Claude Code Source Code Leaked? Here’s what it contains

Claude Code source code leaked? Learn what was actually exposed, what it contains, and whether it’s real, usable, or just a rumor.

By Jesus Vargas

Updated on Mar 31, 2026

On March 31, 2026, Anthropic accidentally exposed the entire source code of Claude Code through a misconfigured source map file in their npm package. Within hours the codebase was archived across multiple public GitHub repositories with thousands of stars and forks.

This guide tells you exactly what happened, what was exposed, what was not, and what you need to do about it.

LowCode Agency has been selected by Anthropic as a certified Claude Partner, one of a curated group of firms validated to deploy Claude in real enterprise operations. See what that means for businesses building AI systems.

Key Takeaways

  • This is a confirmed real incident: on March 31, 2026, Claude Code's TypeScript source code became publicly accessible through an accidental npm packaging mistake, not a targeted attack.
  • The Claude AI model was not exposed: model weights, training data, and core AI infrastructure are not part of this leak and cannot be extracted from what was exposed.
  • You cannot run Claude from the leaked code: the source code alone produces nothing without the model weights and infrastructure that power Claude's intelligence.
  • API users and SaaS builders face no direct risk: this exposure does not compromise your API keys, your data, or applications built on Claude.
  • Downloading the leaked code carries legal risk: the code remains Anthropic's intellectual property regardless of how it became publicly accessible.

Was Claude Code Actually Leaked or Is This a Rumor?

This is confirmed real. On March 31, 2026, security researcher Chaofan Shou discovered that Claude Code's entire source code was accessible through a source map file in Anthropic's npm package.

The leaked codebase spans 1,900 TypeScript files and over 512,000 lines of code.

  • Confirmed by independent researchers: two separate security researchers independently discovered and documented the exposure within hours of it becoming accessible, with multiple technical analyses published the same day.
  • Archived to public GitHub repositories: the leaked source was mirrored to multiple public repositories, accumulating over 1,100 stars and 1,900 forks within hours of discovery before removal efforts began.
  • A packaging mistake, not a hack: this was not a targeted attack or security breach; it was an accidental build configuration error that included source map files in the published npm package.

This is not a rumor, a reverse-engineered approximation, or a misidentified open-source project. It is Anthropic's actual proprietary CLI source code exposed through an accidental publishing error.

What Exactly Was Exposed in the Claude Code Source Leak?

The Claude Code CLI source code was exposed. The Claude AI model was not. Understanding this distinction is the most important step in separating genuine concern from viral panic.

  • 785KB main.tsx entry point: the primary TypeScript file containing Claude Code's core CLI logic, custom React terminal renderer, and primary application structure.
  • 40+ permission-gated tools: each capability including file reading, bash execution, web fetch, and LSP integration exists as a discrete tool; the base tool definition alone spans 29,000 lines.
  • 46,000-line query engine: handles all LLM API calls, streaming, caching, and orchestration between Claude Code and Anthropic's model endpoints.
  • Multi-agent orchestration system: the architecture that coordinates multiple AI agents working together within a single Claude Code session.
  • Unreleased features: the source exposure revealed features not yet publicly announced including an internal mode called Kairos and a companion system called Buddy with per-user character generation.

What was not exposed is equally important: Claude's model weights, training data, training pipelines, and the core AI infrastructure that produces Claude's reasoning capability are entirely absent from this leak.

How Did the Claude Code Source Code Leak Happen?

The leak came from a source map file accidentally included in Anthropic's published npm package. This is a known and common packaging mistake in JavaScript and TypeScript development.

  • Source map files explain the problem: when TypeScript compiles to production JavaScript, build tools generate .map files that map bundled code back to original source lines for debugging purposes.
  • Bun generates source maps by default: Claude Code uses Bun as its bundler, which generates source maps automatically unless explicitly disabled; the .npmignore or bundler configuration was not set to exclude them.
  • The .map file pointed to an R2 bucket: the published source map referenced unobfuscated TypeScript sources hosted in Anthropic's R2 storage bucket, making the full source snapshot publicly downloadable by anyone who followed the reference.
  • Ironic internal failure: the source code reveals that Claude Code contains a system called Undercover Mode specifically designed to prevent internal codenames from appearing in git commits; the entire source then shipped in a .map file, reportedly generated by Claude itself.

The mechanism is straightforward and the mistake is reproducible by any team that does not explicitly audit what their npm package publishes before release.

Has Anthropic Confirmed or Responded to the Leak?

Anthropic has not issued a specific public statement about the Claude Code source map leak as of March 31, 2026.

The exposure was independently confirmed by multiple security researchers and covered by major developer publications within hours of discovery.

  • Pattern consistent with previous Anthropic incidents: earlier in March 2026, Anthropic acknowledged a separate data exposure where internal CMS content including details about Claude Mythos became publicly accessible through a misconfigured content management system.
  • Prior response context: when the CMS leak was disclosed, Anthropic attributed it to human error in CMS configuration and clarified that the exposed materials did not involve core infrastructure, AI systems, or customer data.
  • Standard company silence on active incidents: organizations typically take hours to days before issuing formal statements on active security disclosures while they assess scope, remove accessible content, and prepare an accurate response.

The absence of an immediate statement does not indicate the severity of the incident in either direction. The technical facts of the exposure are confirmed independently of any Anthropic response.

Is the Leaked Claude Code Source Actually Usable?

The leaked source code is readable and analyzable but not executable as a standalone Claude system. You cannot download it and run Claude.

  • Model weights are completely absent: Claude's intelligence comes from billions of parameters trained across massive datasets; none of that is in a CLI tool's TypeScript source code.
  • Infrastructure is not included: the API endpoints, compute infrastructure, safety systems, and model serving architecture that make Claude function are not part of what was exposed.
  • Training pipeline is entirely separate: the processes that produce Claude's capabilities are independent of the tool that interfaces with it; the source code is the client, not the AI.
  • You can analyze the architecture: the leaked code reveals how Claude Code is structured, how it communicates with Claude's API, and how its tool system works, but reveals nothing about how Claude itself reasons or generates outputs.

Running Claude requires the model weights and infrastructure that Anthropic controls. The source code alone is an empty shell without the AI that makes it valuable.

Is This a Real Leak or a Technical Misunderstanding?

This is a genuine proprietary source code exposure caused by a packaging error. It is not a misidentified open-source project or a fabricated claim.

  • Source maps are source code: many developers and non-technical observers do not understand that .map files in npm packages can contain or reference complete original source code; this creates confusion between intentional open-source releases and accidental exposures.
  • Different from reverse-engineered projects: reverse-engineered projects approximate behavior from external observation; this leak contains Anthropic's actual TypeScript implementation as it exists in their internal codebase.
  • Not the same as system prompt exposure: system prompt leaks reveal the instructions given to a model; source code leaks reveal the software wrapper around that model; both are sensitive but they expose different things.

The confusion in coverage comes from conflating the CLI tool source code with the Claude AI model itself, which are fundamentally different components of a system that happens to carry the same brand name.

Is It Safe to Download or Use the Leaked Claude Code Files?

No. Downloading and using the leaked files carries both legal risk and security risk that make it inadvisable regardless of curiosity or technical interest.

  • Legal risk is real: the source code is Anthropic's intellectual property; downloading, using, or distributing it without authorization creates legal exposure under copyright law regardless of how it became publicly accessible.
  • Malware risk in secondary repositories: when genuine leaks go viral, malicious actors rapidly publish fake mirrors containing malware; repositories claiming to host the leaked code that appeared after the initial discovery should be treated as high-risk.
  • Phishing risk from surrounding activity: major security incidents generate waves of phishing attempts targeting developers who search for related content; links shared in developer communities, Discord servers, and social media around this incident should be verified carefully.

The technical interest in the architecture is legitimate. The risk of acting on that interest by downloading the files outweighs the value for most developers.

Does This Leak Affect Developers and Businesses Using Claude?

For the vast majority of Claude API users, SaaS builders, and businesses using Claude in production, this incident has no direct operational impact.

  • API keys are not exposed: the leaked source code contains the architecture for how Claude Code uses API keys but does not expose any actual API keys belonging to Anthropic or any user.
  • Your data is not at risk: customer data processed through Claude's API is handled at the model infrastructure layer, not in the CLI tool layer that was exposed.
  • Claude's capabilities are unchanged: the model itself is unaffected; Claude continues to function at the same capability level with the same safety properties regardless of the CLI tool source exposure.
  • Applications built on Claude are unaffected: SaaS products, AI agents, and Claude-powered workflows built on the API operate independently of the CLI tool whose source was exposed.

The incident affects Anthropic's competitive position regarding CLI architecture more than it affects the security or functionality of anything their customers have built.

Can Someone Recreate Claude from the Leaked Source Code?

No. Recreating Claude from the leaked source code is not technically feasible. The source code is the interface layer, not the intelligence layer.

  • Model weights are the irreplaceable component: Claude's reasoning, knowledge, and capabilities exist entirely in the trained model weights that took enormous compute resources to produce; these are not in the source code and cannot be derived from it.
  • Training pipeline is entirely separate: reproducing Claude would require access to training data, compute infrastructure, alignment techniques, and the training pipeline itself; none of these are exposed.
  • The CLI is just an API client: Claude Code is sophisticated software for managing interactions with Claude's API; owning its source code is equivalent to owning the source code of a web browser without owning the internet.
  • Architecture knowledge does not transfer capability: understanding how Claude Code orchestrates tools, manages context, and handles multi-agent workflows does not provide any capability to reproduce the model that executes the actual intelligence.

Anyone claiming the leaked source enables Claude replication either misunderstands the architecture or is deliberately misrepresenting what the leak contains.

Why Do AI Leaks Go Viral Even When the Risk Is Overstated?

AI leaks generate disproportionate coverage because most audiences conflate the software tools built around AI models with the AI models themselves.

  • Code and intelligence are conflated: non-technical audiences hear that Claude Code's source code leaked and assume Claude's intelligence was exposed; the distinction between a CLI tool and a language model is not intuitive without technical background.
  • 512,000 lines sounds significant: large numbers create the impression of a major breach regardless of what those lines actually contain; most readers cannot evaluate whether 512,000 lines of CLI TypeScript represents a serious AI security incident.
  • Viral mechanics reward urgency over accuracy: social media posts about AI leaks accumulate engagement faster than corrections; the initial viral claim reaches far more people than the accurate technical explanation published hours later.

The Claude Mythos leak earlier in March 2026 followed the same pattern: a genuine disclosure that was significantly different in nature and risk from how it was initially described across social media.

Claude Code vs Claude Model vs API: What Most People Get Wrong

Claude Code, the Claude AI model, and the Claude API are three separate components that share a brand name but serve completely different functions.

Component       | What It Is                       | What Was Exposed
Claude Code     | CLI tool for developer workflows | Yes — source code exposed
Claude AI Model | The trained language model       | No — weights not exposed
Claude API      | Interface to access the model    | No — endpoints not exposed

  • Claude Code is the tool: the CLI that developers use to interact with Claude from their terminal; its source code was what leaked on March 31, 2026.
  • Claude the model is the intelligence: the trained language model containing billions of parameters that produce Claude's reasoning and outputs; entirely separate from the CLI tool.
  • The API is the connection layer: the endpoints and authentication infrastructure that connect Claude Code and other applications to the model; not part of the leaked source.

Mixing these three components is the source of almost every misleading claim about what the March 31 leak actually means.

How to Verify Any AI Leak Before Believing the Claims

Most AI leaks are either misidentified open-source code, reverse-engineered approximations, or genuine minor exposures described as catastrophic breaches. A simple verification framework prevents unnecessary panic.

  • Does it include model weights? A genuine AI model leak requires the trained parameters; if weights are absent the model itself is not leaked regardless of what else is included.
  • Can it run independently? Genuine leaks of functional AI systems can execute without connecting to external infrastructure; if the exposed code requires API calls to a third-party service the model itself is not exposed.
  • Is the source credible and verified? Anonymous GitHub repositories and social media posts claiming AI leaks are high-risk for misidentification and malware; wait for independent technical verification before treating any claim as confirmed.
  • Is there a technical analysis, not just a headline? Credible incident reporting includes specific file names, architecture descriptions, and technical detail that can be evaluated; viral claims without technical specificity are almost always exaggerated.
  • Has the company responded? Official statements, even brief ones acknowledging investigation, add meaningful signal; complete silence from the affected company on a major claimed breach is a flag worth noting.

What Should You Do Right Now About the Claude Code Leak?

The right response depends on your relationship with Claude Code and your role in the developer ecosystem.

  • If you are a developer using Claude Code: no immediate action is required; continue using the tool normally as the exposure does not affect its functionality, your API keys, or any data you have processed through it.
  • If you are a business using Claude in production: focus on your vendor's response rather than viral coverage; Anthropic's core infrastructure, customer data, and model capabilities are unaffected by this CLI source exposure.
  • If you are curious about the architecture: read the technical analyses published by security researchers who examined the code responsibly rather than downloading repositories that may contain malware alongside the legitimate leaked content.
  • If you publish npm packages: use this incident as a prompt to audit your own publishing configuration; run npm pack --dry-run before every release to verify exactly what files are included in your distributed package.
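
The packaging audit recommended above, applied to the source-map failure mode described under "How Did the Claude Code Source Code Leak Happen?". This is an added example, not code from the article or from Anthropic; the function names, the `[{ path, content }]` input shape, and the `bucket.example` host are assumptions made for illustration. It checks shipped `.map` files, embedded `sourcesContent`, remote source references, and inline maps that filename-based ignore rules miss.

```javascript
// Added example: flag source-map exposure in the files an npm tarball would ship.
// Assumed input shape: [{ path, content }], built from the paths listed by
// `npm pack --dry-run --json` with each file's text read from disk.
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/g;
const REMOTE = /^(?:https?:)?\/\//i;

// Report what one source map (JSON text) would disclose.
function inspectMap(path, text) {
  let parsed = null;
  try { parsed = JSON.parse(text); } catch { /* reported below */ }
  if (!parsed || typeof parsed !== 'object') return [{ path, issue: 'unparseable-map' }];
  // Index maps nest ordinary maps under sections[].map.
  const nested = Array.isArray(parsed.sections) ? parsed.sections.map((s) => s && s.map) : [parsed];
  const findings = [];
  for (const m of nested.filter(Boolean)) {
    const embedded = (m.sourcesContent || []).filter((c) => typeof c === 'string').length;
    if (embedded > 0) findings.push({ path, issue: 'embedded-original-source', count: embedded });
    const remote = (m.sources || [])
      .filter((s) => typeof s === 'string')
      .map((s) => (REMOTE.test(s) ? s : (m.sourceRoot || '') + s))
      .filter((s) => REMOTE.test(s));
    if (remote.length > 0) findings.push({ path, issue: 'remote-source-reference', urls: remote });
  }
  return findings;
}

// Decode a data: URI carrying an inline source map; '' if it is malformed.
function decodeDataUri(uri) {
  const comma = uri.indexOf(',');
  try {
    return /;base64$/i.test(uri.slice(0, comma))
      ? Buffer.from(uri.slice(comma + 1), 'base64').toString('utf8')
      : decodeURIComponent(uri.slice(comma + 1));
  } catch { return ''; }
}

// Audit every file that would be published and return a list of findings.
function auditPackage(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (/\.map$/i.test(path)) {
      findings.push({ path, issue: 'map-file-in-package' }, ...inspectMap(path, content));
    } else if (/\.[cm]?js$/i.test(path)) {
      for (const [, url] of content.matchAll(MAP_COMMENT)) {
        if (url.startsWith('data:')) {
          // Inline maps have no .map filename, so ignore rules on *.map miss them.
          findings.push({ path, issue: 'inline-map' }, ...inspectMap(path, decodeDataUri(url)));
        } else if (REMOTE.test(url)) {
          findings.push({ path, issue: 'remote-map-reference', urls: [url] });
        }
      }
    }
  }
  return findings;
}

// Constructed sample (placeholder host): one shipped map and one inline map.
const INLINE = JSON.stringify({ version: 3, sources: ['src/b.ts'], sourcesContent: ['export {}'], mappings: '' });
const SAMPLE = [
  { path: 'dist/cli.js', content: 'run();\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'dist/cli.js.map', content: JSON.stringify({ version: 3, sourceRoot: 'https://bucket.example/src/', sources: ['main.tsx'], mappings: '' }) },
  { path: 'dist/b.js', content: '//# sourceMappingURL=data:application/json;base64,' + Buffer.from(INLINE).toString('base64') },
];
```

Treat any finding as a release blocker in CI. An allowlist in the `files` field of package.json is a safer default than exclusion rules in .npmignore, because a new build artifact is left out unless someone opts it in.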

Claude Code Channels and the broader Claude product ecosystem continue to operate normally regardless of this source code exposure.

Conclusion

The Claude Code source code exposure on March 31, 2026 is a genuine incident caused by an accidental npm packaging error, not a targeted attack. What leaked is the TypeScript source of a CLI tool, not the Claude AI model, not the training data, and not the infrastructure that makes Claude work.

The practical impact on developers, API users, and businesses using Claude in production is minimal. The architectural insight the leak provides is significant.

The legal and security risk of downloading the exposed files is real. Keep these three things separate (the practical impact, the architectural insight, and the download risk) before acting on any claims you encounter about what this incident means.

Want to Build AI Systems With Security and Architecture Built In?

At LowCode Agency, we are a leading AI development studio and a certified member of Anthropic's Claude Partner Network. Anyone can connect an API and call it an AI product.

What we bring to every engagement is the architecture discipline and security thinking that separates AI systems that work reliably in production from ones that break under real operational conditions.

  • Security-first architecture: we design data access controls, governance layers, and permission systems before writing a single line of AI logic, not as an afterthought when enterprise requirements surface later.
  • Production-grade AI agents: our AI agent development service builds autonomous systems designed for real operational load, not demos that work once and fail under real usage.
  • Claude-powered and beyond: we build on Claude as a certified partner but also work across OpenAI, Gemini, and open-source models depending on what the system actually requires.
  • RAG systems built for accuracy: our RAG development service connects AI to your company knowledge with the retrieval architecture that prevents hallucination at production scale.
  • AI consulting before you build: our AI consulting service maps your highest-ROI AI opportunities and identifies the security and architecture decisions that determine whether the system holds up long term.

We have shipped 350+ products across 20+ industries. Clients include Medtronic, American Express, Coca-Cola, and Zapier.

If you want AI built with the architecture and security that the incident above proves most teams skip, let's talk.
