Security researcher Chaofan Shou posted one line on X on March 31, 2026: "Claude code source code has been leaked via a map file in their npm registry."
That's it. No screenshot. No thread. Just one line.
Within hours, a GitHub repo with the full source had over 1,100 stars and 1,900 forks. Reddit threads started calling it "Christmas morning for competitors." Developers were reading Anthropic's internal codebase like it was a public docs page.
And here's the thing. It wasn't a hack. No elaborate breach. No zero-day exploit. An Anthropic engineer forgot to add one pattern to a .npmignore file.
That's it.
512,000 lines of TypeScript. 1,906 files. A 59.8MB source map bundled into a public npm package. All of it accessible to anyone who typed npm i @anthropic-ai/claude-code.
You've probably done this install a hundred times. i have too. You run the install, move on, never look inside node_modules. Nobody expects to find a company's entire internal codebase sitting there. But that's exactly what happened.
And this wasn't even the first time. Anthropic made the same mistake in early 2025. Same file type. Same oversight. Different version.
What a .map file is
i used to think source maps were just a dev tool. Something your browser uses to show readable stack traces when things crash. You compile TypeScript down to JavaScript, the map file points errors back to the original source. Useful in development. Supposed to stay out of production builds.
What actually happens is the .map file's sourcesContent field holds every original TypeScript file. Not a reference to it. The actual code, inline. When Anthropic published version 2.1.88, the cli.js.map file came along for the ride.
Anyone who installed the package had 512,000 lines of TypeScript sitting in their local directory. Most people wouldn't look. One researcher did.
Chaofan Shou pulled it out using a reverse-engineering tool. Someone else mirrored it to GitHub immediately after. Some developers used Claude Code itself to extract its own source. That level of irony is hard to beat.
One missing line in .npmignore. That's all it took.
The fix is not complicated. Add *.map to your ignore file before publishing. Done. This is known. It has a known fix. And Anthropic had already lived through this exact lesson once in 2025.
What was inside
Here's a question people always ask: what did the leak actually expose?
Not model weights. Not training data. This matters. Claude's actual intelligence was not in this repo. What leaked was the CLI tool. The shell you interact with when you type claude in your terminal.
But the CLI wasn't empty.
The codebase had 44 hidden feature flags. 20 of them were fully built but never shipped. Not in planning. Not halfway done. Compiled and sitting behind flags set to false in the public build.
Here's a sample of what was already built:
Background agents running 24/7 with GitHub webhooks and push notifications
One Claude orchestrating multiple worker Claudes with restricted toolsets
Cron scheduling for agents with create, delete, and list operations
Voice command mode with its own CLI entrypoint
Browser control via Playwright, not the web_fetch shortcut, an actual browser
Agents that can sleep and self-resume without any user prompt
Persistent memory across sessions with no external storage dependency
This reads like a product roadmap. A very aggressive one.
The first time i saw this list i thought someone was making it up. But it's in the code. These aren't slide deck ideas. Someone built them.
The stuff that made people uncomfortable
Most coverage focused on the cool unshipped features. But a few things in the leak made security teams visibly nervous.
The telemetry system doesn't just collect usage stats. It tracks user frustration signals. Including profanity. So if you've ever typed something angry at your terminal while Claude was running, there's a chance that got logged somewhere at Anthropic.
There was also something called "Undercover Mode." It lets Claude contribute to open-source repos without leaving any signal that an AI was involved. No attribution. No AI signature.
And there was an internal flag named "YOLO." It bypasses safety checks for shell commands. The name is not subtle.
The developers reading this were excited. The security teams reading this were not. Those are two different groups with two different reactions.
With the full source public, researchers can now audit how Claude handles terminal permissions in detail. CVE-2026-21852, a vulnerability that let malicious repos exfiltrate API keys before a user clicked Trust, had already been patched. But knowing the codebase makes finding the next one faster.
The part no one is writing about
The model codename buried inside the source is "Capybara." Three tiers of it.
i don't know why that's funny to me but it is. Anthropic builds some of the most capable AI systems in the world. Their internal codename for the next model family is a large South American rodent famous for being completely unbothered by everything.
There's something true about that. The capybara became an internet meme because it just sits there, calm, while birds land on it and crocodiles chill nearby. Maybe that's what Anthropic wants. A model that handles whatever gets thrown at it without flinching.
Or maybe someone just liked the animal. Either way, the name is public now. People are going to call it Capybara whether Anthropic likes it or not.
What this actually means
Most coverage treated this like a catastrophe. Some posts called it Anthropic's worst day. A few people on Reddit said competitors should be celebrating.
Here's what i actually think.
The CLI code is not the competitive moat. The models are. Seeing how Claude Code's orchestration logic works does not let you reproduce the intelligence behind it. The routing, the tool system, the prompts, yes, those are out now. But OpenAI and Google were not waiting on a source map to understand how agentic CLIs are built.
But this happened twice. Same file type. Same oversight. One year apart.
That's not bad luck. That's a process problem.
Companies shipping AI tools at this speed often skip steps that slower software teams treat as basic. A proper pre-publish checklist would have caught this both times. The .npmignore check is not obscure. It's in every npm publish guide. It takes five minutes.
Most security incidents don't need a hacker. They need a developer in a hurry.
Someone on Reddit asked if this made Claude Code less trustworthy as a tool. Honest answer: probably not. The product still works the same way it did on March 30th. Your code still runs. Your agents still do what they did before.
What's different is you can now read the playbook. All the features Anthropic was quietly building while staying silent about them are sitting in a GitHub repo with nearly 2,000 forks.
The 24/7 background agents are coming. The persistent memory is coming. The Capybara model is coming.
We just found out ahead of schedule.