Claude Code source code leaked by Anthropic: Here’s what we know
Follow Us
I like to imagine someone at Anthropic realising, just a little too late, that Claude Code had essentially hit “reply all” on the internet. One minute it’s quietly helping developers write lines of code and the next, half a million lines of its own are out there for everyone to read. It wasn’t a hack or some crazy data breach, just a basic human error.
SurveyAlso read: Anthropic confirms Claude Code source code leak, says no user data exposed
On March 31, a debugging file called a source map was accidentally bundled into version 2.1.88 of the Claude Code npm package. Source maps are internal tools that connect compiled code back to its original source which makes it useful for developers but catastrophic when shipped publicly. The file pointed to a zip archive sitting on Anthropic’s Cloudflare R2 storage that anyone could simply just right click and download. Security researcher Chaofan Shou spotted it first and posted about it on X. The post racked up nearly ten million views within hours.
What was inside?
Also read: Claude Code’s computer use: How it works and what it can do on your Mac
The source map contained around 1,900 TypeScript files and over 500,000 lines of code covering the full architecture of Claude Code, its LLM API call engine, tool-call loops, streaming responses, retry logic, token counting, and permission models. The codebase was mirrored across GitHub as soon as people found the leak, with one repository getting tens of thousands of stars before Anthropic could pull the package.
Anthropic confirmed the leak and kept its statement brief. “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”
It is true that no customer data, model weights or credentials were leaked but the leak did expose Anthropic’s detailed internal roadmap. The code contained dozens of feature flags for capabilities that are fully built but not yet shipped, giving rivals a clear picture of where Anthropic is taking its most commercially important product. Claude Code’s annualised recurring revenue stood at $2.5 billion as of February, with enterprise clients driving 80 percent of that figure.
The timing makes it worse. This was Anthropic’s second major data blunder in under a week, coming days after Fortune reported that nearly 3,000 internal files had been left in a publicly accessible cache, including a draft blog post detailing an upcoming model known internally as Mythos and Capybara. The code has since been pulled and not available to users unless you know the right places to look in.
Also read: Vivo X200T vs Motorola Signature: Which is the best phone under Rs 60,000
