Claude Code leak via npm

Security researcher Chaofan Shou publicly flagged the exposure on X (formerly Twitter) on March 31, 2026, after inspecting the published package for @anthropic-ai/claude-code. (github.com) The leak vector was a bundled source map (cli.js.map) published with the npm package that included original TypeScript content and referenced an r2.dev object URL used to host the artifacts. (penligent.ai) The affected npm artifact is tied to release v2.1.88, which Anthropic’s changelog shows was published on March 30, 2026. (penligent.ai) Multiple community mirrors and extraction repos appeared within hours, with at least one archived mirror accumulating more than a thousand stars and thousands of forks as developers cataloged the reconstructed code. (dev.to) Researchers and community breakdowns that catalogued the reconstruction call out unreleased and internal systems revealed in the artifacts—named pieces include BUDDY (an AI “pet”), KAIROS (persistent assistant mode), ULTRAPLAN, a 46K‑line Query Engine, and a multi‑agent coordinator architecture. (github.com) This incident echoes a prior exposure pattern: an earlier sourcemap-related leak surfaced in February 2025 and Anthropic has previously used takedowns against public mirrors and reverse‑engineering reposts. (binance.com) Operational risk vectors highlighted by the post‑mortems include client behavior that auto‑loads local.env files and historical supply‑chain attack modes against npm (e.g., an Aug 2025 postinstall malware campaign that weaponized agent workflows), both of which materially increase the chance that exposed client code leads to credential or telemetry abuse. (knostic.ai)