Anthropic has acknowledged an unintentional disclosure of internal code from its AI coding assistant, Claude Code, which it attributes to human error. According to an Anthropic spokesperson quoted by CNBC, the incident did not expose sensitive customer information or credentials. The company characterised the exposure as a package management issue rather than a security breach, and says it is putting measures in place to prevent a recurrence.

The incident surfaced after the release of version 2.1.88 of the Claude Code npm package, when users noticed that it shipped a source map file that exposed the underlying code: almost 2,000 TypeScript files and upwards of 512,000 lines of code. That version has since been removed from npm.

Security researcher Chaofan Shou highlighted the leak on X, reporting that the source code had been inadvertently made accessible through the npm registry. The post drew significant attention, amassing over 28.8 million views. The leaked codebase has since been mirrored to a public GitHub repository, which has received more than 84,000 stars and 82,000 forks, giving both developers and competitors the opportunity to scrutinize the internal workings of the AI tool.

A source code leak of this kind has substantial implications, as it gives competitors and developers a detailed view of Claude Code’s architecture. Enthusiasts who have explored the leaked files have shared insights into its self-healing memory system, designed to work around fixed context window limitations, and into other internal components.

The leaked code also reveals a sophisticated tools system covering operations such as file reads and bash execution, along with a query engine for managing API calls. A notable feature surfaced by the leak is KAIROS, which lets Claude Code run as a background agent that executes tasks autonomously and notifies users without requiring their input. This is complemented by a proposed “dream” mode intended for continuous idea development.

Of particular concern is the tool’s Undercover Mode, which facilitates “stealth” contributions to open-source projects while ensuring that internal information remains undisclosed. Additionally, Anthropic is reportedly implementing mechanisms to counteract model distillation attacks, injecting fabricated tool definitions into API requests to mislead competitors attempting to scrape data.

The leak raises concerns about misuse of the exposed information, which could help malicious actors bypass established guardrails and manipulate the system for unauthorized actions. An AI security firm remarked that, rather than orchestrating brute-force attacks, adversaries may analyze the code to craft payloads that could endure detection and persist across sessions. The impact is compounded by recent findings of compromised npm packages in the Axios supply chain attack, which affected users who updated the package during a specific timeframe.

Malicious actors are already exploiting the situation by registering typosquatted package names designed to lure unsuspecting users attempting to build the leaked code. Recent reports from Zscaler indicate that these packages distribute trojanized versions of Claude Code bundled with various malware, including backdoors and data theft tools. One such repository has reportedly directed users to run an installer that deploys Vidar Stealer and GhostSocks, posing a serious risk of compromise.

This incident reflects a concerning trend: one of the most widely discussed source code exposures in recent memory has opened multiple channels for malicious exploitation, underscoring the pressing need for greater security vigilance across the technology sector. Businesses should stay informed and proactively implement robust security measures to mitigate the risks associated with such leaks.