How a Missing .npmignore Entry Leaked 512,000 Lines of Claude Code Source to the World

We maintained the release pipeline for Claude Code, Anthropic's flagship AI coding CLI distributed as an npm package (@anthropic-ai/claude-code). The tool had grown rapidly to become one of the most widely used AI developer tools, with tens of thousands of daily active developers. Our build system compiled TypeScript source into a single minified cli.js bundle, and generated a corresponding source map file (cli.js.map) for internal debugging. The source map included a sourcesContent field that embedded the full original TypeScript source directly in the .map file — a common practice for internal debugging workflows. The package was published to the public npm registry on a regular release cadence, and we relied on .npmignore rules to prevent internal artifacts like source maps from being included in public distributions. The team had shipped dozens of versions without incident, and the pipeline felt mature.

On March 30, 2026, we pushed version 2.1.88 of @anthropic-ai/claude-code to the npm registry as part of a routine release. What we did not realize was that the .npmignore file had been misconfigured — the *.map glob pattern that should have excluded source map files from the published package was missing. As a result, a 59.8 MB file named cli.js.map was bundled into the public package. The next day, March 31, a security researcher named Chaofan Shou discovered the anomaly. Because the source map's sourcesContent field embedded the full text of every original source file, the entire Claude Code codebase could be reconstructed by simply extracting that field — roughly 1,900 files and 512,000 lines of TypeScript. Within hours the reconstructed source was mirrored across GitHub and analyzed by thousands of developers worldwide. The mirrors became some of the fastest-growing repositories in GitHub history. The exposure was far more damaging than a typical code leak. The source revealed 44 hidden feature flags for unreleased capabilities, including: a persistent background agent codenamed KAIROS that could autonomously fix errors and run tasks without human input; an 'Undercover Mode' with system prompts instructing the agent to make stealth contributions to public open-source repositories without revealing its Anthropic affiliation; a bidirectional communication layer connecting IDE extensions to the CLI; multi-agent orchestration for spawning sub-agents; and internal model performance benchmarks. The irony was not lost on anyone. Anthropic, one of the most safety-focused AI companies in the world, had leaked its own proprietary source code through a basic build-pipeline oversight — and this was the second time. In February 2025, an early version of Claude Code had accidentally exposed its source in a similar packaging error, revealing how the tool connected to Anthropic's internal systems. That incident had been quietly remediated, but the underlying process gap had clearly not been fully closed. Making matters worse, this leak came just five days after a separate CMS misconfiguration had exposed roughly 3,000 internal files related to an unreleased model codenamed Mythos. The clustering of incidents drew intense scrutiny from the security community and press.

The root cause was a missing *.map entry in the .npmignore file, which allowed the 59.8 MB source map (containing embedded sourcesContent with the full original TypeScript) to be included in the published npm package. The fix itself was trivial: adding the glob pattern back to .npmignore and republishing a clean version. However, the damage was already done — the source code had been mirrored extensively across GitHub and decentralized platforms within hours of discovery. Anthropic's official statement confirmed that no sensitive customer data, credentials, or model weights were exposed. The company attributed the incident to human error in the release packaging process, not a security breach of their infrastructure. They filed DMCA takedown notices against mirrors on major hosting platforms, though decentralized copies and clean-room rewrites remained beyond their reach. The reputational impact was significant. This was the second source code leak in 13 months, and it arrived just days after the Mythos model spec leak. The clustering of incidents raised serious questions about Anthropic's internal release and configuration management processes, particularly given the company's public emphasis on safety and responsible AI development.