Anthropic Leaks Its Own AI Code Again

Anthropic accidentally published half a million lines of Claude Code source code to a public registry, marking the second major security failure in under a month for the AI safety company.

Staff Writer
Dario Amodei speaking at TechCrunch Disrupt 2023 conference / Wikimedia Commons

Anthropic accidentally published 500,000 lines of its flagship Claude Code source code to a public npm registry on March 31 – the second time in under a year the AI safety-focused company has exposed its proprietary software. Security researcher Chaofan Shou discovered the 59.8MB source map file attached to version 2.1.88 of the @anthropic-ai/claude-code package, revealing roughly 512,000 lines of readable TypeScript code across 1,900 internal files.

The leak exposed 44 hidden feature flags for unshipped capabilities and a subsystem ironically named "Undercover Mode" designed to prevent Claude from revealing internal information. The exposed code included a Tamagotchi-style AI pet called "Buddy" with 18 species and rarity tiers, a background daemon called "KAIROS" for continuous operation, and a multi-agent orchestration system where one Claude instance directs multiple workers.

This marks Anthropic's second major security failure in four weeks. On March 26, the company left approximately 3,000 unpublished CMS assets publicly accessible, including draft materials about an unreleased model codenamed "Capybara" or "Mythos." Internal benchmarks showed that the Capybara prototype had a false claims rate of 29 to 30 percent, up from 16.7 percent in earlier versions.

"Earlier today, a Claude Code release included some internal source code," an Anthropic spokesperson told The Register. "No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach." The company stated it is implementing measures to prevent recurrence.

Security experts argue the pattern reveals fundamental operational failures. "Usually, large companies have strict processes and multiple checks before code reaches production, like a vault requiring several keys to open," said Roy Paz, senior AI security researcher at LayerX Security. "At Anthropic, it seems that the process wasn't in place and a single misconfiguration or misclick suddenly exposed the full source code."

The March 31 incident follows a similar Claude Code source leak in February 2025, which Anthropic quietly patched without public acknowledgment. The coinciding pattern of basic security lapses contradicts Anthropic's branding as the safety-first AI lab commanding premium enterprise pricing with $19 billion in annualized revenue.

While no customer data or model weights were compromised, the exposure provides malicious actors with blueprints to exploit Claude's architecture. The leak revealed permission-gated tool systems, file access patterns, and internal service endpoints that could facilitate targeted attacks.

The March 31 npm leak occurred the same day the axios JavaScript package was compromised with a Remote Access Trojan, highlighting broader supply chain risks. Developers installing or updating Claude Code via npm may have unknowingly imported malware alongside the leaked source code.

Market reactions to Anthropic's security failures have been severe. Following the March 26 CMS exposure, cybersecurity stocks declined. The Global X Cybersecurity ETF shed 6.1 percent, erasing approximately $14.5 billion in market capitalization in a single trading session.

Enterprise clients relying on Claude Code's platform now face questions about Anthropic's development practices. The company's repeated attribution to "human error" appears increasingly implausible given multiple security incidents within weeks.

Internal documents exposed in the CMS leak revealed preparations for an invite-only CEO retreat in the United Kingdom that Anthropic CEO Dario Amodei was scheduled to attend.

Software engineer Gabriel Anhaia noted the technical simplicity of the leak. "A single misconfigured .npmignore or files field in package.json can expose everything," he wrote on DEV Community. The source map file referenced a ZIP archive hosted on Anthropic's Cloudflare R2 storage bucket, making the entire codebase downloadable.
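
As an added illustration of the packaging failure mode described above (not code from Anthropic, this article, or the researchers it quotes), the following pre-publish check flags source maps among the files destined for an npm tarball. The function names `auditPackage` and `shouldBlockPublish` are hypothetical, and the sample package contents are constructed.

```javascript
// Added example: audit the files an npm tarball would contain before publish.
// Entries are constructed samples; in a real pipeline the paths would come
// from the file list reported by `npm pack --dry-run --json`.
const SOURCE_MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;

function auditPackage(entries) {
  const findings = [];
  for (const { path, content } of entries) {
    if (path.endsWith('.map')) {
      let map = null;
      try { map = JSON.parse(content); } catch { /* not JSON: still report it */ }
      // sourcesContent embeds the original, readable source files in the map.
      const embedded = Array.isArray(map?.sourcesContent)
        ? map.sourcesContent.filter((s) => typeof s === 'string').length
        : 0;
      findings.push({ path, issue: 'source-map-shipped', embeddedSources: embedded });
      // Absolute URLs in a map can point at internal storage or build hosts.
      const urls = content.match(/https?:\/\/[^\s"']+/g) || [];
      for (const url of new Set(urls)) {
        findings.push({ path, issue: 'absolute-url-in-map', url });
      }
    } else if (/\.(c|m)?js$/.test(path)) {
      const m = SOURCE_MAP_COMMENT.exec(content);
      if (m) findings.push({ path, issue: 'sourcemap-reference', target: m[1] });
    }
  }
  return findings;
}

// A shipped map is treated as a hard failure; the other findings are context.
function shouldBlockPublish(entries) {
  return auditPackage(entries).some((f) => f.issue === 'source-map-shipped');
}

// Constructed sample package contents (not taken from any real release).
const sampleEntries = [
  { path: 'package.json', content: '{"name":"example-cli","version":"1.0.0"}' },
  { path: 'cli.js', content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: JSON.stringify({
    version: 3,
    sources: ['../src/main.ts', '../src/flags.ts'],
    sourcesContent: ['export const a = 1;', null],
    sourceRoot: 'https://build.example.invalid/src/',
    mappings: 'AAAA',
  }) },
];

console.log(auditPackage(sampleEntries));
```

Run in CI against the pack file list, a check like this catches a misconfigured `.npmignore` or `files` field before the tarball reaches the registry.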

Within hours of the March 31 discovery, the source code was archived to GitHub repositories that accumulated over 1,100 stars and thousands of forks before Anthropic initiated DMCA takedowns. The internet's archival nature ensures the code remains accessible despite removal efforts.

The repeated security failures undermine confidence in Anthropic's ability to safeguard sensitive enterprise deployments. As companies increasingly integrate AI tools into critical workflows, the exposure of internal architectures, tool permissions, and agent systems creates unknown attack vectors.

Anthropic's safety-focused branding, which commands premium pricing over competitors, now faces scrutiny as basic operational security protocols appear absent. The pattern suggests systemic cultural issues rather than isolated mistakes, with enterprise customers left questioning whether their investment is built on secure foundations.
