Anthropic Code Leak on npm Exploited to Spread Malware, Security Researchers Warn

Last updated: April 13, 2026
  • Anthropic accidentally leaked Claude Code’s source code through a packaging error on npm.

  • Hackers quickly weaponized the leak to spread Vidar Stealer and GhostSocks malware.

  • The exposed code revealed secret features like “Undercover Mode” and anti-distillation tricks.

Anthropic made a costly human error last week. The AI company accidentally leaked its own Claude Code source code online.

The leak happened through a simple npm packaging mistake, giving hackers free access to their model’s training data and other things that have no business being public.

Why Claude Code’s Source Code Got Exposed

Anthropic released version 2.1.88 of Claude Code on npm. The package contained a source map file that exposed nearly 2,000 TypeScript files. That’s over 512,000 lines of internal code.

The company confirmed it was human error. “No sensitive customer data or credentials were involved,” a spokesperson told CNBC News. Anthropic is now rolling out measures to prevent this from happening again.
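The packaging error described above comes down to a source map shipping inside the published package. As an added example (not Anthropic's code or tooling), here is a pre-publish audit in Node.js that flags source maps carrying original sources, whether as `.map` files or inlined into JavaScript; the function names, finding labels and sample package contents are constructed for illustration.

```javascript
// Added example: pre-publish audit for source maps that embed original sources.
// `files` maps package-relative paths to file contents; all names are illustrative.

// Count non-empty sourcesContent entries, recursing into indexed maps ("sections").
function countEmbeddedSources(map) {
  if (!map || typeof map !== "object") return 0;
  let n = 0;
  if (Array.isArray(map.sourcesContent)) {
    n += map.sourcesContent.filter((s) => typeof s === "string" && s.length > 0).length;
  }
  for (const sec of Array.isArray(map.sections) ? map.sections : []) {
    n += countEmbeddedSources(sec && sec.map);
  }
  return n;
}

function parseJson(text) {
  try { return JSON.parse(text); } catch { return null; }
}

// Inline maps look like: //# sourceMappingURL=data:application/json;...;base64,<payload>
const INLINE_MAP = /\/[/*][#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+/=]+)/g;

function auditPackage(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      const map = parseJson(content);
      const embedded = countEmbeddedSources(map);
      // Fail closed on maps that do not parse; path-only maps still leak file names.
      const kind = map === null ? "unparseable-map"
        : embedded > 0 ? "map-with-sources" : "map-paths-only";
      findings.push({ path, kind, embedded });
    } else if (/\.[cm]?js$/.test(path)) {
      for (const m of content.matchAll(INLINE_MAP)) {
        const map = parseJson(Buffer.from(m[1], "base64").toString("utf8"));
        const embedded = countEmbeddedSources(map);
        if (embedded > 0) findings.push({ path, kind: "inline-map-with-sources", embedded });
      }
    }
  }
  return findings;
}

// Constructed sample package contents (not from any real package).
const inline = Buffer.from(JSON.stringify({ version: 3, sources: ["b.ts"], sourcesContent: ["let b = 2;"], mappings: "" })).toString("base64");
const SAMPLE = {
  "cli.js.map": JSON.stringify({ version: 3, sources: ["a.ts", "c.ts"], sourcesContent: ["const a = 1;", null], mappings: "" }),
  "lib/b.js": "let b=2;\n//# sourceMappingURL=data:application/json;base64," + inline + "\n",
  "lib/d.js.map": JSON.stringify({ version: 3, sources: ["d.ts"], mappings: "" }),
};
console.log(auditPackage(SAMPLE));
```

In a release pipeline, `files` would be built from the paths that `npm pack --dry-run` lists, and any `map-with-sources`, `inline-map-with-sources` or `unparseable-map` finding should fail the job.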

Security researcher Chaofan Shou was actually the first to notice the leak and shared it on X. His post’s gone viral, pulling in more than 28.8 million views. The leaked codebase is now up on GitHub, open to everyone, and it’s got over 84,000 stars already.

Leaked Code Reveals Interesting Things About Claude Code

Developers have been digging through the exposed code. They found some fascinating internal features.

Claude Code has a “self-healing memory architecture” that works around the model’s fixed context window. There’s also a multi-agent orchestration system that spawns “sub-agents” to handle complex tasks.

The most intriguing find is “Undercover Mode.” This feature lets Claude make “stealth” contributions to open-source repositories. The system prompt explicitly says: “You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.”

Anthropic also built anti-distillation controls that inject fake tool definitions into API requests. This poisons training data if competitors try to scrape Claude Code’s outputs.

Hackers Strike Immediately

The leak gave bad actors a blueprint for breaking Claude Code’s guardrails. AI security firm Straiker believes that with the leaked source code, attackers can now study exactly how data flows through its four-stage context management pipeline.

But the more immediate danger came from typosquat attacks. A user named “pacifier136” published five fake npm packages like “audio-capture-napi” and “url-handler-napi.” These empty stubs could turn malicious anytime.

Security researcher Clément Dumas explained the tactic on X: “Right now they’re empty stubs, but that’s how these attacks work – squat the name, wait for downloads, then push a malicious update.”

The situation got even worse. Zscaler found threat actors seeding trojanized Claude Code versions with backdoors and data stealers. One fake leak repository tricks users into running a Rust-based dropper that deploys Vidar Stealer and GhostSocks.

Vidar Stealer grabs credentials and crypto wallets. GhostSocks proxies network traffic for attackers. It’s the same payload combo seen in a March “OpenClaw Windows” campaign.

Trend Micro says cybercriminals are now using GitHub Releases as a sneaky way to spread malware. They put together huge archives stuffed with trojans, and they use disposable accounts so they don’t get shut down right away. This trick lets them slip past most security teams and keep doing their thing.

What You Should Do Now

If you installed or updated Claude Code via npm on March 31 between 00:21 and 03:29 UTC, you just got a trojanized HTTP client containing a remote access trojan.

Downgrade to a safe version immediately. Rotate all your secrets and credentials. And be very careful about any “official-looking” Claude Code forks on GitHub.

The Target source code sale on the dark web serves as a stark reminder that leaked or stolen code can have long-lasting consequences. Attackers study it for vulnerabilities, sell it to other criminals, and use it to plan future attacks, making source code protection a critical priority for every company.

About the Author

Joahn G

Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
