On March 31, 2026, Anthropic accidentally published 512,000 lines of Claude Code’s source code in an npm package. A single missing .npmignore entry bundled a 59.8 MB source map exposing the entire TypeScript codebase to anyone who installed the update. Within hours, the leaked code spawned a GitHub repository that hit 100,000 stars in 24 hours—the fastest-growing repo in GitHub history.
While Anthropic insists no customer data was compromised, the incident is a wake-up call for every developer publishing to npm. If an AI safety company can accidentally ship their entire source code, so can you.
How a Missing .npmignore Line Exposed 512,000 Lines of Code
The leak happened because of a packaging configuration error. Anthropic’s build process used Bun, which generates source maps by default. Source maps are development aids that link minified production code back to readable source files—but they also contain the sourcesContent property, which embeds the entire original source code.
The problem: *.map files weren’t excluded in .npmignore, and the files field in package.json didn’t restrict what got published. Result: a 59.8 MB source map containing 1,900 files and 512,000 lines of TypeScript shipped to npm’s public registry in package version 2.1.88.
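The sourcesContent mechanism described above is easy to check for. The following is an added example written for this article, not Anthropic's or Bun's code: it parses a Source Map v3 document, reports whether the map embeds source text, and shows how to strip that text while keeping the position mappings. The sample map is constructed for the example; Node.js is assumed.

```javascript
// Added example, not code from the article: inspect a source map and report
// whether it embeds the original source via `sourcesContent`.
// Assumptions: Node.js, a Source Map v3 document as produced by bundlers such as Bun.

// Constructed sample map; the `mappings` string is a placeholder, not a real mapping.
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: "cli.js",
  sources: ["src/cli.ts", "src/permissions.ts"],
  sourcesContent: [
    "export function main() { /* ... */ }\n",
    "export const ALLOWED = new Set(['read']);\n",
  ],
  names: [],
  mappings: "AAAA",
});

function inspectSourceMap(mapText) {
  const map = JSON.parse(mapText);
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  // Only string entries carry source; a null entry tells consumers to fetch that file separately.
  const embedded = contents.filter((c) => typeof c === "string");
  const embeddedBytes = embedded.reduce((n, c) => n + Buffer.byteLength(c, "utf8"), 0);
  const embeddedLines = embedded.reduce((n, c) => n + c.split("\n").filter(Boolean).length, 0);
  return {
    file: map.file ?? null,
    sourceCount: sources.length,
    embedsSource: embedded.length > 0,
    embeddedFiles: embedded.length,
    embeddedBytes,
    embeddedLines,
    // Indexed maps keep their data under `sections`; report that shape rather than silently passing it.
    indexed: Array.isArray(map.sections),
  };
}

// Remove the embedded source while keeping the position mappings, for maps that
// must be kept (for example uploaded privately to an error tracker) but must not carry code.
function stripEmbeddedSource(mapText) {
  const map = JSON.parse(mapText);
  delete map.sourcesContent;
  return JSON.stringify(map);
}

console.log(inspectSourceMap(SAMPLE_MAP));
console.log(inspectSourceMap(stripEmbeddedSource(SAMPLE_MAP)));
```

Running inspectSourceMap over every .map file in a built tarball gives a quick answer to the question that mattered here: does this artifact merely describe the code, or does it contain it? A map with sourcesContent populated is the source.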
Anthropic’s official statement: “No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach.”
The company is right that it wasn’t a breach—but the mistake reveals a systemic gap. Developers routinely update .gitignore to exclude files from source control but forget .npmignore, which controls what ships to npm. That mismatch is how secrets, internal tools, and yes, entire codebases end up published.
Why Developers Made It GitHub’s Fastest-Growing Repository
Security researcher Chaofan Shou discovered the leak and published the source to GitHub. What happened next was unprecedented: a clean-room rewrite called Claw-Code hit 50,000 stars in two hours and crossed 100,000 stars in 24 hours. By April 9, the repository had 84,000 stars and 82,000 forks—obliterating the previous record set by OpenClaw, which took weeks to reach 100,000 stars.
Why the frenzy? The leaked code exposed unreleased features like KAIROS (a 24/7 background daemon), ULTRAPLAN (30-minute deep planning sessions offloaded to a remote model), and COORDINATOR_MODE (multi-agent orchestration with shared memory). Developers got a rare look at how a production AI coding agent actually works under the hood—permission systems, IDE bridges, multi-agent coordination, and self-healing memory architecture.
Anthropic initially issued DMCA takedown notices, then retracted them after realizing they’d targeted thousands of unrelated repositories by mistake. That botched response only amplified the story.
Five npm Security Lessons Every Developer Should Apply
The Claude Code leak isn’t just a cautionary tale—it’s a checklist. Here’s what to do before your next npm publish.
1. Add *.map to .npmignore
Source maps bundle your original source code in the sourcesContent property. Unless you’re intentionally publishing them (rare), add these patterns to .npmignore:
*.map
*.js.map
2. Use Allowlisting, Not Denylisting
Instead of trying to block every sensitive file, explicitly allow only what you want published via the files field in package.json:
{
  "files": [
    "dist/**",
    "README.md",
    "LICENSE"
  ]
}
Allowlisting is structurally safer because it can’t accidentally include new files added later.
3. Run npm pack --dry-run Before Publishing
Inspect what’s actually going into your tarball:
npm pack --dry-run
This shows exactly which files will ship. Review it manually every time.
4. Monitor Artifact Size in CI/CD
If your bundle jumps from 5 MB to 60 MB between builds, that’s not a metric—it’s a blocker. Automate size checks in your publish pipeline to catch packaging errors before they go live.
5. Disable Source Maps in Production Builds
Set sourceMap: false in production build configs, or upload source maps privately to observability tools like Sentry instead of bundling them in public packages.
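Lessons 1 through 4 can be enforced by one gate in the publish pipeline. The script below is an added example, not the article's or any project's code: it reads the JSON that npm pack --dry-run --json prints (npm 7 and later emit one entry per package with a files array of path and size plus an unpackedSize total), checks every path against an allowlist, blocks source maps and other must-never-ship files, and applies a size budget. The policy values, the package name and the file list are constructed for the example; Node.js is assumed. Two npm rules are worth keeping in mind when reading it: a .npmignore at the package root does not override the files field in package.json, and when a .npmignore exists npm stops consulting .gitignore, so the two files must be maintained separately. The gate checks the effective result of both, which is why it works from npm's own dry-run output rather than from the ignore files.

```javascript
// Added example, not code from the article: a pre-publish gate over the JSON
// that `npm pack --dry-run --json` prints. It enforces the allowlist, blocks
// source maps, and applies a size budget. Assumptions: Node.js, npm 7+ output
// shape (one entry per package with `files: [{path, size}]` and `unpackedSize`);
// the thresholds and allowlist below are illustrative.

const PUBLISH_POLICY = {
  // What may ship; keep this in step with package.json "files".
  // A trailing slash means "this directory and everything under it".
  allowPrefixes: ["package.json", "README.md", "LICENSE", "dist/"],
  // What must never ship, even under an allowed prefix.
  denyPatterns: [/\.map$/i, /(^|\/)\.env(\..*)?$/i, /\.pem$/i],
  // Unpacked size budget in bytes (constructed value for the example).
  maxUnpackedBytes: 10 * 1024 * 1024,
};

// Constructed sample of `npm pack --dry-run --json` output.
const SAMPLE_PACK_JSON = JSON.stringify([{
  name: "example-cli",
  version: "1.0.0",
  unpackedSize: 62_700_000,
  files: [
    { path: "package.json", size: 812 },
    { path: "README.md", size: 4_096 },
    { path: "LICENSE", size: 1_070 },
    { path: "dist/cli.js", size: 2_500_000 },
    { path: "dist/cli.js.map", size: 59_800_000 },
    { path: "src/internal/planner.ts", size: 33_000 },
  ],
}]);

function isAllowed(path, allowPrefixes) {
  return allowPrefixes.some((p) => path === p || (p.endsWith("/") && path.startsWith(p)));
}

function auditPackOutput(packJsonText, policy = PUBLISH_POLICY) {
  const violations = [];
  for (const pkg of JSON.parse(packJsonText)) {
    for (const f of pkg.files ?? []) {
      if (!isAllowed(f.path, policy.allowPrefixes)) {
        violations.push({ kind: "outside-allowlist", path: f.path, size: f.size });
      }
      if (policy.denyPatterns.some((re) => re.test(f.path))) {
        violations.push({ kind: "denied-file", path: f.path, size: f.size });
      }
    }
    if ((pkg.unpackedSize ?? 0) > policy.maxUnpackedBytes) {
      violations.push({ kind: "size-budget", path: `${pkg.name}@${pkg.version}`, size: pkg.unpackedSize });
    }
  }
  return { ok: violations.length === 0, violations };
}

// Stand-alone run on the constructed sample; in CI, pass the real npm output instead.
const report = auditPackOutput(SAMPLE_PACK_JSON);
for (const v of report.violations) console.error(`BLOCK ${v.kind}: ${v.path} (${v.size} bytes)`);
console.log(report.ok ? "publish gate: ok" : "publish gate: blocked");
```

In a pipeline, capture the dry run with npm pack --dry-run --json, feed the text to auditPackOutput, and fail the job when ok is false. On the constructed sample the gate reports three blockers: the .map file, the src/ file that the allowlist excludes, and an unpacked size far past budget, which is the kind of jump lesson 4 says should stop a release rather than be graphed.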
The Concurrent Axios Attack: Same Day, Same Ecosystem
March 31, 2026 was a bad day for npm. While Anthropic was dealing with their accidental leak, attackers compromised Axios—a package with over 100 million weekly downloads—and published malicious versions 1.14.1 and 0.30.4 containing a cross-platform remote access trojan (RAT). The attack window was 00:21 to 03:15 UTC.
Check if you’re affected:
grep -r "1\.14\.1\|0\.30\.4\|plain-crypto-js" package-lock.json
If that command returns matches, assume full compromise and rotate all credentials immediately.
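The grep above is a fast first pass, but it matches any package at those version strings, not only Axios. The script below is an added example, not the article's code: it walks package-lock.json by package name and version, covering the packages map of lockfile v2/v3 and the nested dependencies tree of lockfile v1, and reports only exact matches for the Axios versions and the package name cited above. The sample lockfile is constructed for the example and includes an unrelated package at 1.14.1 to show that it is not reported; Node.js is assumed.

```javascript
// Added example, not code from the article: an exact-match scan of package-lock.json
// for the Axios versions named in the article and for the plain-crypto-js package name.
// Assumptions: Node.js; lockfile v1 ("dependencies" tree) or v2/v3 ("packages" map).

const KNOWN_BAD = {
  // package name -> versions the article reports as malicious
  axios: new Set(["1.14.1", "0.30.4"]),
  // null means any version of this package name is an indicator
  "plain-crypto-js": null,
};

// Constructed sample lockfile (v3 shape) for a stand-alone run.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.1" },
    // Same version string on an unrelated package: a plain grep hits it, this scan must not.
    "node_modules/left-pad": { version: "1.14.1" },
  },
});

function packageNameFromPath(p) {
  // "node_modules/@scope/name" or "node_modules/a/node_modules/b" -> the innermost package name
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

function isBad(name, version) {
  if (!(name in KNOWN_BAD)) return false;
  const versions = KNOWN_BAD[name];
  return versions === null || versions.has(version);
}

function scanLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  // lockfile v2/v3: flat map keyed by install path
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // the root project itself
    const name = entry.name ?? packageNameFromPath(path);
    if (name && isBad(name, entry.version)) findings.push({ name, version: entry.version, where: path });
  }
  // lockfile v1: nested "dependencies" objects (only consulted when no "packages" map exists)
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps ?? {})) {
      if (isBad(name, entry.version)) {
        findings.push({ name, version: entry.version, where: [...trail, name].join(" > ") });
      }
      walk(entry.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return findings;
}

console.log(scanLockfile(SAMPLE_LOCK));
```

A non-empty result from scanLockfile is the same signal the article describes for the grep: treat the host as compromised and rotate credentials. Because the scan keys on the package name, it can be extended to other advisories by adding entries to KNOWN_BAD rather than by editing a regex.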
The Claude Code leak and Axios attack were separate incidents, but their timing underscores the same point: npm’s supply chain is under constant attack. Whether it’s accidental leaks or deliberate malware, every npm install is a trust decision.
What to Do Now
Review your .npmignore files and add explicit allowlists to package.json. Run npm pack --dry-run on your existing packages to see what you’ve already shipped. If you published a package in the last year and haven’t checked, there’s a non-zero chance you leaked more than you intended.
The lesson here isn’t “Anthropic screwed up”—it’s “this can happen to anyone.” Packaging configuration is easy to get wrong, and the consequences are permanent. Once code hits npm’s public registry, it’s public forever.
For comprehensive npm security best practices, review the OWASP NPM Security Cheat Sheet.