
Anthropic Accidentally Leaked Claude Code Source, Then Swept GitHub With Takedowns

A missing .npmignore line in Claude Code v2.1.88 exposed 512,000 lines of TypeScript; Anthropic's DMCA response then swept 8,100 GitHub repositories, including legitimate forks.

Lisa Park

A single missing configuration line cost Anthropic one of the most embarrassing source code disclosures in recent AI industry history, then set off a legal overreach the company spent days trying to walk back.

On March 31, 2026, Anthropic pushed version 2.1.88 of its @anthropic-ai/claude-code package to the npm registry. Bundled with the routine update was a 59.8 MB JavaScript source map file that had no business shipping with a production release. The root cause traced back to a missing .npmignore exclusion rule: the Bun bundler Anthropic used generates source maps by default, and without an explicit instruction to strip the file before publishing, it went live. Security researcher Chaofan Shou spotted the exposure within hours. What the source map unlocked was substantial: 1,900 files and more than 512,000 lines of the application's internal TypeScript source, including system prompts, orchestration logic, and 44 hidden feature flags covering at least 20 features Anthropic had not publicly announced.

The competitive damage was immediate. Rivals could study Claude Code's architecture and unreleased feature roadmap in detail. The subtler risk, security experts warned, was to the model's safety posture itself. Zahra Timsah, co-founder and CEO of i-GENTIC AI, noted that once internal flags and system prompts are exposed, "you are no longer dealing with a black box." When the precise implementation of safety guardrails becomes visible, probing or circumventing them grows considerably easier.

Anthropic pulled v2.1.88 and attributed the exposure to "a release packaging issue caused by human error, not a security breach," releasing v2.1.89 on April 1 as a clean replacement. But the source map was already spreading. The company then compounded the problem by filing DMCA takedown notices against GitHub repositories hosting the leaked files. GitHub executed the notice against its entire fork network, disabling approximately 8,100 repositories in a single sweep. Included in the mass takedown were legitimate forks of Anthropic's own publicly hosted Claude Code repository, accounts that had never touched the leaked source map at all. Anthropic later acknowledged the action had reached more repositories than intended, retracted the bulk of the notices, and narrowed enforcement to repositories directly hosting the leaked material.

AI-generated illustration

The takedown failed on its primary objective. Within hours, developers were reposting the source converted to Python and Rust, formats that DMCA notices tied to the original TypeScript files could not easily reach. The Streisand effect intensified attention on the leaked material precisely because of the aggressive response, and the episode exposed a structural problem with GitHub's DMCA enforcement: the platform's fork network architecture means a single notice can cascade to thousands of repositories, including ones with no connection to the underlying infringement.

For developers currently relying on Claude Code tooling, the exposure of internal routing logic and prompt scaffolding means any application built on undocumented Claude Code behaviors should be treated as potentially unstable; Anthropic may alter those internals as part of remediation. Zscaler's ThreatLabz team advised scanning local environments for unexpected npm packages and exercising caution with new Claude Code releases while the security review remains ongoing. Anthropic designated its native installer, a standalone binary, as the preferred alternative to the npm package because it bypasses the npm dependency chain where the error originated. Teams maintaining their own npm packages should audit .npmignore and package.json file field configurations immediately: a missing exclusion for .map files is precisely the mistake that triggered this incident.
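Two of the points above lend themselves to a concrete check: what a JavaScript source map actually gives away (file names and, when the bundler embeds `sourcesContent`, the original source text itself), and how a release gate would have stopped a `.map` from shipping. The script below is an added example written for this article, not Anthropic's release tooling or part of the npm CLI. It assumes the tarball under inspection is what `npm pack` produces (every entry under a top-level `package/` directory); the sample package, its `package.json`, and the miniature source map are constructed here for the demonstration.

```python
"""Pre-publish gate for an npm package: refuse to ship a tarball that carries
source maps (or other files that should never be published), and show what a
leaked source map exposes.

Added example for this article, not Anthropic's tooling. Assumes `npm pack`
layout (paths prefixed with "package/"); all sample data is constructed.
"""
import fnmatch
import io
import json
import tarfile

# Globs that must never reach the registry. "*.map" is the one this incident
# turned on; fnmatch's "*" also crosses "/", so it matches dist/cli.js.map.
FORBIDDEN_PATTERNS = ("*.map", "*.tsbuildinfo", ".env", ".env.*", "*.pem", "*.key")


def summarize_source_map(map_bytes: bytes) -> dict:
    """What a source map gives away: original file names and, if the bundler
    embedded `sourcesContent`, the original (e.g. TypeScript) source text."""
    smap = json.loads(map_bytes)
    content = smap.get("sourcesContent") or []
    return {
        "files": len(smap.get("sources", [])),
        "embedded_source_lines": sum(c.count("\n") + 1 for c in content if c),
    }


def audit_tarball(tgz: bytes, max_bytes: int = 10 * 1024 * 1024) -> dict:
    """Inspect an npm tarball and report forbidden or oversized entries.

    Returns {"forbidden": [...], "oversized": [(path, size), ...], "ok": bool}.
    A tens-of-megabytes .map beside a CLI bundle would trip both checks.
    """
    forbidden, oversized = [], []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # npm pack prefixes every path with "package/"; strip it.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if any(fnmatch.fnmatch(rel, pat) for pat in FORBIDDEN_PATTERNS):
                forbidden.append(rel)
            if member.size > max_bytes:
                oversized.append((rel, member.size))
    return {"forbidden": forbidden, "oversized": oversized,
            "ok": not forbidden and not oversized}


def check_packaging_config(package_json: dict, npmignore: str = "") -> dict:
    """Heuristic review of the two places that decide what npm publishes.

    A directory listed in "files" (e.g. "dist") ships everything beneath it,
    so a "files" allowlist alone does not keep dist/*.map out; an .npmignore
    rule such as "*.map" (or the tarball check above) is what catches them.
    """
    rules = [ln.strip() for ln in npmignore.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    files = package_json.get("files")
    return {
        "files_allowlist_present": files is not None,
        "files_lists_map_explicitly": bool(files) and any(f.endswith(".map") for f in files),
        "npmignore_excludes_maps": any(r.endswith(".map") for r in rules),
    }


# Constructed stand-in for a bundler's source map with embedded sources.
SAMPLE_MAP = json.dumps({
    "version": 3,
    "sources": ["src/cli.ts"],
    "sourcesContent": ["// internal TS source (constructed)\nexport const flag = true;"],
}).encode()


def build_sample_tarball(include_map: bool) -> bytes:
    """Build an in-memory tarball shaped like `npm pack` output (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("package.json", json.dumps({"name": "example-cli", "version": "0.0.1",
                                        "files": ["dist"]}).encode())
        add("dist/cli.js", b"#!/usr/bin/env node\nconsole.log('hi');\n"
                           b"//# sourceMappingURL=cli.js.map\n")
        if include_map:
            add("dist/cli.js.map", SAMPLE_MAP)
    return buf.getvalue()


if __name__ == "__main__":
    print("source map exposes:", summarize_source_map(SAMPLE_MAP))
    for with_map in (True, False):
        report = audit_tarball(build_sample_tarball(with_map))
        label = "with map" if with_map else "clean   "
        print(label, "->", "OK" if report["ok"] else f"BLOCK {report['forbidden']}")
    print(check_packaging_config({"files": ["dist"]}, "# keep maps out\n*.map\n"))
```

In a real pipeline the tarball bytes would come from `npm pack` run in CI just before `npm publish`, with a non-zero exit when `ok` is false; the point of checking the packed artifact rather than only the config is that it catches whatever the bundler emitted, regardless of which ignore rule was forgotten.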

The disclosure lands at an acutely sensitive moment. Anthropic is widely reported to be targeting a public market debut near a $350 billion valuation, and the week's events raised pointed questions about whether the company's release engineering practices match the trust demands of the enterprise and government markets it is pursuing.
