where source maps are served in production mode even though the docs say they shouldn’t be. Bug report oven-sh/bun#28001, filed March 11th, is still open. If Bun’s own toolchain was emitting source maps it shouldn’t have, Anthropic might not even have known it was happening.

Either way, version 2.1.88 of @anthropic-ai/claude-code went out to npm at around midnight UTC on March 31st. Tucked inside was a 59.8 MB file called cli.js.map, and inside that file was a direct link to a zip archive sitting in Anthropic’s own Cloudflare R2 storage bucket, the same bucket referenced in the tweet you probably saw.

Nobody hacked Anthropic. The file was just… there.

Twitter users started sharing the code.

A security researcher named Chaofan Shou — an intern at blockchain security firm Fuzzland — spotted the source map file, followed the link, and posted the bucket URL on X. His post got close to 10 million views. Within hours, developers had downloaded the zip, extracted it, uploaded everything to GitHub, and the repositories were getting forked thousands of times before Anthropic’s DMCA takedowns started landing.

One GitHub repo had 41,500 forks by the time I checked. Another had 30,000 stars. The code was everywhere. Anthropic pulled the npm package, but that’s kind of like closing the window after the cat got out and ran down the street.

Anthropic confirmed the whole thing in a statement: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”

Fine. But here’s the thing: this is the second time this has happened. A nearly identical source map leak occurred with an earlier version of Claude Code back in February 2025, about 13 months ago. So “rolling out measures” apparently didn’t stick the first time.

What Was Actually Inside

Around 512,000 lines of TypeScript across roughly 1,900 files. That’s the core “agentic harness”: the software wrapper that sits around the Claude model and tells it how to use tools, manage files, handle permissions, and behave as an agent. Not the model itself, not the weights, and not any user data. But the full blueprint for how Claude Code works as a product.

Some things people found inside are genuinely interesting. There’s a feature called KAIROS — after the ancient Greek word for “the right moment” — which appears 150+ times in the code. It describes a background daemon mode where Claude Code keeps working even when you’re idle. It does something called “autoDream,” where it consolidates memory, cleans up contradictions, and preps context while you’re away from your keyboard. So when you come back, the agent is ready with cleaner context. That feature isn’t live yet, but the code is fully built.

There’s also an anti-distillation system that’s kind of clever. When enabled, Claude Code silently injects fake tool definitions into API requests, decoys that pollute any training data a competitor might be collecting by recording Claude’s API traffic. The idea is that if someone records API calls to train their own model on Claude’s behavior, their dataset gets poisoned with decoy tool definitions. It’s gated behind a feature flag, but the code is there.

And then there’s Buddy. Someone at Anthropic built an entire Tamagotchi-style companion pet system inside Claude Code. You get a pet whose species is determined by a hash of your user ID, with rarity tiers, shiny variants, procedurally generated stats. It’s called Buddy. It lives in a buddy/ folder. I don't know what else to say about that honestly.

There were 44 feature flags total in the code, covering features that are fully built but not shipped. Competitors can now see exactly what Anthropic’s roadmap looks like for the next several months.

The code also mentioned an upcoming model with the internal name “Capybara” — which someone at LayerX Security said looks like it might come in fast and slow variants, with a larger context window. Anthropic had a separate incident just five days earlier where 3,000 internal files accidentally became public, including a draft blog post about a model they’re calling “Mythos.” Seems like Capybara and Mythos might be the same thing, or related. Nobody’s confirmed that yet.

The Axios Problem (This One Is More Serious)

Here’s something that got less attention than the source leak, but is actually the part you should care about if you installed or updated Claude Code via npm on March 31st between midnight and about 3:30 AM UTC.

Separately from the source code leak, the axios npm package, a very common HTTP library that Claude Code depends on, was compromised during that same window. Malicious versions 1.14.1 and 0.30.4 of axios were briefly on npm, carrying what appears to be a remote access trojan. If your package manager resolved either of those versions, or if a dependency called plain-crypto-js shows up in your lockfile or node_modules, treat that machine as compromised: rotate every credential it could reach (API keys, SSH keys, cloud and npm tokens), and do a clean reinstall.
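As an added example (my own code, not Anthropic’s and not an official indicator-of-compromise tool), here is a small lockfile scanner that looks for exactly the indicators named above: axios at 1.14.1 or 0.30.4 anywhere in the dependency tree, and any occurrence of plain-crypto-js. It handles both the packages map used by npm lockfile v2/v3 and the nested dependencies tree of v1. The lockfile it runs on is constructed for the example; point scanLockfile at the text of your real package-lock.json or npm-shrinkwrap.json.

```javascript
// Added example: scan an npm lockfile for the compromised axios versions and
// for plain-crypto-js. Not Anthropic's code; works offline on constructed data.

const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const BAD_PACKAGES = new Set(["plain-crypto-js"]);

// Constructed sample lockfile (v3 layout). The compromised axios is nested
// under another dependency, with plain-crypto-js beside it, while the
// top-level axios is a clean version. A scan that only looks at the top
// level would miss this.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "some-cli": "^1.0.0" } },
    "node_modules/some-cli": { version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/some-cli/node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "*" },
    },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
  },
});

// Package name from a v2/v3 `packages` key:
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

function isBad(name, version) {
  if (BAD_PACKAGES.has(name)) return true;
  return name === "axios" && BAD_AXIOS_VERSIONS.has(version);
}

// Returns a list of { name, version, where } findings; an empty list means
// the lockfile records nothing matching the indicators.
function scanLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  if (lock.packages && typeof lock.packages === "object") {
    // v2/v3: flat map keyed by install path. `name` is only present for
    // aliased packages, in which case it is the real package name.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const name = meta.name || nameFromPath(path);
      if (isBad(name, meta.version)) {
        findings.push({ name, version: meta.version, where: path });
      }
    }
  } else if (lock.dependencies) {
    // v1 (npm 5/6): nested tree, so recurse.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        if (isBad(name, meta.version)) {
          findings.push({ name, version: meta.version, where });
        }
        if (meta.dependencies) walk(meta.dependencies, where + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

console.log(scanLockfile(SAMPLE_LOCKFILE));
```

A clean lockfile is necessary, not sufficient: it only records what was resolved at the time it was written, so an install run without a lockfile, or an npx invocation, leaves no trace there. Also read node_modules/axios/package.json (and any nested copies) in each project, and check the npm cache if you want to know whether the bad tarball was ever fetched on that machine.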

Anthropic now recommends installing Claude Code via their native installer (curl -fsSL https://claude.ai/install.sh | bash) instead of npm, specifically because npm's dependency chain is hard to fully control. That's solid advice regardless of this incident, with one caveat: curl | bash moves your trust from the npm dependency graph to that script and the host serving it, so if that matters to you, download the script, read it, and then run it.

We'll cover the axios and npm story in a separate article. Follow the page for updates.

What This Means Going Forward

So what actually happens now? A few things.

The most obvious one is competitor advantage. Claude Code does about $2.5 billion in annualized revenue, with most of that from enterprise customers. Cursor, GitHub Copilot, and others are all competing in the same space. Any competitor who looks at this code now has a fairly detailed guide to how Anthropic built a production-grade AI coding agent — what tools it uses, how it handles context, how it manages long-running sessions, how it orchestrates multiple agents. You can’t un-see that.

But also, people are already building forks.

Several GitHub repositories popped up within hours advertising themselves as “open source Claude Code” or “Claude Code in Rust” or similar. Some of these will get DMCA takedowns. Some will move to jurisdictions where enforcement is harder. Some developers will strip out Anthropic’s code and just use it as inspiration for architecture decisions. The line between “learning from” and “copying” is going to get blurry fast, and Anthropic’s legal team will be busy.

The feature flag roadmap is gone. KAIROS, the anti-distillation mechanisms, Buddy — competitors can now see what Anthropic is building toward and react. A six-month product surprise becomes a two-month race. That strategic advantage doesn’t come back. Code can be refactored and security can be tightened, but competitors having a clear view of the roadmap is a different kind of problem.

There’s also the security angle. Having 512,000 lines of internal code public means security researchers, good ones and bad ones, will spend the next few weeks looking for exploitable patterns. The permission model, the tool-call loop, the telemetry system: all of it is now readable. Source availability doesn’t create bugs, but it shortens the time to find them, so Anthropic will need to patch whatever turns up before someone exploits it.

Two Big Leaks in One Week

The thing that makes this more than just a “oops, wrong config” story is that this happened five days after Anthropic accidentally exposed 3,000 internal files. Two separate incidents. Two different kinds of human error. Both in the same week.

The source map thing is understandable; it’s a common mistake, and the Bun bug may have made it worse. The CMS misconfiguration that exposed the model documentation is a different kind of problem entirely. The two aren’t technically related, but together they raise a question about release hygiene at a company that builds tools used to write and ship code at massive scale.

Anthropic sells itself partly on being a careful, safety-focused lab. That reputation depends on operational details, not just model behavior. And right now, operationally, it’s been a rough week.

What Should You Do

If you use Claude Code via npm, check your lockfile for plain-crypto-js and for axios versions 1.14.1 and 0.30.4. A global install has no project lockfile, so look at the installed package under the directory that npm root -g prints instead. If you find either, rotate credentials and do a clean reinstall. This is not optional.

Switch to the native installer. Just do it.

And if you’re a developer who downloaded the leaked source or is looking at the GitHub mirrors — understand that having access to code does not make it yours. Building something on top of it, copying architectural patterns wholesale, redistributing it: all of that is legally risky regardless of how you obtained it. 

Anthropic has already sent takedown notices. More are coming.

The leak is already out. Nothing changes that. But your choices about what you do with that information are still yours to make.
