Anthropic Claude Code CLI Source Exposed Through npm Source Map
Anthropic's proprietary Claude Code CLI source code was exposed after npm package version 2.1.88 reportedly shipped with a misconfigured source map that pointed to unobfuscated TypeScript files hosted on Anthropic-controlled infrastructure. Researcher Chaofan Shou publicly disclosed the issue, and the exposed archive was said to contain the full src/ directory—nearly 1,900 files and more than 512,000 lines of code—covering core engine logic, tools, commands, internal feature flags, and multi-agent coordination components.
The leaked material was quickly archived, posted to a public GitHub repository, and widely forked, enabling outside analysis of the CLI's internal memory architecture, validation mechanisms, API client logic, OAuth 2.0 authentication flows, and permission enforcement. Anthropic said the exposure resulted from a human packaging error rather than a breach and stated that no sensitive customer data or credentials were leaked, while the incident still raised intellectual property and security concerns because it revealed detailed implementation and architectural information about the product.
How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Anthropic reportedly withholds Mythos Preview and launches Project Glasswing
According to the new reference, Anthropic decided on 2026-04-07 not to publicly release Claude Mythos Preview after internal testing revealed unexpectedly strong offensive cyber capabilities. The article says Anthropic instead granted access to a private 'Project Glasswing' coalition of 12 organizations, backed by $100 million in usage credits.
Malicious GitHub repos use Claude Code leak to spread malware
After the March 31 Claude Code source exposure, Zscaler identified malicious GitHub repositories repackaging the leaked material and offering a ZIP archive with a Rust-based dropper. The payloads included Vidar v18.7 and GhostSocks, and one repository reportedly ranked highly in Google search results for "leaked Claude Code," increasing developer compromise risk.
Critical Claude Code vulnerability is publicly reported after source leak
Within days of the public exposure of Claude Code source, a critical vulnerability in Claude Code was reportedly publicly disclosed. The report framed this as evidence that the leaked code enabled attackers and researchers to systematically audit the agentic tool for exploitable flaws.
Public data store exposes Anthropic Mythos and Capybara model details
Anthropic reportedly had an unsecured public data store that exposed development information about its upcoming Mythos and Capybara AI models. The exposed material included internal characterizations of Capybara as more powerful than Opus and warnings that its cyber capabilities could outpace defenders if misused.
Anthropic asks GitHub to restore legitimate forks hit by broad DMCA action
After a leak-focused DMCA notice triggered GitHub to disable about 8,100 forked repositories, including many legitimate forks of Anthropic's public repository that did not contain leaked code, Anthropic said the broad removals were unintentional. The company asked GitHub to limit enforcement to the 96 specifically identified fork URLs and restore the other affected repositories.
Anthropic recommends native installer after npm leak and Axios supply-chain scare
After removing the exposed Claude Code npm package, Anthropic reportedly advised users to prefer its native installer over npm. The guidance came amid concern that a separate compromise of Axios npm versions 1.14.1 and 0.30.4 may have affected some Claude Code npm installs during a narrow March 31 UTC window.
Typosquatted npm packages appear after Claude Code leak
Following the public exposure of Claude Code source, typosquatted npm packages were published that mimicked related package names, creating potential dependency confusion and follow-on supply-chain attack risk. The activity was reported as a secondary escalation after the original packaging error.
Anthropic says it automated deployment steps after Claude Code leak
Anthropic's Boris Cherny said the Claude Code source exposure was caused by a manual deployment step that should have been automated. He added that the company has since implemented automation improvements to help prevent a similar packaging mistake from happening again.
Anthropic says leak was a packaging error, not a breach
Anthropic stated that the exposure resulted from a human packaging mistake rather than a security breach. The company also said no sensitive customer data or credentials were exposed.
Anthropic reportedly issues DMCA takedown over mirrored Claude Code leak
After the exposed Claude Code source was mirrored on GitHub, Anthropic reportedly sent a DMCA takedown request seeking removal of the leaked material. This represented a follow-on response to the accidental npm source-map exposure and subsequent public archiving of the code.
Leaked Claude Code source is mirrored and widely analyzed
After the disclosure, the exposed Claude Code source was archived, uploaded to a public GitHub repository, and widely forked. Developers and researchers began examining the leaked codebase, including its internal memory architecture and validation mechanisms.
Researcher publicly discloses Claude Code source exposure
On March 31, 2026, researcher Chaofan Shou publicly reported that the @anthropic-ai/claude-code npm package exposed the full Claude Code source through a .map file and downloadable archive. The disclosure highlighted leaked architectural details, internal tools, slash commands, feature flags, and authentication-related logic.
Anthropic publishes Claude Code v2.1.88 with exposed source map
Anthropic released Claude Code CLI version 2.1.88 to npm with a packaging error that included a source map file. The map reportedly pointed to unobfuscated TypeScript source hosted on Anthropic-controlled storage, exposing nearly 2,000 files and more than 512,000 lines of code.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
29 references tracked. Mallory keeps watching after this page renders.
Why game theory failed to predict the two biggest AI events of 2026 - and my framework didn’t | by Berend Watchus | Apr, 2026 | OSINT Team
osintteam.blog
Open sourceClaude Code Leak Explained: How Claude Code Works, Why It Matters, and What Developers Can Learn | by Faisal Feroz | InfoSec Write-ups
infosecwriteups.com
Open sourceClaude Code's Full Source Code Leaked Via .map File in Anthropic's npm Registry
vulnu.com
Open sourceClaude Code's innards revealed as source code leaked online • The Register
go.theregister.com
Open sourceThe Claude Code Source Leak: fake tools, frustration regexes, undercover mode, and more | Alex Kim's blog
alex000kim.com
Open sourceAnthropic mistakenly leaks its own AI coding tool’s source code, just days after accidentally revealing an upcoming model known as Mythos
tech.yahoo.com
Open sourceAnthropic accidentally exposes Claude Code source code • The Register
theregister.com
Open source������ ���� �������������� Claude Code ��-�� �������� � NPM-������ map-�����
opennet.me
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Vulnerabilities in Anthropic Claude Code Enable Code Execution and API Key Exfiltration
Security researchers disclosed multiple vulnerabilities in **Anthropic’s Claude Code** AI coding assistant that could enable **arbitrary command execution** and **exfiltration of Anthropic API credentials** when developers clone/open a malicious repository. Check Point Research reported the issues abuse Claude Code configuration and initialization paths—particularly **project hooks** (e.g., untrusted `.claude/settings.json`), **Model Context Protocol (MCP) servers**, and **environment variables**—to trigger shell command execution and data theft. Anthropic’s advisory for **CVE-2026-21852** describes a project-load flow where a crafted repo can set `ANTHROPIC_BASE_URL` to an attacker-controlled endpoint, causing Claude Code to send API requests **before** the trust prompt is shown, potentially leaking the user’s API key. The disclosed issues include two high-severity code-injection paths (CVSS **8.7**) and one information-disclosure flaw (CVSS **5.3**): a consent-bypass/hook-based injection issue fixed in *Claude Code* **1.0.87** (Sept 2025), **CVE-2025-59536** fixed in **1.0.111** (Oct 2025), and **CVE-2026-21852** fixed in **2.0.65** (Jan 2026). Separate coverage framed Anthropic-related developments as market-moving, noting investor attention around Anthropic’s AI code-security tooling; however, the actionable security impact in this reporting is the risk that simply opening an attacker-controlled repository can lead to **RCE** and **credential leakage**, reinforcing the need to treat untrusted repos and tool initialization behaviors as a supply-chain and developer-workstation risk.
May 7, 2026
Anthropic Leak Exposes Claude Mythos and Thousands of Internal Assets
Anthropic confirmed that an internal data exposure revealed details about **Claude Mythos**, an unreleased AI model the company described in leaked draft materials as its most capable system to date. The leak surfaced through an unsecured, publicly searchable cache tied to a content management system misconfiguration, which reportedly failed to mark uploaded files as private before storing them in a publicly accessible data lake. Exposed materials included a draft blog post, PDFs, images, release-related content, and information about an exclusive CEO-level event. Reports said the exposure involved nearly **3,000 unpublished assets** and included internal language stating that Anthropic had assessed Claude Mythos as posing **unprecedented cybersecurity risks**. Anthropic said the model is real and is being tested by early-access customers, but it had not disclosed whether anyone beyond journalists accessed the data or what remediation steps were taken. The incident has intensified scrutiny of the company’s data governance, access controls, and broader safety claims around pre-deployment evaluation of advanced AI systems.
Apr 7, 2026
Fake Claude Code GitHub Repos Spread Vidar Infostealer and GhostSocks
Threat actors used fake GitHub repositories themed around Anthropic's leaked **Claude Code** source to distribute malware to users searching for the exposed codebase. Researchers at Zscaler ThreatLabz said one repository, operated by user **`idbzoomh`**, promoted a supposed Claude Code leak with "unlocked enterprise features" and no restrictions, while search-engine optimization helped it rank for queries such as **"leaked Claude Code."** Victims who downloaded the offered archive received a Rust-based executable, **`ClaudeCode_x64.exe`**, instead of source code. The executable acted as a dropper for the **Vidar** information stealer and the **GhostSocks** proxy malware. The lure followed Anthropic's accidental exposure of a **59.8 MB** JavaScript source map in an npm package, which revealed roughly **513,000 lines** of unobfuscated TypeScript across **1,906 files** and exposed internal logic and security-related details. Zscaler also identified a second similar repository believed to be tied to the same actor, indicating an ongoing campaign that reportedly reached tens of thousands of users and mirrors recent malware delivery efforts built around fake developer-tool downloads.
Apr 4, 2026