What happened
Anthropic accidentally leaked the source code for Claude Code after publishing version 2.1.88 to NPM with an internal source map file that exposed the application’s underlying code. The company confirmed the incident and said no sensitive customer data or credentials were involved or exposed. According to the report, the published package included a 60 MB file named cli.js.map, which contained enough embedded source information to reconstruct the full codebase. The reconstructed source reportedly included about 1,900 files and roughly 500,000 lines of code, along with details of several Claude features. Anthropic said the issue was caused by human error during release packaging rather than a security breach, and it has started issuing DMCA notices to remove the leaked source code from online platforms.
Who is affected
The direct exposure affects Anthropic and the closed-source codebase for Claude Code. The company said no customer data or credentials were exposed, but the leaked package reportedly allowed developers to reconstruct the application’s internal source files and review undocumented product features.
Why CISOs should care
This matters because an internal release packaging error was enough to expose a large closed-source codebase through a public software distribution channel. It also shows how build and release mistakes can create immediate intellectual property exposure even when no attacker is involved and no customer data is compromised.
3 practical actions
- Treat packaging controls as a security control: Review release pipelines to ensure source maps, debug artifacts, and embedded source content cannot be unintentionally published in production packages.
- Scan public packages before release: Add pre-publication checks that identify oversized map files, embedded source content, or other artifacts that could expose internal code.
- Prepare for fast takedown and containment: Make sure legal, engineering, and security teams can quickly remove exposed code from public platforms and assess what internal functionality was revealed.
