AI explains the world
Claude Code Source Leak: Packaging Error, Structural Outflow, and the Question of Operational Excellence
On 31 March 2026, the complete source code of Claude Code ended up in an npm package. Copilot's analysis: mechanism, timeline, press reception, community reaction, and root cause hypotheses — with the conclusion that the structural outflow weighs heavier than the data outflow.
Replications with other models
To surface model bias, reviews are replicated with different AI systems.
Original prompt (for replication):
TOPIC: Claude Code's source code was leaked. Research on the web: facts, timeline, Anthropic reactions, German & international press, community reception, brainstorming vs. empirical explanations, final assessment.
Transparency note: This analysis was produced by GitHub Copilot (GPT-4o, Microsoft/OpenAI) — a direct competitor of Anthropic, whose product is analysed here. This potential conflict of interest is hereby disclosed. Editorial review was conducted by Lukas Geiger (LG).
1. Fact Check
Yes — the leak is confirmed. According to consistent reports and an Anthropic spokesperson statement, internal Claude Code source code was unintentionally made public.
Primary source: CNBC reports that Anthropic confirmed the leak and classified it as a “release packaging issue caused by human error, not a security breach.” Anthropic stated: “No sensitive customer data or credentials were involved or exposed.”
Technical mechanism: A source map file in the npm package (version 2.1.88) allowed reconstruction of the complete TypeScript source code — approximately 500,000 lines in about 1,900 files.
2. Brainstorming: How and Why Could This Happen?
Plausible Causes in the “Normal” Error Space
- Build/release pipeline misconfiguration: Source maps or debug artefacts not removed from the publish artefact (e.g. wrong .npmignore, wrong bundler flag, wrong CI target)
- Human-in-the-loop error: An engineer publishes an internal build profile (debug instead of prod), or a hotfix bypasses checks
- Insufficient release gates: No automated scanner checking for .map files, unminified sources, unusual package sizes, or “forbidden paths”
- Monorepo/artefact leakage: Internal paths/workspaces are included during packaging
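The release gate that the “insufficient release gates” point describes is easy to make concrete. The block below is an added example in JavaScript; it is not code from the article, from Anthropic, or from npm. It audits the manifest of what `npm publish` would ship and blocks the publish when it finds source maps, unbundled TypeScript, internal directories, or an unexpected size jump, and it classifies a source map by whether its `sourcesContent` field embeds the original text (the case that lets the full sources be rebuilt from the package alone) or only references source paths. The input shape is the one `npm pack --dry-run --json` prints (`files[].path`, `files[].size`, `unpackedSize`); the policy names, thresholds and all sample manifests are constructed for this example.

```javascript
// Added example (not code from the article, from Anthropic, or from npm):
// a pre-publish release gate that audits the manifest of what `npm publish`
// would ship and blocks the publish if debug artefacts or an unexpected size
// jump are present.
//
// Assumed input shape: the object `npm pack --dry-run --json` prints
// (files[].path, files[].size, unpackedSize). All data below is constructed.

// Gate policy. Every name and threshold here is an assumption for this example.
const POLICY = {
  forbiddenSuffixes: [".map"],                       // source maps never ship
  forbiddenDirs: ["src/", "test/", "tests/", "internal/", ".github/"],
  sizeGrowthLimit: 1.5,                              // vs. the previous release
};

// TypeScript sources must not ship; .d.ts declaration files are fine.
function isUnbundledTypeScript(file) {
  return /\.tsx?$/.test(file) && !/\.d\.ts$/.test(file);
}

// Returns human-readable findings; an empty list means the artefact is clean.
function auditPackManifest(manifest, previousUnpackedSize) {
  const findings = [];
  for (const entry of manifest.files) {
    const file = entry.path.replace(/\\/g, "/");
    if (POLICY.forbiddenSuffixes.some((s) => file.endsWith(s))) {
      findings.push(`source map in artefact: ${file}`);
    }
    if (isUnbundledTypeScript(file)) {
      findings.push(`unbundled TypeScript source: ${file}`);
    }
    const dir = POLICY.forbiddenDirs.find((d) => file.startsWith(d));
    if (dir !== undefined) {
      findings.push(`forbidden path ${dir} in artefact: ${file}`);
    }
  }
  if (previousUnpackedSize > 0 &&
      manifest.unpackedSize > previousUnpackedSize * POLICY.sizeGrowthLimit) {
    findings.push(`unpacked size ${manifest.unpackedSize} is more than ` +
      `${POLICY.sizeGrowthLimit}x the previous release (${previousUnpackedSize})`);
  }
  return findings;
}

// Given a parsed .map file, report what it would give away. A map whose
// sourcesContent carries the original text lets the full sources be rebuilt
// from the package alone; one that only lists source paths still leaks file
// names and project layout.
function classifySourceMap(map) {
  if (!map || typeof map.version !== "number" || !Array.isArray(map.sources)) {
    return "not-a-source-map";
  }
  const embedded = Array.isArray(map.sourcesContent) &&
    map.sourcesContent.some((s) => typeof s === "string" && s.length > 0);
  return embedded ? "embeds-sources" : "references-sources";
}

function gate(manifest, previousRelease) {
  const findings = auditPackManifest(manifest, previousRelease.unpackedSize);
  return { publishable: findings.length === 0, findings };
}

// Constructed sample: a debug build that accidentally shipped its map and a
// source file, and grew well past the previous release.
const previousRelease = { unpackedSize: 4100000 };
const debugManifest = {
  name: "example-cli", version: "0.0.0-example", unpackedSize: 9000000,
  files: [
    { path: "package.json", size: 512 },
    { path: "dist/cli.js", size: 4000000 },
    { path: "dist/cli.js.map", size: 4900000 },
    { path: "src/internal/flags.ts", size: 3000 },
    { path: "dist/types.d.ts", size: 2000 },
  ],
};
// Constructed sample: the same package built correctly.
const cleanManifest = {
  name: "example-cli", version: "0.0.0-example", unpackedSize: 4200000,
  files: [
    { path: "package.json", size: 512 },
    { path: "dist/cli.js", size: 4000000 },
    { path: "dist/types.d.ts", size: 2000 },
  ],
};
// Constructed sample map with embedded sources (the reconstructable case).
const embeddingMap = {
  version: 3, sources: ["../src/cli.ts"],
  sourcesContent: ["export function main() {}"], mappings: "AAAA",
};

for (const [label, manifest] of [["debug build", debugManifest], ["clean build", cleanManifest]]) {
  const result = gate(manifest, previousRelease);
  console.log(`${label}: ${result.publishable ? "OK to publish" : "BLOCKED"}`);
  for (const f of result.findings) console.log("  - " + f);
}
console.log("cli.js.map:", classifySourceMap(embeddingMap));
```

Run it as a CI step between `npm pack --dry-run --json` and `npm publish` and fail the job on a non-empty findings list. A `.npmignore` is a denylist, so anything the build adds later ships by default; the `files` field in package.json is an allowlist and is the more robust complement to a gate like this one.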
“Why” in the Sense of Contextual Pressure
- Time pressure/feature race: Claude Code is a competitive product — release frequency high, risk increases
- Organisational growth: Rapidly growing teams create ownership gaps (“who actually checks the publish artefact?”)
Unlikely but Conceivable Possibilities
- Deliberate leak by insider: Motive: open-source ideology, frustration, career signal, or “force transparency”
- “Plausible deniability” leak: Deliberate “oversight” to externalise community feedback/reverse engineering — with simultaneous legal distancing
- Supply chain/CI compromise: Attacker manipulates build output (Anthropic says “no breach”, but without published forensics it remains a residual hypothesis)
- Third-party release automation bug: A tool/action/plugin publishes wrong assets
3. Timeline
| Timepoint | Event |
|---|---|
| 31.03.2026 | Publication of Claude Code npm version 2.1.88; includes a source map enabling source code access |
| 31.03.2026 | Security researcher Chaofan Shou makes the find public (X post seen millions of times) |
| 31.03.2026, shortly after | Snapshots/mirrors appear on GitHub; community begins analysis/“dissection” |
| 31.03.2026 | Anthropic confirms the incident to media and classifies it as packaging error; affected npm version removed/replaced |
| 01–02.04.2026 | Secondary wave: articles about “what’s in the code”, rewrites/derivatives, legal/ethical debates |
4. Anthropic’s Reactions
Official Core Statements
“No sensitive customer data or credentials were involved or exposed.”
“This was a release packaging issue caused by human error, not a security breach.”
“We’re rolling out measures to prevent this from happening again.”
Observable Actions
- Takedown/replacement: The affected npm version was removed and replaced with a cleaned version
- Communication line: Minimisation of security narrative (“no breach”), focus on customer/credential protection and process improvement
5. German Press
“Embarrassing fail”/mishap frame: t3n emphasises the “fail” character, names source map in npm registry, scale (500k+ lines) and the spokesperson line “human error.”
Technical frame: heise explains source maps as mechanism, roughly classifies tool architecture (Bun/React/Ink etc.) and describes rapid removal of the package version.
Behind-the-scenes/community frame: Business Insider Deutschland describes the “sharing party”, rebuilds/derivatives and the dynamic that Anthropic reacted quickly but the spread was socially/technically no longer containable.
6. International Coverage
- US Business/Tech: CNBC focuses on confirmation, competitive implications and reach of the X post
- Security press: The Hacker News emphasises mechanism (source map), scope (thousands of files/500k+ LOC) and follow-on effects like typosquatting/dependency confusion risks
7. Community Reception (X, Reddit, Discord)
X / Twitter
- Dominant explanation: “Source code leaked via a map file in their npm registry” — the source map is cited as the trigger
- Meta-debate: “Available ≠ Open Source” — warnings against licence violations when copying/redistributing
- Much mockery/“shitpost” culture alongside serious threads
- Key cluster: Packaging error (debug artefact/source map) as standard explanation; “now you can rebuild it” — rebuilds/derivatives as immediate reaction
8. Brainstorm List vs. Empirical Explanations
What is empirically strongly supported
- Packaging/release error + human error is both claimed by Anthropic and technically consistently described by multiple media
- Rapid removal/replacement of affected version is reported
- No customer data/credentials according to Anthropic
What remains possible but unproven
- CI/supply chain compromise: Not supported in core sources; Anthropic denies “security breach” but without published forensics it remains a residual hypothesis
- Insider/intent: No substantial evidence — remains speculative
What appears empirically as “follow-on explanation”
- Mirror/fork explosion, rebuilds, legal grey zones: Prominent in coverage of community reactions
- Security aftershocks (typosquatting/dependency confusion): Prominent in security media
9. Conclusion
Most likely is a classic release engineering error (source map/debug artefact) under time pressure — and that is exactly what Anthropic says too.
The real damage is less “data outflow” than structural outflow: architecture, prompting/tooling design, internal feature flags — precisely what competitors and attackers need. Security media additionally point to secondary risks (typosquatting/dependency confusion) that are often worse than the original leak because they hit users in the follow-up phase.
And psychologically: a company strongly positioned on “safety/operational excellence” is judged more harshly for such mishaps — the community reacts not only technically but also normatively (“closed source, but sloppy” vs. “finally transparency”).
Sources
- CNBC — Anthropic leaks part of Claude Code’s internal source code
- The Hacker News — Claude Code Source Leaked via npm Packaging Error
- Business Insider DE — Anthropic publishes source code
Editorial note (Um:bruch)
Copilot’s analysis is solid and methodically clean. Its strongest contribution is the emphasis on secondary risks (typosquatting/dependency confusion), which are absent from Claude’s analysis and represent an important aspect for the overall assessment. Copilot is more reserved on community depth (no Reddit upvote numbers, no Undercover Mode detail) and avoids the DMCA analysis that forms a focus in the Claude analysis. Notable: Copilot explicitly names the “plausible deniability leak” hypothesis — a thought that Claude’s analysis subsumes under “de facto open sourcing.” The parallel analysis by Gemini is also available.
Source verification (2026-04-05): Transparency note on the competitive conflict of interest (Copilot/Microsoft/OpenAI analysing an Anthropic product) added retroactively at the beginning of the article.