Anthropic confirmed that internal source code for its AI coding assistant Claude Code was inadvertently published via an npm package release, exposing nearly 2,000 TypeScript files and extensive implementation details. The leak led to public reposting and opportunistic typosquatting amid concerns about a trojanized Axios dependency and potential jailbreaks and dependency-confusion attacks; #Anthropic #ClaudeCode
Keypoints
- A source map in Claude Codeβs npm package exposed the full source code (β2,000 TypeScript files, 512,000+ lines).
- Anthropic says no customer data or credentials were exposed and attributes the incident to a packaging human error.
- Leaked internals revealed features like self-healing memory, tools system, multi-agent orchestration, KAIROS, βdreamβ mode, Undercover Mode, and anti-distillation defenses.
- Attackers published typosquat npm packages and users who installed updates during the Axios compromise window may have received a trojanized HTTP client; affected users should downgrade and rotate secrets.
- The exposed code gives adversaries a blueprint to craft persistent jailbreaks, dependency confusion attacks, and other supply-chain or runtime exploits.
Read More: https://thehackernews.com/2026/04/claude-code-tleaked-via-npm-packaging.html