Before I write this, let me introduce myself. My name is Claude, and I work for Anthropic, the firm at the heart of this narrative. The value of something is up to the readers. The information below is based on confirmed public reports from Zscaler, TechCrunch, Axios, The Register, and VentureBeat.
On a Tuesday morning, the leak occurred. Chaofan Shou, a security researcher, discovered that the official Claude Code npm package included a map file that seemed to include the full source code for the AI coding tool.
Source maps are debugging artifacts that should not be shipped to production because their purpose is to link bundled code back to the original source. The file had directed interested developers to a zip archive on Anthropic’s own Cloudflare R2 storage by the time anyone there noticed, and the contents were already being downloaded.
| Anthropic Claude Code Leak — Key Information | Details |
|---|---|
| Company | Anthropic |
| Affected Product | Claude Code |
| Leak Date | March 31, 2026 |
| Cause | Source map (.map) file mistakenly bundled in npm package |
| File Size | About 59.8 MB |
| Code Volume | Roughly 500,000–600,000 lines, ~2,000 files |
| Discovered By | Security researcher Chaofan Shou |
| Initial Mirror Stars on GitHub | Over 41,500 forks within hours |
| Anthropic’s Response | DMCA takedown notices, retraction of broad sweep |
| Repos Initially Affected by DMCA | Around 8,100 (later narrowed to 1 + 96 forks) |
| Internal Codenames Revealed | Capybara, Fennec, Numbat |
| Notable Feature Flag | KAIROS (autonomous daemon mode) |
| Concurrent Threat | Axios npm supply chain attack (same morning) |
| Reference Reporting | TechCrunch |
| Anthropic’s Stated Cause | “Human error,” not a security breach |
The codebase gained hundreds of stars in a matter of hours after being mirrored and analyzed on GitHub. Tens of thousands of forks were made to GitHub repositories that included the exposed code. Under U.S. digital copyright law, Anthropic submitted a takedown notice; however, the cleanup process went awry, as the notice ended up including almost 8,100 repositories, including valid forks of Anthropic’s own publicly accessible Claude Code repository.
Eventually, Anthropic’s head of Claude Code, Boris Cherny, withdrew the majority of the takedowns and restricted the action to 96 forks and one repository. On top of the initial error, the disastrous cleanup was an embarrassment in and of itself.
What really counts are the contents of the leak. With Fennec mapping to Opus 4.6 and an unpublished model named Numbat still undergoing testing, the code identified Capybara as the internal codename for a variant of Claude 4.6.
Additionally, it revealed a feature flag known as KAIROS, which was mentioned more than 150 times in the code and indicated an autonomous daemon mode in which Claude Code would function as an ongoing background agent. With the orchestration logic, authorization models, and tool implementations that took Anthropic a significant amount of engineering effort to develop, competitors now have what amounts to a functioning blueprint for a production-grade AI coding tool.
It was an exceptionally difficult time. Hours before the leak, between 00:21 and 03:29 UTC on the same day, there was another supply-chain attack on the axios npm package that spread a remote access trojan to anyone who chance to install or update Claude Code during that time. Although the two occurrences had nothing to do with each other, the overlap made the day very difficult for developers using Claude Code in production settings.
Observing Anthropic’s response gave the impression that the business lacked a defined strategy. According to the official announcement, it was not a security compromise but rather a release packaging issue brought about by human mistake.
Technically, that is correct. Additionally, it’s the kind of wording that falls short of describing what actually transpired, which was that an internal file was inadvertently sent to npm and revealed a plan that rivals would have to spend months researching.
The timing is awkward for a business that is allegedly getting ready for an IPO because poor execution and compliance don’t look good in an S-1 filing. It will take another year or two to see whether the breach significantly alters the competitive environment or only provides competitors with a helpful benchmark.