NEWS ANALYSIS · April 1, 2026 · 8 MIN READ

Claude Code's 512K-Line Source Code Was Hiding in Plain Sight on npm

By EndOfCoding

On March 31, 2026, security researchers discovered that Anthropic had accidentally published 59.8 MB of Claude Code's proprietary source code — 512,000+ lines — through npm source maps left in the public package. This is Anthropic's second accidental disclosure in days, following the unintentional exposure of the internal 'Mythos' project details earlier in the week. Here's what was actually in the leaked code, what it means for users, and what vibe coders should do right now.

What You'll Learn

You'll understand how the leak happened, what source code was exposed, what security implications exist for Claude Code users, whether you need to take any action, and what this means for enterprise teams that deploy Claude Code.

How It Happened

Source maps are debug files that link minified JavaScript back to the original source code. They're supposed to be excluded from production npm packages. Anthropic's build pipeline for the @anthropic-ai/claude-code npm package failed to strip them — leaving the complete, unobfuscated TypeScript source accessible to anyone who downloaded the package and knew where to look.

The process:

  1. Developer installs @anthropic-ai/claude-code via npm
  2. The .map files ship alongside the compiled JS
  3. Any browser dev tool or Node.js debugger can reconstruct the original TypeScript
  4. No special tools required — standard npm audit tooling surfaces it
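
A pre-publish check for the failure described above, as an added example (not code from Anthropic or from the original article). It walks a package directory, reports every .map file and sourceMappingURL comment, and counts how many bytes of original source each map embeds in sourcesContent; the function names and the sample package are constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Recursively list files under dir, skipping node_modules.
function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    return e.isDirectory() ? (e.name === 'node_modules' ? [] : walk(p)) : [p];
  });
}

// One finding per source map (or reference to one) that would ship.
function findShippedSourceMaps(pkgDir) {
  const findings = [];
  for (const file of walk(pkgDir)) {
    const rel = path.relative(pkgDir, file);
    const text = fs.readFileSync(file, 'utf8');
    if (file.endsWith('.map')) {
      let map = {};
      try { map = JSON.parse(text) || {}; } catch { /* still a shipped .map file */ }
      // sourcesContent holds the original files verbatim; null entries are allowed.
      const embedded = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
      const embeddedBytes = embedded.reduce((n, s) => n + Buffer.byteLength(s || ''), 0);
      findings.push({ file: rel, kind: 'map-file', embeddedBytes });
    } else if (/\.[cm]?js$/.test(file)) {
      const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(text);
      if (!m) continue;
      const kind = m[1].startsWith('data:') ? 'inline-map' : 'map-reference';
      findings.push({ file: rel, kind, embeddedBytes: 0 });
    }
  }
  return findings;
}

// Constructed sample package: one bundle plus the map that should not ship.
const SAMPLE_TS = 'export const answer: number = 42;\n';
function buildSamplePackage() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pkg-check-'));
  fs.writeFileSync(path.join(dir, 'cli.js'), 'console.log(42);\n//# sourceMappingURL=cli.js.map\n');
  fs.writeFileSync(path.join(dir, 'cli.js.map'), JSON.stringify({
    version: 3, file: 'cli.js', sources: ['../src/cli.ts'],
    sourcesContent: [SAMPLE_TS], mappings: 'AAAA',
  }));
  return dir;
}

// A CI gate would fail the release when this list is non-empty.
console.log(findShippedSourceMaps(buildSamplePackage()));
```

In a release pipeline, point findShippedSourceMaps at the unpacked output of `npm pack` so it sees exactly the files that would be published.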

What Was in the 512K Lines

Researchers who analyzed the leak reported finding:

  • Full agent architecture: The complete multi-step task execution pipeline, including how Claude Code handles tool calls, manages context windows, and decides when to spawn sub-processes
  • System prompt templates: The internal prompts used for different Claude Code task modes (explain, implement, debug, refactor)
  • Internal tool definitions: The exact function signatures and descriptions for all Claude Code tools (Bash, Read, Write, Edit, Glob, Grep, etc.)
  • Rate limiting and retry logic: How Claude Code handles API rate limits, timeouts, and error recovery
  • Security-sensitive patterns: Internal allowlist/denylist logic for which file paths and shell commands Claude Code permits
  • Telemetry schema: What usage data is sent to Anthropic (session IDs, tool call counts, latency metrics — no code content per the schema)

What Was NOT in the Leak

To be clear about scope:

  • No model weights — Claude Code is a client; it calls the Claude API
  • No API keys or secrets — Credentials are not bundled in the package
  • No user code — The leak is Anthropic's code, not yours
  • No training data — Model training infrastructure is separate

The Security Implications

For most Claude Code users, the immediate security impact is low. But there are second-order concerns:

1. Prompt injection attack surface is now documented

Anyone who wanted to craft targeted prompt injections against Claude Code now has the exact system prompts to work against. The internal prompt templates define how Claude Code interprets user instructions — attackers can craft inputs designed to exploit the specific framing.

# Before the leak:
Attacker crafts generic prompt injection: 
"Ignore previous instructions..."

# After the leak:
Attacker crafts targeted injection tuned to Claude Code's exact system prompt structure,
knowing which task modes exist and how context is framed

2. Tool permission boundaries are mapped

The allowlist/denylist logic for which shell commands and file paths Claude Code permits is now public. Security researchers (and attackers) can probe for gaps with precision.

3. Enterprise teams should review Claude Code's access scope

If you run Claude Code in CI/CD pipelines or give it broad filesystem access, the security boundary assumptions have changed. The published permission model may be used to find edge cases.

What You Should Do

Immediate actions:

□ If you run Claude Code in automated pipelines:
  → Review what file paths and shell commands it has access to
  → Principle of least privilege: restrict to what's actually needed

□ If you use Claude Code for sensitive codebases:
  → Review Anthropic's telemetry disclosure (what's actually sent)
  → The telemetry schema is now published — it's session IDs and counts, not code

□ If you're an enterprise team:
  → Check whether Claude Code was running with elevated permissions
  → Review your .claude/settings.json for overly broad tool permissions
  → Consider whether your Claude Code version should be pinned until Anthropic
    publishes a clean-build package

No action needed if:
  → You use Claude Code interactively with normal user permissions
  → You're not running it in automated/unattended contexts

Anthropic's Response

Anthropic acknowledged the leak in a statement posted to their status page and Discord. Key points from their response:

  • The affected package version will be deprecated and replaced with a clean build
  • No customer data was exposed (the leak is their code, not user code or API keys)
  • They are reviewing their build pipeline to prevent source map inclusion in future releases
  • No CVEs were filed — the leak is a disclosure issue, not an exploitable vulnerability in the traditional sense

The Broader Pattern

This is the second Anthropic disclosure incident in one week. The Claude Mythos project details leaked earlier through what appeared to be a misconfigured internal document system. Two incidents in one week suggest a process gap — likely in how internal tooling and build pipelines are reviewed before external publication. For a company that bills itself as safety-first, the optics of consecutive accidental disclosures matter as much as the technical severity.

Common Challenges

'Does this mean Claude Code is unsafe to use?': No. The leak exposes Anthropic's code, not yours. The practical risk for most users is limited. Enterprise teams with automated deployments should review their access scope as a precaution.

'Could attackers use this to break Claude Code?': The published system prompts and permission logic increase the precision of potential prompt injection attacks. Anthropic should (and reportedly will) update those prompts in the next release to invalidate anything crafted against the leaked versions.

'Should I stop using Claude Code until there's a clean package?': For interactive use on your local machine, the risk is low. For automated pipelines where Claude Code runs with elevated permissions, exercise more caution until Anthropic publishes the clean-build replacement.

Advanced Tips

Audit your .claude/settings.json now: The settings file controls what tools and paths Claude Code can access. Review it — especially if you followed any tutorials that suggested broad permissions. Restrict to what your current projects actually need.
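
One way to run the settings review recommended here and in the enterprise checklist above, as an added example (not Anthropic's code and not part of the original article). It assumes the file stores allow rules as "Tool" or "Tool(pattern)" strings under permissions.allow, with an optional permissions.defaultMode; the heuristics and the sample settings are constructed for illustration.

```javascript
// Assumption: rules are "Tool" or "Tool(pattern)" strings in permissions.allow.
// The heuristics below are illustrative choices for this example, not Anthropic's rules.
const SCOPED_TOOLS = new Set(['Bash', 'Read', 'Write', 'Edit']);
const HIGH_IMPACT_CMD = /^(sudo|rm|curl|wget|ssh|chmod|sh|bash)\b/;

// Return a reason string when an allow rule looks too broad, otherwise null.
function auditRule(rule) {
  const m = /^(\w+)(?:\((.*)\))?$/.exec(String(rule).trim());
  if (!m) return 'unrecognised rule syntax, review by hand';
  const [, tool, pattern] = m;
  if (!SCOPED_TOOLS.has(tool)) return null;
  if (pattern === undefined || /^[*:\s]*$/.test(pattern)) {
    return `${tool} is allowed with no restricting pattern`;
  }
  if (tool === 'Bash' && HIGH_IMPACT_CMD.test(pattern)) {
    return 'shell rule starts with a high-impact command';
  }
  if (tool !== 'Bash' && /^[\/~]/.test(pattern)) {
    return 'file rule is rooted at / or ~, confirm it stays inside the project';
  }
  return null;
}

// Audit a parsed settings object; returns [{ rule, why }].
function auditSettings(settings) {
  const perms = (settings && settings.permissions) || {};
  const findings = [];
  if (perms.defaultMode === 'bypassPermissions') {
    findings.push({ rule: 'defaultMode', why: 'permission prompts are bypassed' });
  }
  for (const rule of perms.allow || []) {
    const why = auditRule(rule);
    if (why) findings.push({ rule, why });
  }
  return findings;
}

// Constructed sample, standing in for JSON.parse of .claude/settings.json.
const SAMPLE_SETTINGS = {
  permissions: {
    defaultMode: 'bypassPermissions',
    allow: ['Bash', 'Bash(npm run test:*)', 'Bash(curl:*)', 'Read(~/.ssh/**)', 'Edit(src/**)'],
  },
};

console.log(auditSettings(SAMPLE_SETTINGS));
```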

Watch for the patched package: Subscribe to the @anthropic-ai/claude-code npm release feed. When Anthropic releases the clean-build package, update immediately. Pin your version in your package.json until then if you run it in automation.

The source code is a gift for security researchers: The published architecture documentation will likely lead to several legitimate security research papers and CVE reports as researchers probe the now-documented permission model. Follow the Anthropic security advisories page for what surfaces in the next 60 days.

Curriculum update: The Vibe Coding Ebook Chapter 10: The Dark Side is being updated this week with this incident and the March CVE surge data. The Security Playbook in Chapter 19 includes a Claude Code deployment checklist covering exactly these access-scope considerations.

For the full Agentic Engineering security picture, including how to run AI coding agents safely in production, see the updated Vibe Coding Academy curriculum.

Conclusion

The Claude Code leak is a disclosure incident, not a data breach — your code and API keys are safe. But it does change the threat model for teams running Claude Code in automated contexts, and it should prompt a review of your Claude Code permissions and access scope.

For the updated security checklist and Claude Code deployment best practices, see Chapter 10 of the Vibe Coding Ebook. For weekly updates on AI tool security as this story develops, subscribe at EndOfCoding.