🔄 Developing Story — Last updated: April 2, 2026 16:30 UTC. Anthropic has confirmed the leak and is issuing DMCA takedown notices. Security researchers have surfaced alarming findings including an undisclosed stealth mode, autonomous background agent, and a Sentry contradiction. R2 map file no longer visible via CDN browse. No CVEs assigned. No patched npm version. See Updates section below.

Updates

April 2, 2026 — 16:30 UTC

R2 map file no longer visible via CDN; lawsuit deposition detail; Sentry contradiction; official hardening guide.

R2/source map accessibility update. jsDelivr CDN currently lists @anthropic-ai/claude-code version 2.1.88 and serves cli.js, but cli.js.map is no longer visible in the public CDN browse view. This is consistent with Anthropic having revoked public access on the R2 bucket and/or CDN cache invalidation. It does not undo the exposure — public GitHub mirrors with 41,500+ forks are permanent. But it closes the original artifact retrieval path.

Sentry contradiction. The Register’s deep-dive into the leaked source identified sentry.ts, an error-reporting module that, when an unhandled exception occurs, captures: current working directory (potentially exposing project names and file paths), feature gates active, user ID, email address, session ID, and platform info. Anthropic’s public data-usage page states: “We do not currently use Sentry. When we used Sentry in the past, we did not send sensitive data like file path or PII.” The presence of sentry.ts in live production source is not necessarily a contradiction — the company may have stopped calling Sentry while leaving the module in place — but it’s a discrepancy worth flagging given its PII capture scope.

Payload Size Telemetry (undocumented). The API call tengu_api_query transmits messageLength — the JSON-serialized byte length of the system prompt, messages, and tool schemas — on every API call. This metadata is not disclosed in Anthropic’s public data-usage documentation and allows Anthropic to profile the size and complexity of every user session, even without seeing content.

Auto-updater runs every launch. autoUpdater.ts:assertMinVersion() fires on every Claude Code launch, pulling the active configuration version from Statsig/GrowthBook. This means Anthropic can remotely retire specific versions — forcing upgrades or disabling installations — without a traditional push mechanism.

Anthropic publishes official privacy hardening guide. In response to the disclosure, Anthropic published a documented list of environment variables that limit data transmission:

  • CLAUDE_CODE_DISABLE_AUTO_MEMORY=1 — disables all memory and telemetry write operations
  • CLAUDE_CODE_SIMPLE (bare mode) — strips memory and autoDream entirely
  • ANTHROPIC_BASE_URL — reroutes API calls to a private endpoint
  • ANTHROPIC_UNIX_SOCKET — routes authentication through a forwarded SSH socket

These were previously undocumented or buried. Their publication is a direct response to the privacy audit triggered by the leak.

DoD lawsuit deposition detail. In the Anthropic PBC v. U.S. Department of War et al litigation, Thiyagu Ramasamy (head of public sector at Anthropic) filed a March 20, 2026 declaration stating: “Anthropic personnel cannot, for example, log into a DoW system to modify or disable the models during an operation; the technology simply does not function that way. In these deployments, only the government and its authorized cloud provider have access to the running system.” The leaked source — particularly the remoteManagedSettings hourly poll and the auto-updater — complicates this claim for non-air-gapped deployments and is likely to feature in further filings.

CVE status. No CVEs have been assigned as of April 2. No new npm version has been released.

April 1, 2026 — 16:30 UTC

Anthropic confirms; DMCA campaign begins. Anthropic has officially confirmed the leak was accidental. Boris Cherny, head of Claude Code at Anthropic, described it as a “plain developer error” — the Bun runtime generates source maps by default and nobody added *.map to .npmignore. The company is now issuing DMCA takedown notices to GitHub mirrors. Anthropic’s CNBC statement characterized the exposure as limited to tooling code: “no user data, prompts, or customer repositories were exposed.” The original npm package v2.1.88 was quietly unpublished.

This was not the first time. A nearly identical source map leak occurred in February 2025 — making this the second such incident in 13 months. The March 31 leak also arrived just 5 days after the “Mythos” model spec leak, in which a CMS misconfiguration exposed ~3,000 internal Anthropic files including draft blog posts about unreleased models.

Security researcher findings — the code is worse than the leak. The Register and independent researcher “Antlers” have published a deep analysis of what the 512K lines actually do. Several findings warrant attention:

  • KAIROS (src/bootstrap/state.ts:72): A fully built but unshipped autonomous daemon mode. Named after the Greek concept of the opportune moment, KAIROS is designed to run persistently in the background — even when your laptop is closed. It suppresses the AskUserQuestion tool (meaning it acts without prompting), auto-backgrounds long bash commands silently, subscribes to GitHub webhook events autonomously, and operates on a 15-second blocking budget. Referenced 150+ times in the codebase. Append-only daily logs create an audit trail — but the user doesn’t control it.

  • autoDream: A separate unreleased background agent capable of reading all session transcripts. Can be disabled via CLAUDE_CODE_SIMPLE (bare mode) or CLAUDE_CODE_DISABLE_AUTO_MEMORY=1.

  • Undercover Mode (undercover.ts, ~90 lines): Activates when an Anthropic employee (USER_TYPE === 'ant') uses Claude Code on a non-internal repository. When active: strips all Co-Authored-By attribution from commits (erasing AI authorship traces), blocks any mention of internal codenames, Slack channels, or unreleased model names. The leaked code also revealed two unreleased model codenames: Opus 4.7 and Sonnet 4.8. In external builds shipped to regular users, Undercover Mode is dead-code-eliminated — you will never encounter it. The ethical concern: AI-generated code from Anthropic employees enters open-source projects with no attribution to the AI or the company.

  • CHICAGO: Internal codename for computer use / desktop control. Enables mouse clicks, keyboard input, clipboard access, and screenshots. Available to Pro/Max subscribers and Anthropic employees.

  • Persistent telemetry: Initially via Statsig (acquired by OpenAI in September 2025), now migrated to GrowthBook. On every launch, Claude Code phones home with: user ID, session ID, app version, platform, terminal type, Org UUID, Account UUID, and email address if defined. If offline, data is cached to ~/.claude/telemetry/. Anthropic can activate or deactivate feature gates mid-session.

  • Remotely managed settings (remoteManagedSettings/index.ts): For enterprise deployments, Anthropic maintains a server that can push a policySettings object, polled hourly without user interaction. These settings can set environment variables including ANTHROPIC_BASE_URL, LD_PRELOAD, and PATH — and take effect immediately via hot reload. LD_PRELOAD in particular has significant security implications.

  • 44 hidden feature flags covering 20+ unshipped features; 5 context compaction strategies; 3 subagent execution models (Fork, Teammate, Worktree); 25+ event hook system; bashSecurity.ts with 23 numbered checks gating every shell command.

Government/legal dimension. The Register also surfaced an active lawsuit: Anthropic PBC v. U.S. Department of War et al, in which Anthropic is suing the DoD for banning its AI services after the company refused to compromise model safeguards. The DoD argued Claude Code represented a supply chain threat — the source leak, including the remotely-managed settings capability and KAIROS daemon, may complicate Anthropic’s position in that litigation.

CVE status. No CVEs have been assigned as of this update. Security researchers are actively auditing the tool permission model, IDE bridge JWT implementation, and the LD_PRELOAD vector in remote managed settings.

No new npm version yet. No patched replacement for v2.1.88 has been published at time of writing beyond unpublishing the original package. Users should pin to a prior clean version.

Anthropic didn’t get hacked. Nobody brute-forced their systems or exploited a zero-day. Someone just forgot to remove a single file from their npm build configuration — and that file handed the entire Claude Code source code to anyone who knew where to look.

What Happened

On March 31, 2026, security researcher Chaofan Shou (@shoucccc) discovered that @anthropic-ai/claude-code version 2.1.88 — published the day before — contained cli.js.map: a JavaScript source map file that should never ship in a production package.

Source maps are debugging artifacts. They create a mapping between minified/bundled production code and the original human-readable source. When you ship one publicly, you’re handing anyone the ability to reconstruct your original codebase in full — comments, variable names, architecture, everything.

But this leak went deeper than a local source map. The .map file contained a reference pointing to a zip archive hosted on Anthropic’s Cloudflare R2 storage bucket — publicly accessible. That zip contained the entire unobfuscated TypeScript source.

Within hours it was downloaded, extracted, and mirrored to a public GitHub repository. That repo has since been forked 41,500+ times.

The code is out. It’s not going back in.

What Was Exposed

The numbers:

  • ~1,900 TypeScript source files
  • 512,000+ lines of code
  • ~40 built-in tools
  • ~50 slash commands
  • Full internal architecture, comments included

Key architectural details now public:

The Tool System — Claude Code’s capabilities are built as discrete, permission-gated plugins. Each tool (file read, bash execution, web fetch, LSP integration) has its own permission model. The base tool definition alone is 29,000 lines of TypeScript.

The Query Engine (46K lines) — The brain of the operation. Handles all LLM API calls, streaming, caching, and orchestration. The largest single module in the codebase.

Multi-Agent Orchestration (“Swarms”) — Claude Code can spawn sub-agents in parallel, each with isolated tool permissions. Anthropic calls these “swarms” internally.

The IDE Bridge — A bidirectional JWT-authenticated communication layer connecting the CLI to VS Code and JetBrains extensions. Now fully documented thanks to the leak.

Runtime: Claude Code runs on Bun (not Node.js), uses React with Ink for terminal UI rendering.

How a Source Map Becomes a Full Source Leak

Source maps aren’t exotic. Every JavaScript developer has used them. The problem is that most developers think of them as a local debugging tool — and they are, until you accidentally publish them to a public package registry.

The flow that caused this:

  1. Anthropic’s build system compiled TypeScript → minified JavaScript (cli.js)
  2. Build system generated cli.js.map — the debugging artifact mapping bundle back to source
  3. The map file referenced a zip archive on an R2 bucket configured with public access
  4. Someone published the npm package without removing the map file from the build output
  5. Shou downloaded the package, found the map, followed the R2 reference, downloaded the zip

This isn’t a sophisticated attack vector. Any npm package auditing tool would catch this. The failure is purely in build hygiene.

The Security Implications

For Anthropic:

  • Proprietary architecture is now permanently public — competitors can study every design decision
  • Security researchers will audit the tool permission system for privilege escalation paths
  • The JWT-based IDE bridge implementation will receive scrutiny for auth bypass vulnerabilities
  • Internal comments and naming conventions reveal strategic priorities and known limitations

The broader lesson for practitioners: Source map exposure is an extremely common mistake that affects far more than just AI companies. A 2024 Astro vulnerability followed the same pattern. The fix is trivial — add "sourcemap": false to your TypeScript/build config, or exclude *.map files from npm publish via .npmignore.

The fact that this happened at Anthropic — a company with significant security resources and a product that runs arbitrary code on developer machines — is a reminder that build pipeline OPSEC is still an afterthought for most engineering teams.

What this isn’t:

  • A breach of Anthropic’s cloud infrastructure
  • Exposure of customer data, prompts, or repositories
  • Evidence of a supply chain attack (unlike the axios incident earlier today)

This is a confidentiality failure in the classical sense — proprietary code is now public. The exploit risk comes second, as researchers dig through 512,000 lines looking for vulnerabilities in the tool permission model and IDE bridge.

Was Claude Code Already Partly Reverse Engineered?

Yes. Claude Code has been reverse engineered before — there’s an entire website (ccleaks.com) dedicated to documenting the hidden portions of Claude Code. What today’s leak provides is a fresh, verified, comment-rich snapshot of the current codebase. For anyone already studying Claude Code’s internals, this is a significant upgrade in fidelity.

Is the Map File Still Accessible?

As of publication, the situation is ambiguous. The R2 bucket reference in the map file may still be accessible, or Anthropic may have revoked public access. The npm package v2.1.88 itself may still contain the map file — npm does not allow package deletion after a window. The GitHub mirrors are permanent — 41,500+ forks ensures redundant copies exist across the entire internet.

Practically: The code is out. Accessibility of the original source is a moot point.

What Anthropic Should Do

  1. Publish a post-mortem explaining how the map file entered the build pipeline
  2. Revoke public access on the R2 bucket if still active
  3. Audit all npm packages for other accidentally shipped debug artifacts
  4. Add build pipeline checks that fail publication if *.map files are detected in the output
  5. Issue a CVE or security advisory covering any vulnerabilities discovered in the leaked code

The Bigger Picture: Two Major Incidents, One Day

March 31, 2026 has been a rough day for the npm ecosystem. The axios supply chain attack (covered here) deployed a cross-platform RAT via a compromised maintainer account. Hours later, Anthropic’s build mistake handed the world Claude Code’s source.

One was a sophisticated, pre-staged attack. The other was a human error in a build script.

Both ended with sensitive code in the hands of the public. The attack surface is wide — and it’s not always the sophisticated adversary you need to worry about.

Sources: The Register (Mar 31) · The Register — Privacy Analysis (Apr 1) · CNBC · Dataconomy — Anthropic confirms · Bloomberg · ClaudeFa.st — Full breakdown · dev.to / Gabriel Anhaia · Penligent · GitHub mirror

Follow @RedTeamGuides for coverage of this and the axios supply chain attack.