Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms
Summary
Anthropic confirmed that Claude Code's source code was accidentally leaked through an npm package (a JavaScript library repository) containing a source map file, exposing nearly 2,000 TypeScript files and over 512,000 lines of code. The leaked code revealed internal features like a self-healing memory architecture and a stealth mode for making hidden contributions to open-source projects, creating security risks because attackers can now study how the system works to bypass its safeguards. Additionally, users who downloaded the affected version between specific times on March 31, 2026 may have received a trojanized HTTP client (compromised software) containing malware.
Solution / Mitigation
Anthropic stated it is 'rolling out measures to prevent this from happening again.' Users who installed or updated Claude Code via npm on March 31, 2026 between 00:21 and 03:29 UTC are advised to immediately downgrade to a safe version and rotate all secrets (regenerate passwords and access keys).
Classification
Affected Vendors
Related Issues
Original source: https://thehackernews.com/2026/04/claude-code-tleaked-via-npm-packaging.html
First tracked: April 1, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%