On March 31, 2026, Anthropic accidentally exposed ~500,000 lines of Claude Code’s internal source code via a misconfigured npm package. A separate, concurrent supply-chain attack on the axios npm package also occurred. No user data or API credentials were leaked, but developers who updated Claude Code via npm during a specific time window may be at risk.
Actions to take now:
- Check your npm install time
- Audit your package lockfile for malicious axios versions
- Rotate your Anthropic API key
- Switch to the native Claude Code installer.
Lets dive deeper!
What Happened, in Plain English
If you use Claude Code — Anthropic’s AI-powered coding assistant — you’ve probably seen the news. On March 31, 2026, a routine update to the Claude Code npm package accidentally shipped with a debugging file that pointed directly to the full source code of the tool, sitting on Anthropic’s own cloud storage with no access controls.
Within hours, a security researcher named Chaofan Shou spotted the exposed file and shared it publicly. The code was quickly mirrored to GitHub, forked tens of thousands of times, and is now permanently in the public domain — DMCA takedowns notwithstanding.
Anthropic confirmed the incident and attributed it to human error in the release packaging process, not a cyberattack. The company stated that no customer data or credentials were involved.
However, there is a second, more directly dangerous incident that overlapped with the leak: a supply-chain attack on the axios npm package, which is a dependency that Claude Code uses. This is where the real, immediate risk for everyday users lies.
This article walks you through everything you need to do, step by step, in order of urgency.
🔑 Key Takeaways
- This was a packaging error, not a hack — no model weights, user data, or credentials were exposed.
- A concurrent axios npm supply-chain attack (separate incident) is the real user-facing threat.
- The leaked source code reveals unreleased features and product roadmap details.
- Anthropic confirmed the incident and is rolling out measures to prevent recurrence.
- Claude Code’s core functionality remains safe to use after following the steps in this guide.
Understanding What Is (and Isn’t) at Risk
What Was NOT Exposed
- Your API keys or credentials
- Any user data or conversation history
- The underlying Claude AI model weights
- Anthropic’s server infrastructure or cloud systems
What WAS Exposed
- ~500,000 lines of Claude Code’s TypeScript source code
- Internal feature flags for unreleased capabilities
- Product roadmap details competitors can now study
- The internal architecture and orchestration logic of Claude Code
The Concurrent Axios Supply-Chain Attack (Your Biggest Risk)
Separate from the source code leak, a malicious version of the axios npm package appeared in the public registry between 00:21 and 03:29 UTC on March 31, 2026.
Axios is a widely used HTTP library that Claude Code depends on. The malicious versions (1.14.1 and 0.30.4) contain a Remote Access Trojan (RAT) that can compromise your local machine.
|
Immediate Steps to Take — In Order of Priority
Step 1: Check Whether You Are in the Risk Window
The first thing to determine is whether you updated Claude Code during the affected time window. Here’s how to check:
- Open your terminal.
- Run the following command to see when your Claude Code package was last modified:
| # Check install timestamp
ls -la $(npm root -g)/@anthropic-ai/claude-code # Or check your local project ls -la node_modules/@anthropic-ai/claude-code |
- If the timestamp falls between 00:21 UTC and 03:29 UTC on March 31, 2026, proceed immediately to Step 2.
- If you updated outside this window or have not updated recently, you are not affected by the axios attack — but still follow Steps 3 and 4 as good hygiene.
Step 2: Audit Your Package Lockfile for the Malicious Axios Versions
If you were in the risk window — or if you want to be safe regardless — check whether the malicious axios versions are present in your project:
- Open your package lockfile. Depending on your package manager, this will be package-lock.json (npm), yarn.lock (Yarn), or bun.lockb (Bun).
- Search for the following version strings:
| # Search for malicious axios versions
grep -r “axios” package-lock.json | grep -E “1\.14\.1|0\.30\.4” # Also check for the malicious dependency grep -r “plain-crypto-js” package-lock.json yarn.lock |
- If either of these versions appear — or if plain-crypto-js appears — you have a compromised environment. Treat your machine as potentially compromised and take the following actions:
- Do not run further npm installs or any code from the affected project.
- Immediately rotate any credentials or API keys that were accessible from that machine (see Step 3).
- Run a security scan using your preferred tool (e.g., npm audit, Snyk, or your organization’s security tooling).
- Consider isolating the machine from your network until it has been inspected.
Step 3: Rotate Your Anthropic API Key
Even though Anthropic confirmed that no API keys were directly exposed in either incident, rotating your key is a recommended precaution — especially if you were in the risk window or if your machine may have been compromised by the axios attack.
- Go to the Anthropic Developer Console at console.anthropic.com.
- Navigate to API Keys in your account settings.
- Create a new API key.
- Update your environment variables, .env files, or any CI/CD secrets with the new key.
- Delete or revoke the old API key.
- Monitor your API usage dashboard for any anomalous activity over the next few days.
| 💡 Good Practice
While you’re in the console, take a moment to review your API usage logs. Look for any unusual call volumes, unexpected model usage, or activity at unexpected times. This is especially worth doing if your key was used in an automated pipeline. |
Step 4: Uninstall the npm Version and Switch to the Native Installer
The npm distribution of Claude Code is the channel through which both the source code leak and the axios attack occurred. Anthropic now recommends using their native installer instead. Here’s how to make the switch:
- Uninstall the npm version:
| npm uninstall -g @anthropic-ai/claude-code |
- Visit anthropic.com/claude-code and download the native installer for your operating system.
- Verify the installer’s checksum if one is provided.
- Install and test that Claude Code works correctly with your new API key.
If you must continue using npm for workflow reasons, pin your installation to a verified safe version:
| # Pin to last known safe version
npm install -g @anthropic-ai/claude-code@2.1.86 |
Step 5: Adopt a Zero-Trust Posture for Claude Code in New Environments
Now that Claude Code’s internal architecture, hook orchestration logic, and permission system are publicly known, attackers can craft malicious repositories specifically designed to exploit Claude Code’s behavior. Going forward:
- Never run Claude Code inside a freshly cloned or untrusted repository without manually inspecting the .claude/config.json file and any custom hooks defined within it.
- Treat any repository that defines Claude Code hooks as code that will run with your permissions — review it the same way you would review a shell script.
- Be especially cautious with MCP server configurations inside repositories. The leaked code revealed the exact orchestration logic for MCP servers, which attackers can now study to craft more convincing malicious setups.
- If you use Claude Code in CI/CD pipelines, audit your pipeline configuration and ensure API keys are stored securely with minimal required permissions.
What the Leaked Source Code Actually Revealed
While the security steps above are the priority, it is worth understanding what was in the leaked code — both for context and because some of it is genuinely interesting.
Unreleased Features in the Code
Researchers who reviewed the leaked source identified several feature flags for capabilities that are fully built but not yet publicly available:
- Session Memory: The ability for Claude to review what it did in its most recent session and carry forward learnings to the next conversation — a significant step toward persistent memory.
- Persistent Background Mode: A mode that keeps Claude Code running and working even when the user is idle or has stepped away.
- Remote Access: The ability to control Claude Code from a mobile phone or a different browser, which has reportedly already been partially rolled out.
Anti-Distillation Mechanisms
The leaked code contains a feature called ANTI_DISTILLATION_CC — a mechanism that injects fake tools into Claude’s context to make it harder for third parties to distill or replicate Claude Code’s behavior by studying its API calls. This is an active countermeasure against competitors who might try to reverse-engineer Claude Code’s capabilities by observing its outputs.
Evidence of Capybara (the Next Major Model)
The leaked code provided further confirmation that Anthropic is preparing to launch a new model internally called Capybara — a tier above Opus that is expected to come in fast and slow variants, with a significantly larger context window. This aligns with the earlier CMS leak from March 26.
Why This Keeps Happening
This is not the first time Claude Code’s source code has been exposed in this way. A nearly identical source map leak occurred in February 2025. The root cause on both occasions appears to be the same type of error: a debugging artifact (a source map file) being accidentally included in a production npm package.
The specific mechanism this time involves Bun, the JavaScript runtime that Anthropic acquired at the end of 2025 and that Claude Code is built on. A known Bun bug — reported on March 11 and still open at the time of the incident — causes source maps to be served even in production mode. Whether this bug was the direct cause is being investigated, but the overlap is notable.
The broader lesson, as software engineer Gabriel Anhaia noted in his analysis, is that a single misconfigured .npmignore or files field in a package.json can expose everything. For a company of Anthropic’s scale, shipping the same class of packaging error twice is a release hygiene problem that requires process fixes, not just technical ones.
FAQ
Q: Was my Claude.ai account or conversation data affected?
A: No. Anthropic confirmed that no user data, conversation history, or credentials were exposed in either incident. This was a source code packaging error, not a breach of Anthropic’s servers or user-facing systems.
Q: Do I need to change my Claude.ai password?
A: No, not unless you use the same password elsewhere and practice good password hygiene as a general rule. This incident did not expose account passwords.
Q: Should I stop using Claude Code entirely?
A: No. Once you have followed the steps above — especially rotating your API key and switching to the native installer — Claude Code is safe to continue using. The core functionality is unaffected.
Q: What is a source map and why did it cause this?
A: A source map is a debugging file that maps minified, bundled production code back to the original human-readable source code. It is invaluable during development but should never be included in a production release. Including it in Claude Code’s npm package was the error that made the source code accessible to anyone who downloaded the update.
Q: Why is the leaked code still available online despite DMCA takedowns?
A: Once code is published to GitHub and forked tens of thousands of times, the copies spread faster than takedowns can remove them. This is a well-known limitation of DMCA enforcement in the open-source ecosystem.
Q: What is the Capybara model and when will it be released?
A: Capybara is Anthropic’s internal codename for an upcoming model that appears to be a tier above the current Opus. Details emerged from both the March 26 CMS leak and the March 31 source code leak. Anthropic has not announced an official release date.
Related Posts
Anthropic Code Leak Explained: What Was Exposed, How It Happened, and Why It Matters
Trump vs Anthropic: The Real Reason Behind the US Government AI Ban
Anthropic Launches Claude Sonnet 4.6 with stronger coding and 1Million Token Context Window
Anthropic Opens Bengaluru Office as India Emerges as Claude’s No.2 Market
