On March 31, 2026, a routine npm publish turned into pure chaos. A 59.8 MB JavaScript source map file meant for internal debugging shipped inside version 2.1.88 of the Claude Code package.
A researcher, Chaofan Shou (@Fried_rice), yanked that file within hours and publicly disclosed the Claude Code leak on X. Within the next few hours, the whole internet’s nerds had mirrored, de-obfuscated, and gone through more than 513,000 lines of TypeScript across 2000+ files.
Anthropic kind of let the genie out of the bottle without knowing how to put it back in.
Claude code source code has been leaked via a map file in their npm registry!
Code: https://t.co/jBiMoOzt8G
— Chaofan Shou (@Fried_rice) March 31, 2026
Anthropic described the incident as “a release packaging issue caused by human error, not a security breach.” That statement is technically accurate, but insufficient given the severity of the Claude source code leak.
This was the second recent slip for Anthropic within a week. A few days earlier (around March 26), an unsecured CMS/cache leak exposed a draft blog post about an unreleased powerful model called Claude Mythos (also internally “Capybara”), described as a “step change” in capabilities with major cybersecurity implications.
What the Claude code leak revealed
Before the Claude code leak, outsiders had only a fragmented, superficial understanding of Claude’s internals, which made successful attacks harder. Following the public release of the full annotated codebase, attackers now have access to a detailed architectural blueprint of Claude’s prompt processing, memory management, security boundaries, and unreleased features. This Claude source code leak dramatically lowered the bar for targeted attacks.
Key highlights of the Claude code leaked files:
- Unreleased/planned features (via ~44 feature flags):
  - KAIROS: Always-on background daemon/agent that watches, logs, and acts proactively (with limits to avoid interference).
  - autoDream / dreaming: Background memory consolidation while idle, turning observations into facts.
  - ULTRAPLAN: Offloads complex planning to a remote, powerful model (e.g., Opus variant) for deeper thinking.
  - Tamagotchi-style “pet”/Buddy: A reactive virtual companion with species, stats (including CHAOS/SNARK), hats, etc. This indicates Anthropic is exploring the emotional engagement space and gamified user interaction.
  - “Undercover Mode” for Anthropic staff contributing to open-source repos stealthily (hiding AI involvement).
  - Code tracking user frustration (profanity, “this sucks,” etc.). Anti-distillation measures and permission/safety systems.
- Architecture insights: Agent loops, tool systems (bash, file ops, etc.), prompt construction/caching, security boundaries, and performance tweaks. It shows the “moat” is often in the harness/infrastructure around the model, not just the model itself.
- Slash commands and UI: ~85 built-in slash commands and a custom terminal renderer.
- Memory and state management: Three-layer self-healing memory architecture (e.g., MEMORY.md, CLAUDE.md handling with global/project/local rules), persistent context, auto-compaction, and background consolidation.

What are the security risks of the Claude source map leak?
The Claude code leak created no immediate security risk by itself; the harm is that adversaries now have far too much information about Claude. Attackers can now craft prompt-injection payloads specifically designed to survive Claude Code’s context compaction phase, potentially persisting a backdoor across an arbitrarily long session without the user ever seeing a trust prompt.
In simple terms, attackers can now fuzz exactly how data flows through Claude Code’s pipeline.
Even more damning: the leak instantly weaponized two pre-existing vulnerabilities now tracked as CVE-2025-59536 and CVE-2026-21852. These allow RCE and API-key exfiltration through nothing more exotic than a malicious repository config, a tampered .claude/hooks directory, or a poisoned MCP server.
Before March 31, exploiting these required reverse-engineering the minified bundle. After the Claude source code leak, any moderately skilled red teamer or opportunistic script kiddie can read the exact validation logic, craft bypasses, and ship them inside a convincing “Claude code leaked files” lure.
Luring curious people through GitHub
As the saying goes, curiosity kills the cat. Within 24 hours of the Claude code leak, security researchers identified GitHub repositories (notably one under idbzoomh) posing as official mirrors, complete with a “Claude Code – Leaked Source Code.7z” release containing a Rust dropper that installs Vidar v18.7, an infostealer, and the GhostSocks proxy.

The lure ranked near the top of Google results for “Claude code leaked files.” Threat actors updated the malicious ZIP multiple times in a single day. This is a textbook supply-chain attack.
In parallel, an Axios-related npm campaign was already dropping RATs, and attackers simply layered the Claude code leak brand on top.
What should be learned from the Claude code leak?
The Claude code leak is an example of how human error in a build pipeline can expose an entire company’s crown jewels. It proves that even the most advanced and sophisticated teams are still vulnerable to silly mistakes.
Security teams can prevent these types of disasters with automated secret scanning in CI/CD pipelines or by introducing strict access controls and thorough manual review before every release. Fire drills and tabletop exercises that rehearse a full leak should become standard for sensitive companies like Anthropic.
After this Claude code leak, every organization should immediately:
- Implement strict CI/CD release gates.
- Make every build pass automated checks or manual review to strip unauthorized packages or data.
- Separate internal and public codebases with a strict access control policy.
- Enforce strict data classification tagging.
- Have an IR playbook specifically designed for Code Leaks.
Implementing these measures could keep a single human packaging mistake from becoming a company-wide catastrophe. For organizations handling frontier AI, the release pipeline must be treated with the same level of paranoia and rigor as model training infrastructure.
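One way to automate the release-gate check above for the failure in this incident, a source map shipped inside an npm package. This is an added example, not Anthropic's or npm's code; the `[{ path, content }]` input shape, the function names and the sample files are assumptions constructed for illustration:

```javascript
// Added example (not Anthropic's or npm's code): fail a release when source maps would ship.
// Assumed input: [{ path, content }] for every file that would land in the tarball.
const MAP_COMMENT = /\/[\/*]# sourceMappingURL=(\S+)/;
const DATA_URI = /^data:application\/json[^,]*;base64,(.+)$/;

// Count original sources embedded in a v3 map (sourcesContent), including index maps
// that nest maps under "sections". Unparseable text counts as 0.
function embeddedSources(text) {
  try {
    const map = JSON.parse(text);
    const maps = Array.isArray(map.sections) ? map.sections.map((s) => s.map || {}) : [map];
    return maps.reduce(
      (n, m) => n + (m.sourcesContent || []).filter((s) => typeof s === 'string').length, 0);
  } catch {
    return 0;
  }
}

function auditPackage(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      // Any shipped .map is a finding; embedded sources make it a full source disclosure.
      findings.push({ path, kind: 'external-map', embedded: embeddedSources(content) });
    } else if (/\.[cm]?js$/.test(path)) {
      const m = MAP_COMMENT.exec(content);
      if (!m) continue;
      const inline = DATA_URI.exec(m[1]);
      const embedded = inline ? embeddedSources(Buffer.from(inline[1], 'base64').toString('utf8')) : 0;
      findings.push({ path, kind: inline ? 'inline-map' : 'map-reference', embedded });
    }
  }
  // Block on any map actually in the package; a bare reference is reported as a warning only.
  const blocked = findings.some((f) => f.kind !== 'map-reference');
  return { blocked, findings };
}

// Constructed sample package: a bundle, its map with one embedded source, and an inline map.
const sampleMap = JSON.stringify({ version: 3, sources: ['src/main.ts'],
  sourcesContent: ['export const x: number = 1;'], mappings: 'AAAA' });
const inlineUrl = 'data:application/json;base64,' + Buffer.from(sampleMap).toString('base64');
const SAMPLE = [
  { path: 'cli.js', content: 'console.log(1);\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: sampleMap },
  { path: 'lib/util.mjs', content: 'export{};\n//# sourceMappingURL=' + inlineUrl + '\n' },
  { path: 'README.md', content: '# demo' },
];
console.log(auditPackage(SAMPLE));
```

In a pipeline, feed it the files extracted from the tarball produced by `npm pack` and fail the job when `blocked` is true.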
How Astra Security Can Help You
The Claude code leak has significantly increased the risk surface for both individual users and companies building on Anthropic’s platform. Astra Security AI penetration testing can help you to proactively address these risks by simulating threat actor behavior on your Claude-powered products and integrations.
Our combination of manual pentesting and advanced automated scanning can identify threats and attack vectors in your product, covering recent CVEs, prompt injection, guardrail assessment, etc.
Whether you’re running Claude Code directly or have built custom agents, workflows, or applications on top of Claude, our pentest gives you clear visibility into how resilient your current setup actually is.
We are confident that our AI penetration testing will significantly strengthen your reputation and build greater trust among users and stakeholders, as many remain highly concerned about the Claude code leak.
Final Thoughts
The internet is keeping Anthropic’s Claude code source map leak forever. That is the nature of the internet; once out, information is permanently out. Anthropic’s “human error in packaging” explanation is true, but understates the impact after their second slip in a week.
The more important question is what the industry builds differently in response to the Claude source code leak. If the answer is “better secret management in our npm publish script,” we will have learned very little from a very expensive lesson.
Also, everyone should implement a workaround (until patches are available) for the exploited vulnerabilities in Claude and monitor the IOCs to prevent cyber intrusions through Claude.
Source:
- https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak
- https://venturebeat.com/ai/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know



