On March 31, 2026, security researcher Chaofan Shou discovered that Anthropic accidentally shipped an entire unobfuscated codebase—512,000 lines of TypeScript source code across 1,906 files—to the public npm registry via a misconfigured package. A 59.8 MB debug source map file included in the @anthropic-ai/claude-code npm package pointed directly to a publicly accessible Cloudflare R2 storage bucket containing the full Claude Code architecture. Anthropic confirmed the incident the same day, classifying it as a release packaging issue caused by human error. Critically, this represents the second identical source map leak from Anthropic in 13 months (previous incident: February 2025), indicating systemic gaps in build process controls and package publishing safeguards.

What Happened

On March 31, 2026, Anthropic released version 2.1.88 of the @anthropic-ai/claude-code npm package as part of its Claude Code product offering. The package build process inadvertently included a debug artifact—a .map source map file—that was never intended for public distribution.

Incident Timeline:

  1. Build Process (March 2026): Anthropic compiled Claude Code TypeScript source into minified JavaScript. The TypeScript compiler generated a .map debug file as part of normal compilation.

  2. Storage Upload (March 2026): The .map debug file was uploaded to Anthropic's Cloudflare R2 storage bucket with public read access permissions—a critical configuration error.

  3. Package Publishing (March 31, 2026): The @anthropic-ai/claude-code@2.1.88 package was published to npm. Due to missing .npmignore rules or incorrect files field configuration in package.json, the .map file was included in the published tarball.

  4. Discovery (March 31, 2026): Security researcher Chaofan Shou examined the npm package contents and found the .map file, which contained a direct URL to the public R2 storage bucket.

  5. Extraction (March 31, 2026): Downloading the URL revealed a zip archive containing the full Claude Code source: 1,906 TypeScript files totaling 512,000 lines of code.

  6. Public Distribution (March 31, 2026): GitHub mirrors of the leaked source received 41,500 forks within hours, ensuring permanent distribution across the internet.

  7. Acknowledgment (March 31, 2026): Anthropic confirmed the leak and classified it as an operational error, not a security breach. No immediate remediation details were provided.

Repeat Offense: This is the second time Anthropic leaked Claude Code source via the same vector. A nearly identical source map leak occurred in February 2025, suggesting that the root cause analysis and remediation from that incident did not result in systemic process improvements.

What Was Taken

Confirmed Exposure:

NOT Exposed (Confirmed by Anthropic):

Architecture Intelligence Now Public:

Attackers and competitors now have access to:

  - Claude Code's internal plugin and tool system
  - Exact implementation of command parsing and execution
  - Integration patterns with the Claude API
  - Performance optimization techniques
  - Error recovery mechanisms
  - Testing infrastructure and test coverage
  - Build pipeline and release processes

Why It Matters

This incident reveals critical vulnerabilities in AI company operational security and supply chain practices:

  1. Repeat Failure Pattern:
     - Same type of leak occurred in February 2025 (13 months prior)
     - Suggests root cause analysis from the first incident was incomplete or ineffective
     - No systemic changes implemented to prevent recurrence
     - Questions about organizational learning and incident response follow-through

  2. Source Code as Strategic Asset:
     - Claude Code source now reveals Anthropic's engineering practices and architecture decisions
     - Competitors can identify optimization techniques and feature implementations
     - Security researchers can audit code for vulnerabilities
     - Attackers can identify attack surfaces before they are patched

  3. Supply Chain Risk:
     - npm package published to millions of developers
     - Developers installing @anthropic-ai/claude-code@2.1.88 have permanent access to the source code
     - Risk: developers may fork compromised versions, creating a persistent attack surface
     - 41,500 GitHub forks mean the source code is now permanently distributed

  4. Build Process Controls Failure:
     - Indicates missing automation in the build pipeline to detect and prevent source code in packages
     - .npmignore or files field configuration was not validated before publishing
     - No automated checks to ensure debug artifacts are excluded from releases
     - Suggests developers can publish packages without security review

  5. Public Cloud Misconfiguration:
     - Cloudflare R2 bucket was configured with public read access
     - Indicates lack of default-deny access controls on cloud storage
     - No monitoring or alerts for public data access patterns
     - Suggests a reactive rather than proactive security posture

  6. Trust and Reputation Impact:
     - Customers and partners relying on Anthropic code now have confidence concerns
     - Questions about the security of other Anthropic products and build processes
     - Competitors now have detailed architectural knowledge
     - Developers who installed the package may face security concerns about their own applications

The Attack Technique

Not a Traditional Attack—Process Failure

This incident is not a cyberattack but rather a systemic operational security failure in Anthropic's release engineering:

Root Cause: Misconfigured Package Publishing

  1. TypeScript Compilation: The TypeScript compiler generates .js (minified) and .js.map (debug) files. .map files are essential for development but dangerous in production packages.

  2. Missing Exclusion Rules: The .npmignore file (or the files field in package.json) did not exclude *.map files, and no build process validation existed to detect debug artifacts before publishing. Developers were likely unaware that the .map file was being included in the tarball.

  3. Storage Bucket Misconfiguration: The Cloudflare R2 bucket was created with public read access (likely a default or copy-pasted from an example). There was no access control list (ACL) restricting access to internal IPs only, and no monitoring or alerting on public data access patterns.

  4. URL Inclusion in Package: The source map file contained a hardcoded URL (https://r2.anthropic.com/...) that was directly accessible without authentication, making it trivial for any developer to extract the full source archive.

  5. No Integrity Checking: There was no automated verification that the released package contained only the intended artifacts, no scanning for credentials or sensitive data in releases, and no diff comparison between expected and actual package contents.

Why Detection Failed:

What Organizations Should Do

Immediate Actions (Next 48 Hours):

  1. Audit all build and release processes for similar exposures
     - Review all npm packages, Docker images, and artifacts for debug/source files.
     - Scan recent releases for .map, .pdb, .debug, and source code files.
     - Identify any public storage buckets (S3, R2, GCS, Azure Blob) holding debug artifacts.
     - Revoke or restrict public access to any cloud storage containing source code.
     - Notify users of packages that may have included debug artifacts.

  2. Implement automated build validation
     - Add pre-publish checks to the npm package pipeline: scan for .map, .ts, .tsx files.
     - Fail the build if debug artifacts are detected in release packages.
     - Enforce a .npmignore file with explicit denials: *.map, *.ts, *.tsx, .env*.
     - Use npm pack --dry-run to verify package contents before publishing.

  3. Implement cloud storage security controls
     - Audit all cloud storage buckets (S3, R2, GCS, Azure) for public read access.
     - Implement default-deny access control lists (ACLs) on all buckets.
     - Require explicit allowlisting of IP ranges or IAM roles for access.
     - Enable access logging and audit-trail monitoring (CloudTrail on AWS, the provider's equivalent elsewhere) on all buckets.
     - Set up alerts for any public read access attempts.

Medium-Term (Next 2 Weeks):

  1. Establish supply chain security SLAs
     - Require code review of all build configuration changes (package.json, .npmignore, etc.).
     - Mandate security approval before any first-time npm package publication.
     - Implement automated SBOM (Software Bill of Materials) generation and scanning.
     - Require signed releases: GPG signing of npm packages to prove authenticity.

  2. Implement package scanning and validation
     - Use tools like npm audit, snyk, or socket.dev to scan packages for common issues.
     - Integrate security scanning into the CI/CD pipeline; block releases that fail scanning.
     - Scan for: credentials, hardcoded API keys, source maps, executables, large files.
     - Generate provenance attestation (SLSA) for all releases.

  3. Conduct root cause analysis and systemic improvements
     - Investigate why the February 2025 leak did not result in systemic fixes.
     - Identify all process gaps that allowed the repeat incident.
     - Document lessons learned and update security training for engineers.
     - Implement post-incident review requirements: no release without follow-up validation.

Key Takeaway

Anthropic's repeated source map leak in identical fashion demonstrates a fundamental failure in organizational learning and process improvement. The first leak in February 2025 should have triggered systemic changes to build automation, package validation, and access controls. The recurrence 13 months later suggests these changes were not implemented. Organizations must establish mandatory post-incident verification requirements: no incident is closed until systemic controls prevent recurrence.

Sources: Anthropic Leaked 512,000 Lines of Claude Code via a Misconfigured npm Package