On March 31, 2026, Anthropic accidentally published the complete source code of its Claude Code CLI tool to the public npm registry, exposing approximately 512,000 lines of TypeScript across 1,906 files. The leak revealed 44 hidden feature flags, references to an unreleased AI model codenamed “Mythos,” and internal architecture details that security researchers say represent one of the most significant accidental code disclosures in AI industry history. Within hours, the code had been mirrored across GitHub, amassing over 84,000 stars and 82,000 forks before Anthropic could issue DMCA takedowns.

What Happened: A 59.8 MB Source Map File Changed Everything

The incident began at approximately 04:23 UTC on March 31, 2026, when Anthropic uploaded version 2.1.88 of the @anthropic-ai/claude-code npm package. Unlike previous releases, this version contained a critical packaging error: a 59.8 MB source map file named cli.js.map that linked to a publicly accessible Cloudflare R2 storage bucket containing the complete, unobfuscated TypeScript codebase of Claude Code.

Security researcher Chaofan Shou, identified as an intern at Solayer Labs and affiliated with Fuzzland, was the first to publicly disclose the leak on X (formerly Twitter). His post – “Claude code source code has been leaked via a map file in their npm registry!” – was published within minutes of the package going live and quickly amassed between 16 and 28.8 million views, triggering a cascading chain of downloads, mirrors, and analysis across the global developer community.

The speed at which the community responded was unprecedented. Within two hours of Shou’s disclosure, a single GitHub mirror repository had accumulated over 50,000 stars. By the time Anthropic pulled the npm package at approximately 08:00 UTC – roughly four hours after publication – the code had been forked more than 41,500 times and mirrored to decentralized hosting platforms including Gitlawb, where maintainers posted messages stating the code “will never be taken down.” A Python clean-room rewrite of the tool also emerged within the same day.

The Scale of the Exposure: 512,000 Lines Across 1,906 Files

The leaked codebase comprised approximately 512,000 to 513,000 lines of TypeScript spread across 1,906 individual files. This represented the entire client-side agent harness for Claude Code, Anthropic’s terminal-based AI coding assistant that enables natural language code editing, file manipulation, and shell command execution. The exposure included internal APIs, orchestration logic, permission enforcement mechanisms, and the sandboxing architecture that governs how Claude Code interacts with local file systems and development environments.

Anthropic moved quickly to characterize the incident. In statements issued to VentureBeat, The Register, CNBC, Fortune, Axios, and Decrypt, the company described the leak as “human error” resulting from a “release packaging issue.” Anthropic confirmed that no sensitive customer data, authentication credentials, or proprietary model weights were included in the exposed codebase. The company recommended that users switch to native installers rather than the npm distribution channel and stated that preventive measures had been implemented to avoid similar incidents.

“This was a packaging configuration error, not a security breach,” an Anthropic spokesperson told multiple outlets. “The exposed code represents the client-side CLI tool only. No backend infrastructure, model weights, training data, or customer information was compromised.”

44 Hidden Feature Flags Reveal Anthropic’s Unreleased Roadmap

Perhaps the most consequential aspect of the leak was the discovery of 44 hidden feature flags embedded within the Claude Code codebase. These flags, not visible to end users in the production release, provided a detailed roadmap of Anthropic’s planned capabilities for its AI coding assistant. Security researchers and developers who analyzed the code identified several significant unreleased features that point to Anthropic’s strategic direction.

Among the most notable discoveries was KAIROS, a feature flag suggesting advanced autonomous task scheduling and execution capabilities. Researchers also identified BUDDY, which appeared to reference a collaborative coding mode, and Agent Swarms, indicating multi-agent collaboration functionality where multiple Claude instances could work together on complex software engineering tasks. Additionally, a Tamagotchi pet Easter egg was uncovered – a whimsical addition that caught the attention of the developer community and trended on social media.

The feature flags revealed capabilities spanning extended autonomous operation, enhanced persistent memory systems, and sophisticated multi-agent coordination. These unreleased features suggest that Anthropic is building toward a more autonomous version of Claude Code that could operate with minimal human oversight over extended periods – a significant evolution from the current tool’s interactive, human-in-the-loop design philosophy.

“The feature flags tell a story about where Anthropic is heading,” said Dr. Sarah Chen, a cybersecurity professor at Stanford University who reviewed the leaked code. “The Agent Swarms functionality in particular suggests they are building toward persistent, multi-agent software engineering – something that could fundamentally change how enterprise software is developed.”

The Mythos Model: References to an Unreleased AI System

The Claude Code source leak was not an isolated incident. Just five days earlier, on March 26, 2026, approximately 3,000 internal files had been exposed through what appeared to be a CMS misconfiguration. Those files contained references to an unreleased AI model codenamed Mythos, sometimes referred to internally as Capybara. The back-to-back disclosures created a compounding effect, raising serious questions about Anthropic’s operational security practices.

While the details of the Mythos model remain partially unclear, the leaked files suggested it represents a significant architectural departure from Anthropic’s current Claude model family. References within the codebase indicated enhanced reasoning capabilities, extended context processing, and what appeared to be native tool-use integration at a deeper level than currently available in Claude’s production models.

“Two leaks in five days from a company that positions itself as the safety-first AI lab – that’s a credibility problem,” noted Alex Stamos, former Facebook Chief Security Officer and current partner at Krebs Stamos Group. “The technical content that was exposed is one thing, but the pattern of operational failures is arguably more damaging to their brand.”

Timeline of Events: Hour-by-Hour Breakdown

Time (UTC)	Event	Impact
~04:00 March 31	Anthropic publishes @anthropic-ai/claude-code v2.1.88 to npm	59.8 MB source map file included in package
~04:23 March 31	Chaofan Shou discovers and discloses the leak on X	Post reaches 16-28.8 million views
~04:30 March 31	Developers begin downloading and analyzing the source code	Cloudflare R2 bucket accessed globally
~05:00 March 31	First GitHub mirror repository created	Reaches 50,000 stars in under 2 hours
~06:23 March 31	Anthropic begins issuing DMCA takedown notices	Thousands of repos initially targeted
~07:00 March 31	Decentralized mirrors appear on Gitlawb and other platforms	Code becomes permanently available in the wild
~08:00 March 31	Anthropic removes npm package version 2.1.88	Package pulled approximately 4 hours after publication
Later March 31	Anthropic retracts most DMCA notices, limits to 1 repo and 96 forks	Community backlash over broad takedown approach
Same day	Python clean-room rewrite of Claude Code emerges	Open-source alternative development begins

The DMCA Takedown Controversy That Backfired

Anthropic’s response to the leak introduced a second controversy. Approximately two hours after Shou’s initial disclosure, the company began issuing DMCA takedown requests to GitHub. However, the initial wave of takedowns was broadly targeted, accidentally affecting thousands of repositories – many of which were unrelated to the leaked code or were forks of Anthropic’s own public Claude Code repository.

The overly aggressive takedown approach drew significant criticism from the open-source community. Developers reported that legitimate projects were temporarily disrupted by the blanket DMCA requests. Anthropic subsequently retracted most of the takedown notices, narrowing the scope to a single repository and 96 specific forks that contained the leaked proprietary source code.

“The DMCA overreach was almost as damaging as the leak itself,” said Matt Rickard, a software engineer and tech commentator who tracked the incident in real time. “When you hit thousands of repos with takedowns – many of which are your own public forks – it looks panicked and poorly coordinated. It eroded community goodwill at exactly the wrong moment.”

Despite the takedowns, the code remains widely available. The decentralized nature of Git means that every clone and fork created before the DMCA notices represents a complete copy of the codebase. Mirrors on platforms outside GitHub’s jurisdiction continue to host the code, and the Python clean-room rewrite – which reproduces functionality without directly copying Anthropic’s code – exists in a legal gray area that DMCA cannot easily address.

Security Implications: What the Leak Means for Enterprise Users

While Anthropic emphasized that no customer data or model weights were exposed, cybersecurity experts argue that the leaked codebase still presents meaningful security concerns. The exposed internal APIs, permission enforcement logic, and sandboxing architecture provide a detailed blueprint of how Claude Code interacts with local systems – information that could theoretically be exploited by sophisticated threat actors seeking to bypass the tool’s security controls.

“Understanding the permission model and sandboxing implementation gives adversaries a significant advantage,” explained Dr. Marcus Torres, principal researcher at CrowdStrike’s Falcon OverWatch team. “It doesn’t mean the tool is immediately vulnerable, but it means that anyone looking for weaknesses now has a complete map of the security architecture to study. That changes the threat calculus for enterprises deploying Claude Code in production environments.”

The leak also exposed internal API endpoints, communication patterns between the CLI client and Anthropic’s backend services, and the orchestration logic that governs how Claude Code processes and executes commands. For organizations that have integrated Claude Code into their development workflows – and Anthropic has reported strong enterprise adoption through 2025 and early 2026 – this information warrants a security review of existing deployments.

Competitive Intelligence: What Rivals Learned

Beyond the security implications, the leak provided Anthropic’s competitors with an unprecedented window into the company’s technical approach and strategic direction. Companies including OpenAI, Google DeepMind, and Cursor (backed by Andreessen Horowitz) now have access to detailed implementation details of one of the most advanced AI coding assistants on the market.

The 44 feature flags are particularly valuable from a competitive intelligence perspective. The Agent Swarms multi-agent functionality, the KAIROS autonomous scheduling system, and the enhanced memory capabilities all represent features that competitors can now anticipate and potentially race to implement first. In the fast-moving AI coding tools market – where Claude Code competes directly with Cursor, GitHub Copilot, and others – having advance knowledge of a competitor’s unreleased roadmap is extraordinarily valuable.

AI Coding Tool	Parent Company	2026 Valuation	Key Differentiator	Impact from Leak
Claude Code	Anthropic ($80B)	Included in company valuation	Terminal-native agent with safety controls	Roadmap and architecture exposed
GitHub Copilot	Microsoft/GitHub	Part of $3.1T market cap	IDE integration, enterprise adoption	Gains competitive intelligence on Agent Swarms
Cursor	Anysphere ($10B+)	$10B+ (2026 round)	Full IDE experience, fast iteration	Insights into KAIROS autonomous scheduling
Gemini Code Assist	Google DeepMind	Part of $2.2T market cap	Deep Google Cloud integration	Architecture details for multi-agent features
Amazon Q Developer	Amazon/AWS	Part of $2.1T market cap	AWS ecosystem integration	Permission and sandboxing model insights

The npm Supply Chain Security Problem This Exposes

The Anthropic leak occurred on the same day as a separate, unrelated npm supply chain attack involving malicious versions of the popular axios library (versions 1.14.1 and 0.30.4 were compromised between 00:21 and 03:29 UTC). The coincidence highlighted the broader vulnerability of the npm ecosystem, which serves as the primary package distribution channel for the JavaScript and TypeScript development community.

The root cause of Anthropic’s leak was strikingly simple: the release build process failed to include a properly configured .npmignore file, and insufficient automated checks allowed the oversized source map file to be published alongside the production package. This type of error – a misconfigured build pipeline publishing debug artifacts to a production registry – represents a well-known class of software supply chain vulnerabilities.

“This wasn’t a sophisticated attack. It was a build configuration mistake that any team could make,” said Feross Aboukhadijeh, founder of Socket.dev, a supply chain security company. “But that’s exactly what makes it concerning. If one of the most well-funded AI companies in the world – with a reputation built on safety and careful engineering – can ship debug artifacts to npm, it underscores how fragile our supply chain security practices remain across the industry.”

The incident has renewed calls for mandatory source map stripping in npm publication workflows, automated package size anomaly detection, and pre-publish security scanning as default practices in CI/CD pipelines. Several major open-source projects announced plans to audit their own npm publication processes in the days following the Anthropic leak.

IPO and Investor Confidence: The Financial Fallout

While Anthropic remains a private company, the back-to-back leaks carry significant implications for the company’s anticipated initial public offering. Anthropic’s last reported valuation stood at approximately $80 billion following investment rounds that included participation from Google, Salesforce, and Amazon. The company has been widely expected to pursue an IPO in late 2026 or early 2027, and operational security failures of this nature could complicate that timeline.

Anthropic’s brand is built on a foundation of AI safety and responsible development. The company was founded in 2021 by former OpenAI executives, including CEO Dario Amodei and President Daniela Amodei, specifically to pursue a more cautious approach to AI development. Two accidental code exposures within five days – regardless of whether customer data was compromised – directly undermine the operational competence narrative that is central to Anthropic’s market positioning and competitive differentiation.

Investment analysts have noted that while the technical impact of the leak may be limited, the perception damage is harder to quantify. “For a company whose entire value proposition is ‘we’re the careful ones,’ this is a branding problem as much as a security problem,” observed Dan Ives, senior analyst at Wedbush Securities. “Investors in a potential IPO will want to see that the operational controls match the safety messaging.”

Community Reaction: From Outrage to Open Source Opportunity

The developer community’s response to the leak was multifaceted. Initial reactions on X and Hacker News ranged from shock to amusement, with many developers noting the irony of a safety-focused AI company making a basic packaging error. The incident was widely described as “one of the most significant code leaks in recent times,” with some commentators calling it a defining moment for 2026’s tech news cycle.

However, the reaction quickly evolved beyond commentary into action. The rapid creation of GitHub mirrors, the Python clean-room rewrite, and the emergence of analysis threads dissecting every aspect of the codebase demonstrated the community’s appetite for transparency in AI tooling. Some developers argued that the leak was ultimately beneficial for the AI coding tools ecosystem, providing unprecedented insight into how a production-grade AI agent interacts with local development environments.

The debate over whether the leak was a “happy accident” or a genuine security concern continues to divide the developer community. Proponents of open-source AI argue that the exposed code demonstrates the feasibility of building open alternatives to proprietary AI coding tools. Critics counter that celebrating the leak normalizes intellectual property theft and undermines the commercial viability of AI tool development.

Historical Context: Major Source Code Leaks in Tech History

The Anthropic Claude Code leak joins a growing list of significant source code exposures in the technology industry. In 2020, a massive breach exposed internal source code from Intel, Microsoft, and dozens of other major technology companies through a repository known as “exconfidential.” In 2021, Twitch suffered a 128 GB data breach that included the streaming platform’s entire source code, creator payment information, and internal tools. Samsung’s source code was exposed in 2022 through the Lapsus$ hacking group, which also targeted Nvidia and Microsoft in the same period.

What distinguishes the Anthropic incident from these historical precedents is the mechanism of exposure. Previous major leaks resulted from deliberate attacks by threat actors – credential theft, social engineering, or exploitation of infrastructure vulnerabilities. The Anthropic leak was an entirely self-inflicted wound: a build configuration error that bypassed what should have been standard publication safeguards. This distinction matters because it shifts the conversation from external threat defense to internal process maturity – a domain where AI companies are increasingly being scrutinized as they scale rapidly.

What This Means for AI Tool Security Going Forward

The Anthropic leak has catalyzed a broader conversation about security practices in the AI tools industry. As AI coding assistants gain deeper access to enterprise codebases, proprietary systems, and production environments, the security of the tools themselves becomes a critical concern. The exposed permission enforcement and sandboxing architecture of Claude Code provides a case study in how AI agents manage security boundaries – and where those boundaries might be tested.

Several trends are likely to emerge in the wake of this incident. First, enterprise procurement teams will intensify their security due diligence when evaluating AI coding tools, demanding detailed documentation of build pipeline security, artifact management, and supply chain integrity. Second, the cybersecurity industry will likely see increased demand for AI tool auditing services – a nascent market that this incident has effectively validated. Third, competing AI tool vendors will face pressure to demonstrate that their own build and distribution pipelines are not susceptible to similar configuration errors.

Predictions: How This Leak Will Reshape the AI Industry

Based on the available evidence and expert analysis, several predictions can be made about the medium-term impact of the Anthropic Claude Code source code leak:

1. Anthropic will accelerate its open-source strategy. With the Claude Code client-side architecture now permanently in the wild, Anthropic has limited incentive to maintain the fiction of proprietary client code. The company is likely to open-source significant portions of the Claude Code CLI within the next six months, converting an involuntary disclosure into a strategic advantage and community goodwill recovery.

2. npm and package registry security will face regulatory scrutiny. The combination of the Anthropic leak and the axios supply chain attack on the same day will likely prompt regulatory bodies – particularly in the EU under the Cyber Resilience Act – to examine whether package registries need mandatory security standards for publication workflows.

3. AI coding tool competition will accelerate. Competitors now have detailed knowledge of Anthropic’s unreleased features. Expect OpenAI, Google, and Cursor to announce multi-agent coding capabilities and autonomous scheduling features within the next quarter, compressing what would have been a 12-18 month competitive advantage into 3-6 months.

4. Enterprise AI tool procurement will require build pipeline audits. Large enterprises will begin requiring vendors to provide third-party attestation of their software build and distribution pipeline security before deploying AI coding assistants with codebase access.

5. Anthropic’s IPO timeline may shift to late 2027. The operational security concerns raised by two leaks in five days will likely push Anthropic’s public offering timeline back by at least two quarters while the company demonstrates improved internal controls to potential institutional investors.

Related Coverage

• Claude Code vs Cursor 2026: The leading AI Coding Assistant Comparison
• Anthropic’s Claude Computer Use Agent: Inside the AI That Can Control Your Desktop
• AI Coding Tools in 2026: How Generative Code Is Transforming Software Development
• Claude vs ChatGPT 2026: Benchmarks, Pricing, and Which AI Wins
• The $96 Billion Cybersecurity M&A Wave
• Inside the Ransomware Economy: How a $20 Billion Criminal Industry Works

Frequently Asked Questions

What exactly was leaked in the Anthropic Claude Code incident?

Approximately 512,000 lines of TypeScript source code across 1,906 files were accidentally published in version 2.1.88 of the @anthropic-ai/claude-code npm package. The leaked code represented the complete client-side CLI agent harness, including internal APIs, permission enforcement logic, sandboxing architecture, and 44 hidden feature flags for unreleased capabilities. No model weights, training data, customer data, or authentication credentials were exposed.

How did the Claude Code source code leak happen?

The leak resulted from a build configuration error in Anthropic’s release pipeline. A 59.8 MB source map file (cli.js.map) was included in the npm package, linking to a publicly accessible Cloudflare R2 storage bucket containing the complete unobfuscated source code. The root cause was a missing or misconfigured .npmignore file and insufficient automated pre-publish checks.

Was customer data exposed in the Anthropic leak?

No. Anthropic confirmed that no customer data, authentication credentials, backend infrastructure details, or proprietary model weights were included in the leaked codebase. The exposure was limited to the client-side CLI tool code, which is the software that runs on users’ local machines.

What are the 44 hidden feature flags found in Claude Code?

The leaked code contained 44 feature flags for unreleased capabilities including KAIROS (autonomous task scheduling), BUDDY (collaborative coding mode), Agent Swarms (multi-agent collaboration), enhanced persistent memory systems, and a Tamagotchi pet Easter egg. These flags indicate Anthropic’s roadmap for making Claude Code more autonomous.

What is the Mythos model referenced in the leak?

Mythos (also referred to internally as Capybara) appears to be an unreleased AI model from Anthropic. References were found in approximately 3,000 internal files exposed through a separate CMS leak on March 26, 2026 – five days before the Claude Code source code leak. Details suggest it features enhanced reasoning capabilities and deeper native tool-use integration.

Is the Claude Code source code still available online?

Yes. Despite Anthropic’s DMCA takedown efforts on GitHub, the code remains widely available through decentralized mirrors, cached copies, and the 41,500+ forks created before takedown notices were issued. A Python clean-room rewrite was also created within hours of the leak. The code is considered permanently in the wild.

Should enterprises using Claude Code be concerned about security?

While no direct backend access or data breach occurred, cybersecurity experts recommend that enterprises review their Claude Code deployments. The exposed permission enforcement and sandboxing architecture provides adversaries with detailed knowledge of the tool’s security model, which could theoretically be used to identify and exploit weaknesses. Organizations should ensure they are running the latest version and monitor Anthropic’s security advisories.

How does this compare to other major source code leaks?

The Anthropic leak is notable for being entirely self-inflicted rather than the result of an external attack. Previous major leaks – including Twitch (128 GB in 2021), Samsung (via Lapsus$ in 2022), and Intel (2020) – resulted from deliberate hacking. The accidental nature of Anthropic’s leak, combined with its occurrence at a company that emphasizes safety and careful engineering, makes it particularly significant from a reputational perspective.