Anthropic accidentally published the full, unobfuscated source code for Claude Code — its fastest-growing product — inside an npm package. Version 2.1.88 of the CLI included a source map file (cli.js.map) containing the complete TypeScript codebase, normally distributed only in obfuscated form.
A post on X sharing a link to the code amassed more than 21 million views within hours. Anthropic scrambled to pull the npm package and issued takedown requests to remove copies from GitHub — then had to scale those efforts back after the removals hit more repositories than intended. The leak also exposed unreleased features, turning a packaging mistake into a broader product and trust problem.
"No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said. "This was a release packaging issue caused by human error, not a security breach."
The timing is brutal. This is Anthropic's second major data blunder in under a week — coming right after the Claude Mythos leak we covered on March 28, when nearly 3,000 unpublished internal documents were found in a publicly accessible database. An AI safety company that keeps leaving doors unlocked is becoming a pattern.
Why it matters
Claude Code is not a side project. Its run-rate revenue had swelled to more than $2.5 billion as of February, making it one of the most commercially important AI coding tools on the market. The source code leak gives competitors — OpenAI, Google, xAI — a direct look at how Anthropic built the tool that's been eating into their developer market share.
Beyond competitive intelligence, the leak raises a harder question about Anthropic's internal controls. The company's entire brand is built on safety, reliability, and careful engineering. Two unforced data exposures in one week undermines that positioning at exactly the moment enterprises are deciding which AI coding tools to standardize on.
For developers who use Claude Code, the immediate risk is low — no customer data or credentials were exposed. But for Anthropic as a business, the reputational cost is real and compounding.
Also in the news
- NASA launched Artemis II — the first crewed lunar flyby in over 50 years. Four astronauts are on a 10-day journey around the Moon aboard the Orion spacecraft, testing systems for eventual lunar landing missions.
- SpaceX confidentially filed for its IPO, codenamed "Project Apex." With 21 banks lined up and a target valuation of $1.75 trillion, it's set to be the largest stock market debut in history, expected in June.
- Google warned quantum computers could crack encryption sooner than expected, publishing research showing elliptic-curve cryptography may be vulnerable with fewer qubits than previously projected.
- Iran's IRGC threatened Nvidia, Apple, and other tech companies with attacks amid escalating tensions, adding a new geopolitical risk dimension to the semiconductor supply chain.