Anthropic Did It Again
Five days after the CMS leak, a .map file exposed 512,000 lines of Claude Code source. Same company. Different boring system. Same answer.
Five days after a CMS misconfiguration exposed Claude Mythos to anyone paying attention, Anthropic shipped Claude Code version 2.1.88 to the npm registry with a 59.8MB source map file attached.
A source map is a debugging artifact. It maps minified or bundled production code back to the original source files, and it often embeds those files in full (the sourcesContent field). For a closed-source product it is not supposed to ship at all. It is exactly the kind of thing a pre-publish check in the build pipeline exists to catch.
Nobody caught it.
Chaofan Shou, a researcher at a blockchain security firm, found it Tuesday morning by inspecting the published npm package. The .map file pointed to a zip archive sitting in Anthropic’s own Cloudflare R2 storage bucket. He downloaded it. So did thousands of other people before Anthropic pulled it.
512,000 lines of TypeScript. Roughly 1,900 files. The full architecture of Claude Code, including things Anthropic had not announced.
Anthropic confirmed it. “This was a release packaging issue caused by human error, not a security breach.” Same statement, different system, five days later.
Here is what the source code actually revealed:
KAIROS. An autonomous daemon mode that lets Claude Code run in the background while you are idle, consolidating memory and merging observations without you watching. Not announced. Fully built.
Undercover Mode. A system specifically designed to prevent Anthropic’s internal codenames from leaking through Claude’s outputs. It did not prevent the source code from leaking through the build pipeline.
A virtual pet. Internally called Buddy. Seeded from your user ID. Species determined by a pseudorandom number generator. Shiny variants included. The word “duck” was encoded in hex to avoid internal content filters. I am not making this up.
The irony is not subtle. Anthropic built a subsystem to stop the AI from leaking internal information. Then shipped the entire source in a .map file that an outside researcher found in thirty seconds by opening the published package.
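The pre-publish check described above, written out as an added example. This is not Anthropic’s pipeline and not code from the original post; it assumes you point it at the directory npm pack would tar up (or at the unpacked tarball), and the package tree and bucket URL it builds for the demo are constructed, not real package contents.

```shell
#!/bin/sh
# Added example, not Anthropic's build pipeline: a pre-publish gate that refuses
# to ship an npm package tree that contains a source map, or JavaScript that
# points consumers at one. Run it on the directory `npm pack` would tar up
# (or on the unpacked tarball from `npm pack`).

# check_pkg_dir DIR  ->  exit 0 if clean, exit 1 with one FAIL line per finding.
check_pkg_dir() {
    dir="$1"
    findings=0

    # 1. A .map file anywhere in the tree. Whether it embeds the sources
    #    (sourcesContent) or only names them, it exposes the original layout.
    maps=$(find "$dir" -type f -name '*.map')
    for f in $maps; do
        echo "FAIL: source map staged for publish: ${f#"$dir"/}"
        findings=$((findings + 1))
    done

    # 2. A sourceMappingURL comment. The map itself may live off-package
    #    (a CDN or object-storage bucket); the comment still hands out its
    #    location, and a data: URL embeds the whole map inline.
    refs=$(grep -rlE '^//[#@] *sourceMappingURL=' \
              --include='*.js' --include='*.mjs' --include='*.cjs' "$dir" || true)
    for f in $refs; do
        url=$(grep -E '^//[#@] *sourceMappingURL=' "$f" | tail -n 1 | sed 's/^.*sourceMappingURL=//')
        echo "FAIL: ${f#"$dir"/} references a source map: $url"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}

# Constructed fixtures for the demo (not real package contents): one tree that
# repeats the packaging mistake, one that is clean. The bucket hostname is made up.
make_leaky_fixture() {
    mkdir -p "$1/dist"
    printf '{"name":"demo-cli","version":"0.0.1"}\n' > "$1/package.json"
    printf 'const a=1;\n//# sourceMappingURL=https://example-bucket.invalid/cli.js.map\n' > "$1/dist/cli.js"
    printf '{"version":3,"sources":["../src/index.ts"],"mappings":""}\n' > "$1/dist/cli.js.map"
}
make_clean_fixture() {
    mkdir -p "$1/dist"
    printf '{"name":"demo-cli","version":"0.0.1"}\n' > "$1/package.json"
    printf 'const a=1;\n' > "$1/dist/cli.js"
}

# Demo run. In a real pipeline: unpack `npm pack` output and call check_pkg_dir on it
# from a prepublishOnly script so a non-zero exit aborts the publish.
tmp=$(mktemp -d)
make_clean_fixture "$tmp/clean"
make_leaky_fixture "$tmp/leaky"
check_pkg_dir "$tmp/clean" && echo "clean tree: publish allowed"
check_pkg_dir "$tmp/leaky" || echo "leaky tree: publish blocked"
rm -rf "$tmp"
```

The second check matters more than the first: stripping the .map from the tarball while leaving the sourceMappingURL comment in the bundle still tells anyone who reads the file where the map is hosted. Wire the gate into prepublishOnly so a non-zero exit stops npm publish.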
The Interrogation
This is the second time this exact mistake happened. A nearly identical source map leak hit an earlier version of Claude Code in February 2025. Thirteen months later, same error, different version.
The question is not whether Anthropic can build sophisticated AI. They clearly can. The question is whether a company whose entire brand is built on responsible development has the operational discipline to match the sophistication of the product they are shipping.
Two significant accidental disclosures in five days. Both attributed to human error. Both in systems that are not the model layer. Both in the boring infrastructure nobody audited.
On the same morning the leak happened, a separate supply chain attack hit the axios npm package. Malicious versions carrying a Remote Access Trojan were live on the registry between 00:21 and 03:25 UTC on March 31. The compromised axios pulled in a dependency called plain-crypto-js version 4.2.1, and that package’s postinstall script delivered the RAT, so the payload ran at install time, not when the code was imported. This is unrelated to Anthropic, but the timing overlap creates real risk for anyone who ran an npm install in that window, including an update of Claude Code.
If you use Claude Code via the native installer or did not update on March 31, your risk here is informational, not operational. The leaked architecture gives competitors a blueprint. It does not give attackers access to your machine.
Try This Yourself (2 minutes)
If you updated Claude Code via npm on March 31, run these in the root of any project you installed into that morning. The grep matches the resolved tarball line in the lockfile; npm ls shows what is actually installed:
grep -E "axios.*(1\.14\.1|0\.30\.4)" package-lock.json
npm ls axios
Whether or not that returns a hit, check for the carrier package, both in the project and in your global npm tree, which is where an npm-installed Claude Code lives:
grep "plain-crypto-js" package-lock.json
npm ls -g plain-crypto-js
If you find it anywhere: treat that machine as compromised, because the postinstall script has already run. Wipe node_modules and the npm cache (npm cache clean --force), and rotate every API key and token that environment touched.
If you are clean, switch to Anthropic’s native installer going forward. That is their own recommendation.
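The same audit as a script, added here as an example that is not from the original post and is not an npm or Anthropic tool. It assumes the lockfile is in npm’s own pretty-printed v2/v3 layout (one key per line), and the two lockfiles it builds for the demo are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: audit for the axios indicators named in the post. Reads a
# package-lock.json (npm's lockfile v2/v3 layout, one key per line), lists every
# axios version in the tree including nested copies, flags the compromised ones,
# and checks for the postinstall carrier in the lockfile and on disk.

COMPROMISED_AXIOS="1.14.1 0.30.4"   # versions named in the post
CARRIER="plain-crypto-js"           # dependency whose postinstall dropped the RAT

# axios_versions LOCKFILE -> one resolved axios version per line
axios_versions() {
    awk '
        /"node_modules\/([^"]*\/)?axios": *[{]/ { in_axios = 1; next }
        in_axios && /"version":/ { v = $2; gsub(/[",]/, "", v); print v; in_axios = 0 }
    ' "$1"
}

# audit_lockfile LOCKFILE -> exit 0 if clean, exit 1 with a HIT line per indicator
audit_lockfile() {
    lock="$1"
    hit=0
    for v in $(axios_versions "$lock"); do
        for bad in $COMPROMISED_AXIOS; do
            [ "$v" = "$bad" ] && { echo "HIT: axios@$v in $lock"; hit=1; }
        done
    done
    if grep -qE "\"node_modules/([^\"]*/)?$CARRIER\"" "$lock"; then
        echo "HIT: $CARRIER in $lock (its postinstall ran if node_modules was installed from it)"
        hit=1
    fi
    [ "$hit" -eq 0 ]
}

# audit_installed DIR -> what is on disk is what actually ran postinstall.
# Use it on a project and on "$(npm root -g)" for the global tree.
audit_installed() {
    found=$(find "$1" -path "*/node_modules/$CARRIER/package.json" 2>/dev/null)
    for pj in $found; do echo "HIT: installed at $pj"; done
    [ -z "$found" ]
}

# Constructed fixtures (not real lockfiles): one tree that pulled the bad axios
# and its carrier, one that stayed on an older axios plus an unrelated axios-retry.
make_bad_lock() {
    cat > "$1" <<'EOF'
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "axios": "^1.14.0" } },
    "node_modules/axios": {
      "version": "1.14.1",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      "dependencies": { "plain-crypto-js": "4.2.1" }
    },
    "node_modules/plain-crypto-js": {
      "version": "4.2.1",
      "hasInstallScript": true
    },
    "node_modules/some-lib/node_modules/axios": {
      "version": "1.7.9"
    }
  }
}
EOF
}
make_clean_lock() {
    cat > "$1" <<'EOF'
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "node_modules/axios": {
      "version": "1.7.9"
    },
    "node_modules/axios-retry": {
      "version": "4.5.0"
    }
  }
}
EOF
}

# Demo on the constructed fixtures. On a real machine:
#   audit_lockfile ./package-lock.json; audit_installed .; audit_installed "$(npm root -g)"
tmp=$(mktemp -d)
make_bad_lock "$tmp/bad-lock.json"
make_clean_lock "$tmp/clean-lock.json"
audit_lockfile "$tmp/clean-lock.json" && echo "clean lockfile: no indicators"
audit_lockfile "$tmp/bad-lock.json" || echo "bad lockfile: treat this environment as compromised"
rm -rf "$tmp"
```

One more place to look after wiping node_modules: the npm content cache keeps an index of every tarball it fetched, so grep -rl plain-crypto-js ~/.npm/_cacache/index-v5 tells you whether the carrier was ever downloaded on that machine even if the tree is gone. A hit there means the postinstall almost certainly ran somewhere; treat it the same way.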
Operator Verdict
WATCH: The leak does not affect Claude Code’s functionality. The tool still works. But every competitor now has a blueprint for how Anthropic built its most important product. If you are building in this space, read the source. It is publicly mirrored.
ACT NOW: If you updated Claude Code via npm on March 31 between 00:21 and 03:25 UTC, run the check above today. The axios supply chain attack is the real operational risk here.
ADOPT: Anthropic’s native installer over npm going forward. If you want to track what Anthropic ships without digging through release notes, I keep running notes at claudehq.app.
Find everything at aifrankly.com
Are we having fun yet!



