Anthropic Claude Code Leak

Keypoints

• On March 31, 2026 a 59.8 MB .map file in the npm package @anthropic-ai/claude-code v2.1.88 exposed ~513,000 lines of TypeScript across 1,906 files, including a ZIP of original sources hosted on Anthropic infrastructure.
• Exposed components include agent orchestration (LLM calls, tool-call loops), permission/execution hooks, Model Context Protocol integrations, persistent memory/background agents, telemetry/encryption internals, and build/dependency details; model weights, safety pipelines, and user data were not exposed.
• The leak was rapidly downloaded from Anthropic’s Cloudflare R2 bucket, mirrored to GitHub, forked tens of thousands of times, and is now available across hundreds of public repositories despite some DMCA takedowns.
• The public code availability increases supply chain and local-host risks: trojanized forks, backdoors, credential/API key exfiltration, and weaponization of known CVEs (e.g., CVE-2025-59536, CVE-2026-21852) that enable arbitrary shell execution or data theft.
• Zscaler ThreatLabz discovered malicious GitHub repositories (publisher idbzoomh) using the leak as a lure; releases include a ZIP named “Claude Code – Leaked Source Code (.7z)” containing ClaudeCode_x64.exe, which drops Vidar v18.7 (stealer) and GhostSocks (proxy).
• The campaign is actively updated and mirrored across accounts, increasing exposure via Google search and GitHub, and overlaps with a concurrent malicious Axios npm supply-chain incident on March 31 that raised the risk for developers updating packages that day.
• Recommendations: implement Zero Trust and segment critical app access, do not download/build/run leaked code, verify sources via Anthropic official channels, avoid local execution of agents on untrusted code, scan workstations/repos for suspicious processes, and wait for vendor patches.