My phone buzzed at 7:42 AM on April 1st—security researcher Chaofan Shou’s X post about Anthropic’s Claude Code source leak staring back at me, coffee going cold.
Anthropic Claude Code source leak. That’s the phrase buzzing everywhere now. On March 31, 2026, version 2.1.88 of their @anthropic-ai/claude-code npm package ballooned to 59.8 MB. Why? A source map slipped in, packing 513,000 unobfuscated TypeScript lines from 1,906 files. Their full agent architecture—exposed.
A single punchy screw-up. Bun’s packaging glitch, no .npmignore file. Boom—everything shipped.
Chaofan spotted it, posted on X. Hours later, mirrors on GitHub, tens of thousands of forks. You can’t unring that bell.
What the Hell Was Actually Leaked?
Orchestration logic laid bare. Exact paths for exploits. Two CVEs slapped on it quick:
- CVE-2025-59536: Remote code execution via malicious repository configs
- CVE-2026-21852: API key exfiltration through hooks and MCP (Model Context Protocol) servers
That’s straight from the reports. Attackers poring over it now can recreate those bugs in their sleep. Trivially reproducible, they say. And who knows what’s forked into private repos already?
Here’s my take, after two decades watching Valley fumbles—this reeks of rushed AI agent hype. Anthropic’s pushing Claude Code hard, promising autonomous dev agents that “understand your codebase.” But internals like this? They’re scripting gold for blackhats. Remember the 2018 EventStream npm hijack? 873 projects infected overnight. This one’s fatter prey: AI-specific logic, ripe for targeting agent-heavy pipelines.
And the timing. Oh boy.
That Axios Trojan Coincidence — Or Perfect Storm?
Same day, March 31, between 00:21 and 03:29 UTC, axios npm got trojaned with a RAT. Remote Access Trojan, pulling keys, commands—nasty stuff. If your CI/CD fired npm install in that window, alongside Claude Code? Double whammy.
Coincidence? Sure. But in supply chain hell, coincidences kill. Zscaler ThreatLabz broke it down: the RAT phoned home, exfiltrated whatever it touched. Bloomberg hit it April 1st. Hacker News lit up.
Developers integrating Claude Code—think GitHub hooks, MCP servers for context passing—now prime targets. That leaked source maps the attack surface perfectly.
Look. I’ve seen PR spin after spin: “Isolated incident, fixed now.” Anthropic yanked the source map in the latest version. Good. But the horse bolted. Forks everywhere. And here’s my unique angle, one no one else is calling out yet: this mirrors the 2020 SolarWinds breach, but npm-flavored for AI devs. Back then, nation-states hid in updates. Today? Open-source agent code, democratized for script kiddies. Bold prediction: copycat CVEs in indie AI tools by summer. Who’s making money? Attackers, obviously. Anthropic? Stock dip, maybe. Devs? Cleaning up.
But. Enough doom-scrolling. Action time.
What Should You Do, Yesterday?
Audit npm logs for March 31. Hunt axios versions from that window—check hashes against reports.
Scan repos using Claude Code. Hooks, MCP configs—primary vectors. Tools like Trivy or Snyk, fire ‘em up.
Update to latest Claude Code. Source map’s gone, but trust? Shaky.
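One way to run the first check above, as an added example that is not from the original article or from any vendor report: pick out npm debug logs written inside the 00:21 to 03:29 UTC window and list every axios copy in a package-lock.json. The log names, lockfile contents and integrity strings below are constructed; real indicators have to come from the published reports.

```javascript
// Added example: triage helpers for the axios window named in the article.
// Window bounds come from the article (00:21 to 03:29 UTC, March 31, 2026).
const WINDOW_START = Date.parse('2026-03-31T00:21:00Z');
const WINDOW_END = Date.parse('2026-03-31T03:29:59.999Z'); // end minute included (assumption)

// npm names debug logs like 2026-03-31T01_02_03_456Z-debug-0.log (in ~/.npm/_logs).
const LOG_NAME = /^(\d{4}-\d{2}-\d{2})T(\d{2})_(\d{2})_(\d{2})_(\d{3})Z-debug-\d+\.log$/;

// Return the log file names whose timestamp falls inside the window.
function logsInWindow(names) {
  return names.filter((name) => {
    const m = LOG_NAME.exec(name);
    if (!m) return false;
    const t = Date.parse(`${m[1]}T${m[2]}:${m[3]}:${m[4]}.${m[5]}Z`);
    return t >= WINDOW_START && t <= WINDOW_END;
  });
}

// List every axios copy in a package-lock.json (lockfileVersion 2 or 3),
// nested copies included, and mark those whose integrity is in reportedBad.
function axiosEntries(lock, reportedBad = []) {
  const bad = new Set(reportedBad);
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === 'node_modules/axios' || path.endsWith('/node_modules/axios'))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      integrity: meta.integrity,
      flagged: bad.has(meta.integrity),
    }));
}

// Constructed sample input, not real indicators.
const SAMPLE_LOGS = [
  '2026-03-30T23_59_10_000Z-debug-0.log',
  '2026-03-31T01_14_52_301Z-debug-0.log',
  '2026-03-31T03_30_00_000Z-debug-0.log',
];
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app' },
    'node_modules/axios': { version: '0.0.1-constructed', integrity: 'sha512-CONSTRUCTED-A' },
    'node_modules/some-sdk/node_modules/axios': { version: '0.0.2-constructed', integrity: 'sha512-CONSTRUCTED-B' },
    'node_modules/axios-retry': { version: '0.0.3-constructed', integrity: 'sha512-CONSTRUCTED-C' },
  },
};
console.log(logsInWindow(SAMPLE_LOGS));
console.log(axiosEntries(SAMPLE_LOCK, ['sha512-CONSTRUCTED-B']));
```

npm rotates its debug logs and CI runners are usually ephemeral, so an empty result from the log check does not prove nothing was installed in the window; the lockfile and registry-proxy records are the stronger evidence.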
And broader: .npmignore in every project. Obfuscate agents. Segment AI tools from prod pipelines. I’ve yelled this since the early Twilio breaches—supply chain’s the weak link, always.
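A pre-publish gate for the packaging mistake described here, as an added example that is not Anthropic's code: it reads the file list npm is about to ship and fails on any source map or an unexpectedly large tarball. The script name `check-pack.js`, the size budget and the sample report are assumptions made for the example.

```javascript
// Added example: gate a publish on the file list npm is about to ship.
// Input: parsed JSON from `npm pack --dry-run --json` (array, one entry per package).
const MAX_UNPACKED_BYTES = 20 * 1024 * 1024; // hypothetical size budget, tune per package

function auditPack(report, maxBytes = MAX_UNPACKED_BYTES) {
  const findings = [];
  for (const pkg of report) {
    for (const file of pkg.files || []) {
      // Any *.map in the tarball can carry the original sources via sourcesContent.
      if (/\.map$/i.test(file.path)) {
        findings.push({ pkg: pkg.name, rule: 'source-map', path: file.path, bytes: file.size });
      }
    }
    if (pkg.unpackedSize > maxBytes) {
      findings.push({ pkg: pkg.name, rule: 'oversized', bytes: pkg.unpackedSize });
    }
  }
  return findings;
}

// Constructed sample report (sizes invented for the example).
const SAMPLE_REPORT = [{
  name: 'constructed-cli',
  version: '0.0.0',
  unpackedSize: 61000000,
  files: [
    { path: 'package.json', size: 1200 },
    { path: 'cli.js', size: 9000000 },
    { path: 'cli.js.map', size: 51998800 },
  ],
}];

// CLI mode (hypothetical file name): npm pack --dry-run --json | node check-pack.js --stdin
if (process.argv.includes('--stdin')) {
  let buf = '';
  process.stdin.on('data', (chunk) => { buf += chunk; });
  process.stdin.on('end', () => {
    const findings = auditPack(JSON.parse(buf));
    console.log(JSON.stringify(findings, null, 2));
    process.exitCode = findings.length ? 1 : 0; // non-zero blocks the publish step
  });
} else {
  console.log(auditPack(SAMPLE_REPORT));
}
```

Running it in CI before `npm publish` catches the leak regardless of which bundler produced the map, which an ignore file alone does not guarantee if the build output path changes.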
Why Does This Hit AI Devs Hardest?
Claude Code’s pitched as your coding sidekick—agents cloning repos, running tests, iterating. Leaked guts show how: orchestration via those hooks, context via MCP. Attackers replay RCE? Your agent’s theirs. Exfil keys? Billing nightmare.
Skeptical vet here—AI agents sound magical, but they’re just brittle scripts on steroids. Hype sells subscriptions. Reality? Leaks like this expose the plumbing. Who profits? Anthropic’s investors, chasing that agent moat. Us? Dodging bullets.
Deeper dive: leaked files detail prompt chaining, tool invocation—stuff competitors would kill for. Forks mean reverse-engineering Claude’s edge. OpenAI watching? You bet.
Lessons from 20 Years of Valley Leaks
This ain’t new. 2014 Heartbleed: open source bit everyone. 2021 Codecov bash uploader hack: CI/CD toast. Pattern? Rush to ship, skip basics. Anthropic’s no dummy—Claude’s sharp—but scaling agents means scaling slop.
Prediction: npm audits mandatory in AI stacks by 2027. Or regret it.
Short version? Wake up. Secure your chain.
Frequently Asked Questions
What caused the Anthropic Claude Code npm source leak?
Bun packaging error plus missing .npmignore shipped the 59.8 MB source map with 513K lines.
Did the axios RAT affect Claude Code users?
Possible—trojan active hours before leak went public. Check logs if you installed March 31.
Are Claude Code CVEs exploitable now?
Yes, leaked source makes RCE via repo configs and key exfil via hooks/MCP trivial for attackers.