[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-claude-code-leak-exposes-512k-lines-npm-en":3,"tags-claude-code-leak-exposes-512k-lines-npm-en":30,"related-lang-claude-code-leak-exposes-512k-lines-npm-en":41,"related-posts-claude-code-leak-exposes-512k-lines-npm-en":45,"series-tools-717e4d27-65a9-4a77-afa2-6e8713bfb2c9":82},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":18,"translated_content":10,"views":19,"is_premium":20,"created_at":21,"updated_at":21,"cover_image":11,"published_at":22,"rewrite_status":23,"rewrite_error":10,"rewritten_from_id":24,"slug":25,"category":26,"related_article_id":27,"status":28,"google_indexed_at":29,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":10,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":20},"717e4d27-65a9-4a77-afa2-6e8713bfb2c9","Claude Code Leak Exposes 512K Lines on npm","\u003Cp>Anthropic says its \u003Ca href=\"\u002Fnews\u002Fclaude-code-setup-guide-researchers-en\">Claude Code\u003C\u002Fa> source was exposed because of a packaging mistake, not a breach. The leaked npm release, version 2.1.88, included a source map tied to nearly 2,000 TypeScript files and more than 512,000 lines of code.\u003C\u002Fp>\u003Cp>The detail that matters most is simple: a public package update briefly turned a private codebase into a blueprint for anyone who wanted to inspect it. Anthropic later pulled the version from npm, but the code had already spread across public mirrors and discussion threads.\u003C\u002Fp>\u003Ch2>What actually leaked\u003C\u002Fh2>\u003Cp>The problem began when \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> version 2.1.88 was published with a source map file. 
Source maps are common in JavaScript and TypeScript builds because they help developers debug compiled code, but they can also expose original source if they are shipped carelessly.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775092576540-k6ue.png\" alt=\"Claude Code Leak Exposes 512K Lines on npm\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>In this case, the source map pointed back to a very large codebase. That matters because \u003Ca href=\"\u002Fnews\u002Frtk-cuts-claude-code-token-spend-en\">Claude Code\u003C\u002Fa> is not a tiny utility. It is an AI coding assistant with internal orchestration logic, agent behavior, tool use, and IDE integration. Once the source was exposed, outside readers could inspect how those parts fit together.\u003C\u002Fp>\u003Cp>Anthropic confirmed the release was a human error and said no customer data or credentials were involved. That distinction matters, but it does not make the incident small. A code leak is still a serious event because it gives attackers and competitors a working map of internal design choices.\u003C\u002Fp>\u003Cul>\u003Cli>Leaked package version: 2.1.88\u003C\u002Fli>\u003Cli>Source footprint: nearly 2,000 TypeScript files\u003C\u002Fli>\u003Cli>Code size: more than 512,000 lines\u003C\u002Fli>\u003Cli>Status: removed from npm after discovery\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Why security researchers paid attention fast\u003C\u002Fh2>\u003Cp>The first public flag came from security researcher \u003Ca href=\"https:\u002F\u002Fx.com\u002FrealChaofanShou\" target=\"_blank\" rel=\"noopener\">Chaofan Shou\u003C\u002Fa>, who posted on X that \u003Ca href=\"\u002Fnews\u002Fclaude-code-march-2026-update-fixes-bugs-en\">Claude Code\u003C\u002Fa> source code had been leaked through a map file in the npm registry. 
That post spread quickly and drew attention because it was easy to verify: the package contents themselves told the story.\u003C\u002Fp>\u003Cp>One reason this moved so quickly is that AI tooling now sits inside developer workflows, not outside them. When a coding agent leaks internals, the audience is not just curiosity-driven readers. It includes reverse engineers, prompt-injection researchers, supply-chain attackers, and teams trying to understand how agentic systems make decisions.\u003C\u002Fp>\u003Cblockquote>\"Claude code source code has been leaked via a map file in their npm registry!\" — Chaofan Shou on X\u003C\u002Fblockquote>\u003Cp>The leaked code also surfaced details about Claude Code’s internal architecture, including a memory system designed to work around fixed context limits, a tools layer for file and shell actions, a query engine for API orchestration, and multi-agent coordination for spawning sub-agents. That sort of detail is exactly what attackers want when they are testing where guardrails can be bent.\u003C\u002Fp>\u003Cp>There is a second reason researchers cared: the code leak was followed by package-abuse chatter almost immediately. Once package names and internal structure become public, attackers often try to squat related names, plant dependency confusion traps, or wait for developers to copy build instructions without checking where dependencies come from.\u003C\u002Fp>\u003Ch2>The numbers that make this leak unusual\u003C\u002Fh2>\u003Cp>This story got attention because the raw scale is hard to ignore. The leaked codebase was large enough to reveal architecture, internal prompts, and agent behavior. 
It was also large enough that even a casual skim could expose implementation patterns that would normally stay hidden behind compiled artifacts.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775092594213-s6nn.png\" alt=\"Claude Code Leak Exposes 512K Lines on npm\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>Some of the most interesting details reported from the code include a persistent background mode called KAIROS, a planned “dream” mode for background reasoning, and an undercover mode for open-source contributions. That last one is especially interesting because it shows how much effort went into shaping Claude Code’s behavior in public repositories.\u003C\u002Fp>\u003Cp>Here is the comparison that matters for defenders:\u003C\u002Fp>\u003Cul>\u003Cli>Anthropic said the issue was a release packaging error, while the leaked material still exposed internal source and prompts.\u003C\u002Fli>\u003Cli>The npm package was removed, yet public copies and mirrors continued to circulate.\u003C\u002Fli>\u003Cli>Security researchers saw one leak, but threat actors got a ready-made reference for fuzzing and jailbreak testing.\u003C\u002Fli>\u003Cli>Attackers also began typosquatting package names tied to the leaked internals, which raises the odds of dependency confusion attempts.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>The leak also matters because it hands out implementation clues for how Claude Code manages context over long sessions. If an attacker understands how compaction, memory, and tool calls interact, they can try to craft payloads that survive longer than a normal prompt window. 
That is a much more practical attack path than brute-forcing generic jailbreaks.\u003C\u002Fp>\u003Ch2>Supply-chain risk did not stop at the leak\u003C\u002Fh2>\u003Cp>The code exposure would already be bad enough on its own, but it landed in the middle of a broader supply-chain mess. The source report also notes that users who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC may have pulled in a trojanized HTTP client tied to a separate Axios supply-chain attack.\u003C\u002Fp>\u003Cp>That means there are two different risk tracks here. One is the exposed source code. The other is the possibility that some users picked up a malicious dependency during the same window. If you are maintaining a dev environment, those are separate incidents and both deserve attention.\u003C\u002Fp>\u003Cp>For teams that installed the package during that window, the practical response is boring but necessary: downgrade to a known safe version, rotate secrets, and review recent dependency changes. If you use npm in CI, inspect lockfiles and artifact provenance before assuming the build system is clean.\u003C\u002Fp>\u003Cp>There is also a reputational angle. Anthropic had already been dealing with another internal data exposure days earlier, which makes this second incident harder to dismiss as a one-off mistake. In software security, repeat errors in the same week usually trigger a harder review of release controls, not a shrug.\u003C\u002Fp>\u003Cp>If you are wondering what this means for AI coding tools more broadly, the answer is that their attack surface is expanding faster than their operational discipline. The more agentic the product, the more places there are for source leaks, prompt exposure, dependency abuse, and hidden behavior to intersect.\u003C\u002Fp>\u003Ch2>What developers should do now\u003C\u002Fh2>\u003Cp>If your team uses Claude Code, treat this as a release hygiene lesson, not just a vendor headline. 
Source maps, build artifacts, and internal package names need the same review discipline as secrets and credentials. A package can be technically valid and still unsafe to publish.\u003C\u002Fp>\u003Cp>For security teams, the actionable move is to audit any npm consumption tied to AI tooling, especially if your workflows auto-install packages from lockfiles or ephemeral build steps. Also check whether your organization depends on private package names that resemble the leaked internal modules, since typosquatting is already happening.\u003C\u002Fp>\u003Cul>\u003Cli>Review recent installs of \u003Ca href=\"https:\u002F\u002Fwww.npmjs.com\u002F\" target=\"_blank\" rel=\"noopener\">npm\u003C\u002Fa> packages tied to AI tooling.\u003C\u002Fli>\u003Cli>Rotate credentials if your systems touched the suspicious install window.\u003C\u002Fli>\u003Cli>Block unexpected package-name variants in your dependency allowlists.\u003C\u002Fli>\u003Cli>Strip source maps from production releases unless you truly need them.\u003C\u002Fli>\u003Cli>Audit CI logs for any build or publish step that exposed internal paths.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>For product teams building AI agents, this leak is a reminder that internal prompts and orchestration logic are part of the security boundary now. If those details escape, attackers get a better view of your control flow than they would from a normal app binary.\u003C\u002Fp>\u003Cp>Anthropic says it is putting measures in place to prevent a repeat. The real test is whether future releases keep source maps, package metadata, and internal modules out of public distribution. 
If not, the next mistake may expose less code but create more damage because attackers will already know where to look.\u003C\u002Fp>\u003Cp>For a related read on AI agent identity and production controls, see our coverage of \u003Ca href=\"\u002Fnews\u002Fidentity-framework-for-ai-agents\" target=\"_blank\" rel=\"noopener\">how teams are thinking about identity for AI agents\u003C\u002Fa>. That problem is getting harder, and incidents like this one make it impossible to ignore.\u003C\u002Fp>\u003Cp>The sharp question now is not whether AI coding assistants will keep shipping faster. It is whether vendors can keep their release process tighter than the attackers studying every public artifact they publish.\u003C\u002Fp>","Anthropic confirmed a packaging error exposed Claude Code source on npm, revealing 512,000+ lines and new supply-chain risks.","thehackernews.com","https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fclaude-code-tleaked-via-npm-packaging.html",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775092576540-k6ue.png",[13,14,15,16,17],"Anthropic","Claude Code","npm","source code leak","supply-chain attack","en",1,false,"2026-04-02T01:15:42.908619+00:00","2026-04-02T01:15:42.697+00:00","done","cf1d355d-1193-44c6-adeb-2fb035416312","claude-code-leak-exposes-512k-lines-npm-en","tools","cff44ea5-e67c-46bf-917a-b147287a0515","published","2026-04-09T09:00:52.735+00:00",[31,32,34,36,38],{"name":15,"slug":15},{"name":14,"slug":33},"claude-code",{"name":13,"slug":35},"anthropic",{"name":16,"slug":37},"source-code-leak",{"name":39,"slug":40},"supply chain attack","supply-chain-attack",{"id":27,"slug":42,"title":43,"language":44},"claude-code-leak-exposes-512k-lines-npm-zh","Claude Code npm 外洩 51.2 
萬行","zh",[46,52,58,64,70,76],{"id":47,"slug":48,"title":49,"cover_image":50,"image_url":50,"created_at":51,"category":26},"a6c1d84d-0d9c-4a5a-9ca0-960fbfc1412e","why-gemini-api-pricing-is-cheaper-than-it-looks-en","Why Gemini API pricing is cheaper than it looks","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778869846824-s2r1.png","2026-05-15T18:30:26.595941+00:00",{"id":53,"slug":54,"title":55,"cover_image":56,"image_url":56,"created_at":57,"category":26},"8b02abfa-eb16-4853-8b15-63d302c7b587","why-vidhub-huiyuan-hutong-bushi-quan-shebei-tongyong-en","Why VidHub 会员互通不是“买一次全设备通用”","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778789439875-uceq.png","2026-05-14T20:10:26.046635+00:00",{"id":59,"slug":60,"title":61,"cover_image":62,"image_url":62,"created_at":63,"category":26},"abe54a57-7461-4659-b2a0-99918dfd2a33","why-buns-zig-to-rust-experiment-is-right-en","Why Bun’s Zig-to-Rust experiment is the right move","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778767895201-5745.png","2026-05-14T14:10:29.298057+00:00",{"id":65,"slug":66,"title":67,"cover_image":68,"image_url":68,"created_at":69,"category":26},"f0015918-251b-43d7-95af-032d2139f3f6","why-openai-api-pricing-is-product-strategy-en","Why OpenAI API pricing is a product strategy, not a footnote","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778749841805-uyhg.png","2026-05-14T09:10:27.921211+00:00",{"id":71,"slug":72,"title":73,"cover_image":74,"image_url":74,"created_at":75,"category":26},"7096dab0-6d27-42d9-b951-7545a5dddf33","why-claude-code-prompt-design-beats-ide-copilots-en","Why Claude Code’s prompt design beats IDE 
copilots","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778742651754-3kxk.png","2026-05-14T07:10:30.953808+00:00",{"id":77,"slug":78,"title":79,"cover_image":80,"image_url":80,"created_at":81,"category":26},"1f1bff1e-0ebc-4fa7-a078-64dc4b552548","why-databricks-model-serving-is-right-default-en","Why Databricks Model Serving is the right default for production infe…","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778692290314-gopj.png","2026-05-13T17:10:32.167576+00:00",[83,88,93,98,103,108,113,118,123,128],{"id":84,"slug":85,"title":86,"created_at":87},"8008f1a9-7a00-4bad-88c9-3eedc9c6b4b1","surepath-ai-mcp-policy-controls-en","SurePath AI's New MCP Policy Controls Enhance AI Security","2026-03-26T01:26:52.222015+00:00",{"id":89,"slug":90,"title":91,"created_at":92},"27e39a8f-b65d-4f7b-a875-859e2b210156","mcp-standard-ai-tools-2026-en","MCP Standard in 2026: Integrating AI Tools","2026-03-26T01:27:43.127519+00:00",{"id":94,"slug":95,"title":96,"created_at":97},"165f9a19-c92d-46ba-b3f0-7125f662921d","rag-2026-transforming-enterprise-ai-en","How RAG in 2026 is Transforming Enterprise AI","2026-03-26T01:28:11.485236+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"6a2a8e6e-b956-49d8-be12-cc47bdc132b2","mastering-ai-prompts-2026-guide-en","Mastering AI Prompts: A 2026 Guide for Developers","2026-03-26T01:29:07.835148+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"d6653030-ee6d-4043-898d-d2de0388545b","evolving-world-prompt-engineering-en","The Evolving World of Prompt Engineering","2026-03-26T01:29:42.061205+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"3ab2c67e-4664-4c67-a013-687a2f605814","garry-tan-open-sources-claude-code-toolkit-en","Garry Tan Open-Sources a Claude Code 
Toolkit","2026-03-26T08:26:20.245934+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"66a7cbf8-7e76-41d4-9bbf-eaca9761bf69","github-ai-projects-to-watch-in-2026-en","20 GitHub AI Projects to Watch in 2026","2026-03-26T08:28:09.752027+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"231306b3-1594-45b2-af81-bb80e41182f2","claude-code-vs-cursor-2026-en","Claude Code vs Cursor in 2026","2026-03-26T13:27:14.177468+00:00",{"id":124,"slug":125,"title":126,"created_at":127},"9f332fda-eace-448a-a292-2283951eee71","practical-github-guide-learning-ml-2026-en","A Practical GitHub Guide to Learning ML in 2026","2026-03-27T01:16:50.125678+00:00",{"id":129,"slug":130,"title":131,"created_at":132},"1b1f637d-0f4d-42bd-974b-07b53829144d","aiml-2026-student-ai-ml-lab-repo-review-en","AIML-2026 Is a Bare-Bones Student Lab Repo","2026-03-27T01:21:51.661231+00:00"]