Claude Code Leak: What Went Wrong at Anthropic?

In a major blow to the AI pioneer, Anthropic’s flagship AI coding tool had its secrets laid bare for the world to see. 

The accidental leak of the source code behind Claude Code was not the result of a security incident, but rather a simple “human error”.

Claude Code, Anthropic’s premier AI coding tool – relied upon by many to turn their ideas into functioning applications without having to write code – is part of the Claude AI suite that serves more than 300,000 enterprise customers. 

Giving developers, engineers and most of the internet an active roadmap into the internal workings of its coveted flagship tool, a post on X with an active link to the code was viewed by millions. 

The incident came as the company plans an IPO, which is expected in October this year. 

“No sensitive customer data or credentials were involved or exposed,” reads the statement from Anthropic, as reported by CNBC.

“This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”

Roadmap to the leak

Reports emerged on Tuesday (31 March) that version 2.1.88 of Anthropic’s Claude Code npm package contained what is called a source map file. 

This large file – usually used by developers for debugging purposes – laid out the roadmap to reconstruct much of the otherwise private TypeScript source.

In a matter of hours, a swarm of developers shared and mirrored portions of the code across GitHub and other public platforms. The culprit was a 59.8 MB JavaScript source map unintentionally bundled in the npm release.

The exposed code relates to the Claude Code command‑line interface and tooling – not the underlying AI model. 

Copyright questions

The code leak is the second major incident this week to plague Anthropic. Previously the firm saw internal or pre-release assets exposed, which were left in a publicly-accessible system. 

A Fortune report noted: "Anthropic has inadvertently revealed details of an upcoming model release, an exclusive CEO event and other internal data, including images and PDFs, in what appears to be a significant security lapse."

Before the dust had settled on the previous leak, the company was hit with the next wave that spurred a curious copyright debate online. 

Community posts emerged implicating developers as they claim to have used AI to rewrite the Anthropic source code into different programming languages. 

The copyright implications of the leak stem from the fact that the exposed TypeScript is legally protected intellectual property. Some also question the intellectual property rights in the age of AI. 

Even though the npm release contained only a source map rather than the raw code, the map enabled reconstruction of the entire codebase. Any reproduction, distribution or derivative work – including community attempts to rewrite the code in Python or use AI to translate it – could potentially infringe Anthropic’s copyright.