VYPR
breach · Published Apr 3, 2026 · Updated May 20, 2026 · 1 source

Anthropic Claude Code npm Packaging Error Exposes 512K Lines of Source Code, Triggers Malware Lures

A misconfigured npm package exposed Anthropic's internal Claude Code source code, and within 24 hours threat actors weaponized the leak to distribute Vidar and GhostSocks malware via fake GitHub repositories.

In late March 2026, Anthropic inadvertently released the internal Claude Code source material as part of an npm package that included a large internal source map file. Although the incident stemmed from a simple packaging mistake, threat actors were quick to capitalize on the resulting attention. Only 24 hours after the leak, they were able to create fake GitHub repositories to distribute credential-stealing malware disguised as "leaked" Claude Code downloads.

The exposure occurred on March 31, 2026, when a routine npm publish for Anthropic's @anthropic-ai/claude-code package (version 2.1.88) inadvertently included cli.js.map, a 59.8 MB JavaScript source map generated by the Bun bundler. This file's embedded sourcesContent field exposed the complete original TypeScript source tree — approximately 512,000 lines of code across 1,900 files — corresponding to build artifacts hosted on a publicly accessible Cloudflare R2 storage bucket. The project's .npmignore file failed to exclude .map files from the distribution, and because Bun generates full source maps by default, the entire agentic harness powering Claude Code was shipped out.
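A pre-publish audit for the packaging failure described above, as an added example that is not Anthropic's, Bun's or npm's code: it flags any packed file that is a source map with a populated sourcesContent field. The package contents are constructed sample data, and the inline `data:` URI check goes beyond the external cli.js.map case the article describes.

```javascript
// Added example: audit packed files for source maps that carry original sources (constructed data).
// Count non-empty entries in a parsed source map's sourcesContent array.
function embeddedSources(map) {
  if (!map || !Array.isArray(map.sourcesContent)) return 0;
  return map.sourcesContent.filter((s) => typeof s === "string" && s.length > 0).length;
}

// Parse JSON without throwing; returns null for malformed input.
function parseJson(text) { try { return JSON.parse(text); } catch { return null; } }

// Matches a source map inlined into a bundle as a base64 data: URI.
const INLINE_MAP = /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+\/=]+)/;

// Inspect one packed file; returns { file, severity, reason } or null when clean.
function inspectFile(file, text) {
  if (file.endsWith(".map")) {
    const n = embeddedSources(parseJson(text));
    return n > 0
      ? { file, severity: "block", reason: `source map embeds ${n} original source file(s)` }
      : { file, severity: "warn", reason: "source map shipped (no embedded sources found)" };
  }
  const inline = INLINE_MAP.exec(text);
  if (inline) {
    const n = embeddedSources(parseJson(Buffer.from(inline[1], "base64").toString("utf8")));
    if (n > 0) return { file, severity: "block", reason: `inline source map embeds ${n} original source file(s)` };
  }
  return null;
}

// Audit every file that would be packed; `files` maps path -> text content.
function auditPackage(files) {
  return Object.entries(files).map(([f, t]) => inspectFile(f, t)).filter(Boolean);
}

// Constructed package: a bundle, a full external map, and a bundle with an inline map.
const sampleMap = JSON.stringify({
  version: 3, sources: ["src/main.ts", "src/util.ts"],
  sourcesContent: ["export const a = 1;", "export const b = 2;"], mappings: "",
});
const samplePackage = {
  "package.json": '{"name":"example-cli","version":"0.0.0"}',
  "cli.js": "console.log(1);\n//# sourceMappingURL=cli.js.map\n",
  "cli.js.map": sampleMap,
  "lib/extra.js": "x();\n//# sourceMappingURL=data:application/json;base64," +
    Buffer.from(sampleMap).toString("base64"),
};

console.log(auditPackage(samplePackage));
```

In a real pipeline the file list would come from `npm pack --dry-run --json`, and a `block` finding would fail the publish job.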

Within hours, the leaked source was mirrored across thousands of GitHub repositories. Anthropic confirmed the incident stemmed from human error, pulled the affected package version, and issued DMCA takedown notices against the mirrors. The company said that no customer data or credentials were exposed. This marked the second major Anthropic source-exposure incident in two months, following the "Mythos" leak, which also happened in late March and revealed internal details about an unreleased powerful AI model intended for cybersecurity use cases.

Before this leak, threat actors had been running AI-themed malware lures since at least February 2026, cycling through fake tools and repositories to attract developer interest. The Claude Code source leak on March 31 provided a high-profile and timely lure, enabling operators to rapidly repurpose their already existing infrastructure. By April 1, within 24 hours of the leak, they pivoted to impersonating "leaked" Claude Code downloads, using the incident's visibility to accelerate distribution of their infostealer payloads. The campaign uses GitHub Releases as a trusted malware delivery channel, distributing large trojanized archives such as ClaudeCode_x64.7z containing Vidar v18.7 and GhostSocks proxy malware.

The leaked codebase itself exposed several unreleased features and internal mechanisms, including KAIROS, a persistent always-running autonomous daemon mode enabling Claude Code to operate as a background agent that proactively acts on things it notices, with a 15-second blocking budget per cycle. It also revealed an Undercover Mode module that prevents the AI from displaying certain behaviors. Beyond serving as a lure, the leaked source code introduces longer-term risks including vulnerability discovery, prompt injection blueprinting, and agentic attack surface exposure.

Trend Micro researchers who analyzed the campaign noted that the Claude Code bait is part of a broader rotating lure operation active since February 2026, impersonating more than 25 software brands while delivering the same Rust-compiled infostealer payload. The campaign abuses GitHub Releases as a trusted malware delivery channel, using large trojanized archives and disposable accounts to repeatedly evade takedowns. Organizations should only approve designated installation paths for AI developer tools and should actively detect and block malicious indicators.

This incident demonstrates that security compromise is not limited to software vulnerabilities: human factors and organizational control gaps often serve as catalysts for threats and are primary drivers of material impact. The rapid weaponization of the Claude Code leak within 24 hours underscores the speed at which attackers can pivot to exploit high-profile incidents, and highlights the need for organizations to apply governance as a control plane for agentic risk.

Synthesized by Vypr AI