Claude Code source code leaked, Anthropic DMCA takedown of 8,100 GitHub repositories

MarketWhisper

Claude Code source code leaked

Anthropic confirmed on March 31 that version v2.1.88 of the Claude Code CLI tool's npm package exposed about 512,000 lines of source code because of a packaging and bundling error during release. Anthropic then submitted a DMCA copyright notice to GitHub, resulting in a total of 8,100 repositories being taken down from public access.

Root cause of the leak: the Bun bundler's default behavior led to a complete exposure with no hacking required

The fundamental reason behind this incident left the developer community stunned: the Bun bundler generates Source Map debugging files by default, and no step in Anthropic's release process disabled or excluded this file. The purpose of a Source Map is to map the minified production code back to the original TypeScript code. In this case the file pointed directly to a publicly accessible ZIP archive in Anthropic's own Cloudflare R2 storage bucket, so no hacking techniques were required at all.

After the issue was discovered by Chaofan Shou, an intern researcher at blockchain security company Fuzzland, they posted direct links to the storage bucket on the X platform. Within a few hours, numerous mirrored repositories appeared on GitHub, and some had already accumulated tens of thousands of stars before the DMCA notice took effect.

Technically, this incident could have been prevented by adding the corresponding entries to the .npmignore file, or by restricting the published files with the files field in package.json. Anthropic confirmed to VentureBeat that this was a "release packaging issue caused by human error," and stated that it is taking measures to prevent recurrence.
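As an added example (not Anthropic's or Bun's own code), the following POSIX shell pre-publish gate fails when a build directory still contains Source Map files or bundles that reference one, which is the kind of check that would have caught the packaging error described above; the fixture directories, file names and archive URL it builds are constructed for the demo, not real Claude Code artefacts.

```shell
#!/bin/sh
# Added example, not Anthropic's or Bun's code: a pre-publish gate that
# fails when a build output directory still contains Source Map files or
# bundles that reference one. Run it (or wire it into a prepublishOnly
# script) before `npm publish` so a stray .map cannot ship in the tarball.

check_no_sourcemaps() {
    dir="$1"
    status=0
    # 1. Standalone *.map files: the artefact Bun emits by default and the
    #    file that, in the incident above, exposed the source archive URL.
    maps=$(find "$dir" -type f -name '*.map' 2>/dev/null || true)
    if [ -n "$maps" ]; then
        printf 'Source Map files present:\n%s\n' "$maps"
        status=1
    fi
    # 2. Bundles that still point at a map, external or inlined as a data URI.
    refs=$(find "$dir" -type f \( -name '*.js' -o -name '*.mjs' -o -name '*.cjs' \) \
               -exec grep -l 'sourceMappingURL=' {} + 2>/dev/null || true)
    if [ -n "$refs" ]; then
        printf 'Bundles referencing a Source Map:\n%s\n' "$refs"
        status=1
    fi
    return "$status"
}

# Constructed demo fixture (not real Claude Code files): one build that
# leaks a map and one that is clean. Prints the temp root it created.
make_sample_build() {
    root=$(mktemp -d)
    mkdir -p "$root/leaky" "$root/clean"
    printf 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' \
        > "$root/leaky/cli.js"
    # sourceRoot is a placeholder URL, standing in for the storage bucket link
    printf '{"version":3,"sourceRoot":"https://example.invalid/archive/","sources":["src/main.ts"],"mappings":""}\n' \
        > "$root/leaky/cli.js.map"
    printf 'console.log("hi");\n' > "$root/clean/cli.js"
    echo "$root"
}

# Usage: sh check_sourcemaps.sh path/to/dist   (exit 1 means do not publish)
if [ -n "${1:-}" ]; then
    check_no_sourcemaps "$1"
fi
```

Pairing this gate with a files whitelist in package.json gives two independent controls: the whitelist keeps .map files out of the tarball, and the gate fails the build if one is produced anyway.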

However, this is the second time the same mistake has happened. In February 2025, an earlier version of Claude Code also experienced an almost identical Source Map leakage event, and Anthropic subsequently submitted its first DMCA notice in April 2025.

What was leaked: 1,900 files expose multiple unreleased secret features, including KAIROS

The exposed set of roughly 1,900 TypeScript files covers the tool’s execution logic, permission architecture, the memory system, telemetry, and feature flags. Community members quickly extracted telemetry data, toggled hidden feature flags, and wrote “clean-room” restructured versions using Python and Rust. The most notable unreleased features are as follows:

KAIROS: a continuously running background guardian process that monitors files, logs events, and executes a memory integration workflow called “Dreaming” when idle

BUDDY: a terminal pet feature with 18 species (including a capybara), with attributes such as DEBUGGING, PATIENCE, and CHAOS

COORDINATOR MODE: allows a single agent to generate and manage multiple parallel work agents

ULTRAPLAN: schedules remote multi-agent planning meetings of 10 to 30 minutes

Two leaks in one week: Broad questions raised about Anthropic’s release standards

This incident was not an isolated event. Just five days earlier, on March 26, Anthropic leaked about 3,000 internal documents due to a CMS configuration error. Those documents included details of the unreleased "Claude Mythos" model, and that leak was also attributed to human error. With two major unexpected leaks occurring back-to-back in less than a week, outside observers began raising systemic questions about the release standards of an AI company whose products are widely used to assist with code development and release.

Anthropic confirmed that this incident did not involve the leakage of sensitive customer data, credentials, model weights, or inference infrastructure. The core Claude model was not affected. However, with the technical blueprint now public, the barrier to building a competing product to Claude Code has been significantly lowered.

Also worth noting: on the same day, between 00:21 and 03:29 UTC, a supply-chain attack targeting the axios package occurred on npm. Anthropic advised developers who installed or updated Claude Code within this time window to review their dependencies and rotate credentials, and suggested that going forward, users should prioritize the official native installer over npm.

FAQ

Why can the Claude Code source code be obtained in full without any hacking?

The Source Map files generated by default by the Bun bundler point directly to a publicly accessible ZIP archive in Anthropic's own Cloudflare R2 storage bucket. Anyone who accesses this public link can download the full TypeScript source code. The entire process involves no technical intrusion.

After DMCA takedown of 8,100 repositories, has the source code completely disappeared?

No. Even though GitHub took down the relevant repositories based on the DMCA notice, the leaked source code has circulated across multiple platforms in the form of archives, mirrors, and restructured versions. Completely erasing it is almost impossible. Anthropic's DMCA actions limited direct propagation, but the technical blueprint has already spread widely.

What real security impact does this incident have on Claude Code users?

Anthropic confirmed that no user data, credentials, or models were leaked. However, developers who installed or updated Claude Code via npm between 00:21 and 03:29 UTC on March 31 should review their dependencies and rotate credentials, because during that same period npm experienced a supply-chain attack targeting the axios package.
