- An Anthropic employee accidentally leaked the Claude Code source via an npm map file
- The leak exposed 1,900 TypeScript files containing 500K+ lines of code, which were quickly displayed on GitHub.
- Anthropic confirmed that no customer data was exposed, citing a packaging error among recent vulnerabilities such as ShadowPrompt and Cloudy Day.
An Anthropic employee accidentally leaked the source code for one of the most popular Artificial Intelligence (AI) assistants – Claude Code.
Security researcher Chaofan Shou wrote on X, saying “Claude Code’s source code has been uploaded via a map file to their npm registry!” The tweet itself has been viewed over 30 million times so far, and the numbers are rising rapidly, showing just how popular the app is.
However CNBC says the leak of the part, Registration it claims to contain the “full source code of an AI coding tool”.
The article continues below
Anthropic seals the leak
The Internet reacted as the Internet usually reacts – quickly and without regret, quickly supporting the leak in the GitHub repository which, by now, has been deleted tens of thousands of times.
In a GitHub upload, the leak was attributed to a reference to unknown TypeScript source code in a mapping file included in Claude Code’s npm package. The reference pointed to a .ZIP file sitting in Anthropic’s Cloudflare R2 repository that contained 1,900 TypeScript files containing more than 500,000 lines of code, complete libraries of slash commands, and built-in tools.
Anthropic has since confirmed the news, saying this was not the act of an evil person, or a third party, but a coincidence:
“No relevant customer data or information was affected or exposed,” an Anthropic spokesperson said in a statement to CNBC. “This was an issue with the release packages caused by human error, not a security breach. We are taking steps to prevent this from happening again.”
It’s been a busy few weeks for Anthropic. The company has raised a few eyebrows with the speed with which it has been sending updates and new features, even sparking a huge debate on Reddit, where users argued that the company was still using its product.
“They’re getting bigger and bigger,” said one person.
While introducing new features quickly is admirable, cybersecurity seems to be the flip side of the coin. In the last 10 days alone, we have had many stories about Claude being at risk of early vaccination and similar attacks. On March 27, 2026, security researchers at Koi Security discovered a critical flaw in the Claude Code Google Chrome extension that enabled zero-click attacks.
Speed at the expense of security?
Called ShadowPrompt, the vulnerability could have allowed malicious actors to reveal sensitive information.
A few days earlier, on March 19, security researchers Oasis reported finding three vulnerabilities in Claude that, when used together, create a complete chain of attack – from the delivery of targeted victims to the processing of deep data. Researchers have called it Cloud Day and he dutifully revealed to Anthropic that he quickly talked about it.
Users don’t seem to care much, however, and on the same day ShadowPrompt was discovered, Anthropic was forced to shut down its infrastructure after hours to deal with the increased demand.
“To manage the growing demand for Claude we are adjusting time limits of 5 hours for Free/Pro/Max rates during peak hours. Your weekly limits remain unchanged”, said Thariq Shihipar, engineer working on Claude Code, in a post on X.
The best antivirus for all budgets
Follow TechRadar on Google News and Add us as a favorite resource to get our expert news, opinions, and views on your feeds. Be sure to click the Follow button!
And of course you can too Follow TechRadar on TikTok for news, reviews, unboxings in video format, and get updates from us on WhatsApp again.
#Anthropic #confirms #leaked #Claude #Code #source #code #spilling #biggest #secrets