What caused the Anthropic Claude Code source leak?

A Bun packaging error plus missing .npmignore shipped the 59.8 MB source map in v2.1.88.

How to check if axios RAT hit my project?

Audit npm install logs from March 31, 00:21-03:29 UTC for axios versions; scan for RAT indicators like unexpected network traffic.

Is Claude Code safe to use now?

Update to latest version—source map's gone—but audit configs for exposed hooks or MCP risks from the leak.

🤝 Community & Governance

Anthropic's Epic Oops: 513K Lines of Claude Code Leaked on npm, Handing Attackers the Keys

Imagine the full blueprint of Anthropic's Claude Code agent — 513,000 lines of TypeScript — dumped accidentally on npm for the world to grab. Hackers forked it thousands of times before the fix.

theAIcatchup Apr 10, 2026 3 min read

npm package page showing Anthropic Claude Code source map leak with 513K lines exposed

⚡ Key Takeaways

Anthropic leaked 513K lines of Claude Code source via npm due to packaging error, exposing RCE and key exfil vulns. 𝕏
Coinciding axios RAT attack amplifies risks for March 31 installs — audit immediately. 𝕏
This accelerates push for secure-by-design AI agents, mirroring past supply chain shocks like Heartbleed. 𝕏

Published by

theAIcatchup

Community-driven. Code-first.

#AI agent security #AI agent vulnerabilities #AI security #Anthropic Claude #Anthropic npm #Anthropic security #Claude Code leak #axios RAT #npm security #npm supply chain #npm-leak #supply chain attack

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Dev.to

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

LayerX Tricks Claude into Building Malware — Guardrails Crumble Fast

Anthropic's Claude Saga: Leaks, Bans, and Enterprise Power Moves

Anthropic's Mythos Preview Digs Up a 27-Year OpenBSD Time Bomb

Fairwords NPM Worm Steals Credentials, Hijacks Your Other Packages, and Jumps to PyPI

Stay in the loop