Accidental disclosure of Anthropic's Claude Code closed-source implementation via NPM package
Summary
Anthropic accidentally exposed the closed-source implementation of its Claude Code AI coding assistant through a packaging error in an NPM release. The leak occurred when version 2.1.88 of Claude Code included a 60 MB source map file (`cli.js.map`) containing approximately 1,900 files and 500,000 lines of internal source code. No customer data or credentials were involved. The exposed code has since propagated widely on platforms like GitHub, prompting Anthropic to issue DMCA takedown notices. The incident stemmed from a human error during release packaging, not a security breach, and Anthropic is implementing measures to prevent recurrence. The disclosed code reveals undocumented features, including a "Proactive mode" for 24/7 autonomous coding and a "Dream" mode for background problem-solving, along with details of Claude-exclusive functionality.
Timeline
- 01.04.2026 03:32 (1 article)
  Claude Code closed-source implementation exposed via NPM packaging error
  Anthropic’s closed-source Claude Code AI coding assistant had its internal source code (1,900 files, 500,000 lines) accidentally exposed via version 2.1.88 of its NPM package due to inclusion of a 60 MB `cli.js.map` file containing embedded source content. The exposure was caused by human error during packaging, not a security breach. Anthropic has since issued DMCA takedowns for the leaked code and is implementing controls to prevent recurrence.
  Source: Claude Code source code accidentally leaked in NPM package — www.bleepingcomputer.com — 01.04.2026 03:32
Information Snippets
- Anthropic accidentally published the internal source code for its closed-source Claude Code AI assistant in version 2.1.88 of the NPM package.
  First reported: 01.04.2026 03:32 (1 source, 1 article)
  Source: Claude Code source code accidentally leaked in NPM package — www.bleepingcomputer.com — 01.04.2026 03:32
- The leak occurred via a 60 MB source map file (`cli.js.map`) included in the NPM package. Because the map's `sourcesContent` field embeds full file contents, it reconstructs to approximately 1,900 files and 500,000 lines of source code.
  First reported: 01.04.2026 03:32 (1 source, 1 article)
  Source: Claude Code source code accidentally leaked in NPM package — www.bleepingcomputer.com — 01.04.2026 03:32
- Anthropic confirmed the exposure was a packaging error caused by human error and not a security breach, with no customer data or credentials exposed.
  First reported: 01.04.2026 03:32 (1 source, 1 article)
  Source: Claude Code source code accidentally leaked in NPM package — www.bleepingcomputer.com — 01.04.2026 03:32
- The exposed code has spread across GitHub and other platforms, leading Anthropic to issue DMCA infringement notifications to remove it.
  First reported: 01.04.2026 03:32 (1 source, 1 article)
  Source: Claude Code source code accidentally leaked in NPM package — www.bleepingcomputer.com — 01.04.2026 03:32
- The disclosed source code reveals undocumented features such as a "Proactive mode" for continuous autonomous coding and a "Dream" mode for background problem-solving.
  First reported: 01.04.2026 03:32 (1 source, 1 article)
  Source: Claude Code source code accidentally leaked in NPM package — www.bleepingcomputer.com — 01.04.2026 03:32
- Anthropic is investigating a separate bug causing faster-than-expected exhaustion of usage limits in Claude Code, affecting Pro, Max, and Personal plans.
  First reported: 01.04.2026 03:32 (1 source, 1 article)
  Source: Claude Code source code accidentally leaked in NPM package — www.bleepingcomputer.com — 01.04.2026 03:32
- Users reported usage limits being reached in minutes rather than hours of interaction, with Anthropic prioritizing this as a top issue as of March 31, 2026.
  First reported: 01.04.2026 03:32 (1 source, 1 article)
  Source: Claude Code source code accidentally leaked in NPM package — www.bleepingcomputer.com — 01.04.2026 03:32
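
The `sourcesContent` mechanism described in the snippets above can be checked for before a package is published. The following is an added example, not code from Anthropic or the cited article: it inspects a package's file contents for `.map` files that embed original sources, including index maps that nest maps under `sections`. The function names and the sample package contents are constructed for illustration.

```javascript
// Added example: flag source maps that embed original sources via `sourcesContent`.
// `files` maps a package-relative path to that file's text.

// Collect every flat map inside a source map, including index maps ("sections").
function flatten(map) {
  if (!map || typeof map !== "object") return [];
  if (Array.isArray(map.sections)) return map.sections.flatMap((s) => flatten(s.map));
  return [map];
}

// Return one finding per .map file that carries embedded (non-null) source text.
function findEmbeddedSources(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (!path.endsWith(".map")) continue;
    let parsed;
    try {
      parsed = JSON.parse(text);
    } catch {
      findings.push({ path, error: "unparseable source map" });
      continue;
    }
    let embedded = 0;
    let chars = 0;
    const names = [];
    for (const m of flatten(parsed)) {
      const contents = Array.isArray(m.sourcesContent) ? m.sourcesContent : [];
      contents.forEach((content, i) => {
        if (typeof content !== "string") return; // null means "not embedded"
        embedded += 1;
        chars += content.length;
        names.push((m.sources || [])[i] ?? `<unnamed ${i}>`);
      });
    }
    if (embedded > 0) findings.push({ path, embedded, chars, names });
  }
  return findings;
}

// Constructed sample package contents (not taken from the real release).
const samplePackage = {
  "cli.js": "console.log(1);\n//# sourceMappingURL=cli.js.map\n",
  "cli.js.map": JSON.stringify({
    version: 3, sources: ["src/main.ts", "src/util.ts"],
    sourcesContent: ["export const secret = 1;\n", null], mappings: "AAAA",
  }),
  "lib.js.map": JSON.stringify({ version: 3, sources: ["src/lib.ts"], mappings: "AAAA" }),
};
const findings = findEmbeddedSources(samplePackage);
console.log(findings);
```

In a release pipeline, a check of this kind would fail the publish step whenever the returned array is non-empty.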