Anthropic shipped a source map in its Claude Code npm package, exposing 512,000 lines of code
On March 31, 2026, Anthropic published version 2.1.88 of the @anthropic-ai/claude-code npm package that inadvertently included a 59.8 MB JavaScript source map file (cli.js.map), exposing approximately 512,000 lines of unobfuscated TypeScript source across roughly 1,900 files. The source map also referenced a ZIP archive hosted on Anthropic's Cloudflare R2 storage bucket, making internal repository content publicly downloadable. Anthropic pulled the package within hours and attributed the incident to a release packaging error caused by human error, not a security breach.
A 59.8 MB source map file accidentally bundled into a public npm package handed the world 512,000 lines of Anthropic's own source code on every install.
Key facts
- What: On March 31, 2026, Anthropic published version 2.1.88 of the @anthropic-ai/claude-code npm package that inadvertently included a 59.8 MB JavaScript source map file (cli.js.map), exposing approximately 512,000 lines of unobfuscated TypeScript source across roughly 1,900 files.
- Incident date: Mar 31, 2026
- Who: Anthropic
- Failure mode: Data Leakage
- AI surface: Code Assistant
- Severity: High
What happened
On March 31, 2026, Anthropic released version 2.1.88 of the @anthropic-ai/claude-code npm package that included a 59.8 MB source map file (cli.js.map) containing approximately 512,000 lines of readable, commented TypeScript source across roughly 1,900 files. Security researcher Chaofan Shou spotted the exposure and posted about it on X, where the post accumulated over 21 million views. Within hours, the leaked code was mirrored across multiple GitHub repositories, revealing internal feature flags, unreleased capabilities such as KAIROS and Undercover Mode, internal model codenames, and the full bash security validation architecture. Anthropic pulled the npm package within hours and issued a statement calling it a release packaging issue caused by human error, then began filing DMCA takedowns against GitHub mirrors.
What broke inside the model
- 01 · Trigger: A request triggers retrieval or context loading.
- 02 · Model step: The context pulls in another user's content.
- 03 · Control gap: No boundary enforces isolation at the moment of output.
- 04 · Failure: Private data crosses into the response.
- 05 · Consequence: One user sees another's data, and disclosure follows.

One user's content crosses the retrieval boundary into another's response.
The Bun build tooling used by Anthropic generates source maps by default, and the release team failed to add a *.map exclusion to the .npmignore file or restrict the files field in package.json. The resulting cli.js.map file contained a sourcesContent JSON array embedding every original TypeScript source file, and it referenced a ZIP archive on Anthropic's internal Cloudflare R2 bucket that anyone with the URL could download. Without a build-time check to strip debug artifacts before publishing, the entire internal codebase traveled through the standard npm publish pipeline into the public registry.
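The build-time check described above, as an added example that is not Anthropic's tooling or part of the original entry: a pre-publish script that refuses to ship debug artifacts and reports what a leaked source map would expose (embedded `sourcesContent` and any absolute URL in `sources` or `sourceRoot`). It assumes the publish file list is produced by `npm pack --dry-run --json`; the file list and the source map below are constructed samples, not the real cli.js.map.

```javascript
// Added example (not Anthropic's code): pre-publish guard against shipping
// source maps. The file list is assumed to come from `npm pack --dry-run --json`;
// all sample data below is constructed for illustration.

// Debug artifacts that should never reach a public registry.
const DEBUG_ARTIFACT_PATTERNS = [/\.map$/i, /\.tsbuildinfo$/i];

// Return the subset of the publish file list that matches a debug-artifact pattern.
function findDebugArtifacts(files) {
  return files.filter((f) => DEBUG_ARTIFACT_PATTERNS.some((p) => p.test(f)));
}

// Count source lines without treating a trailing newline as an extra line.
function countLines(text) {
  const n = text.split('\n').length;
  return text.endsWith('\n') ? n - 1 : n;
}

// Audit a parsed Source Map v3 object for the two exposures described above:
// embedded original sources (sourcesContent) and references to external storage.
function auditSourceMap(map) {
  const findings = [];
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];

  const embedded = contents.filter((c) => typeof c === 'string' && c.length > 0);
  if (embedded.length > 0) {
    findings.push({
      kind: 'sourcesContent',
      files: embedded.length,
      lines: embedded.reduce((sum, c) => sum + countLines(c), 0),
    });
  }

  // Absolute URLs in sources/sourceRoot point at storage outside the package.
  const urlRe = /^https?:\/\//i;
  const external = sources.filter((s) => urlRe.test(s));
  if (typeof map.sourceRoot === 'string' && urlRe.test(map.sourceRoot)) {
    external.push(map.sourceRoot);
  }
  if (external.length > 0) {
    findings.push({ kind: 'externalReference', refs: external });
  }
  return findings;
}

// Combine both checks; `maps` maps an artifact file name to its parsed source map.
function runPrepublishCheck(files, maps) {
  const artifacts = findDebugArtifacts(files);
  const findings = {};
  for (const name of artifacts) {
    if (maps[name]) findings[name] = auditSourceMap(maps[name]);
  }
  return { ok: artifacts.length === 0, artifacts, findings };
}

// Constructed sample: a package whose .npmignore lacks a *.map exclusion.
const SAMPLE_FILES = ['package.json', 'README.md', 'cli.js', 'cli.js.map'];

// Constructed sample map (hypothetical contents, not the real cli.js.map).
const SAMPLE_MAPS = {
  'cli.js.map': {
    version: 3,
    file: 'cli.js',
    sources: ['src/index.ts', 'src/util.ts', 'https://bucket.example/internal-snapshot.zip'],
    sourcesContent: ['export const a = 1;\nconsole.log(a);\n', 'export function b() {}\n', null],
    mappings: 'AAAA',
  },
};

const report = runPrepublishCheck(SAMPLE_FILES, SAMPLE_MAPS);
console.log(JSON.stringify(report, null, 2));
```

In a real pipeline this would run as the package's `prepublishOnly` script, feed it the `files` array from `npm pack --dry-run --json`, and exit non-zero whenever `ok` is false; the check is a backstop, and the root-cause fix remains an explicit `files` allowlist in package.json (or a `*.map` line in .npmignore) so the artifact is never staged in the first place.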
What it cost
Sources
Cite this entry
AI Failure Index. "Anthropic shipped a source map in its Claude Code npm package, exposing 512,000 lines of code" (FI-0099). Realm Labs. https://failureindex.ai/failures/anthropic-shipped-source-map-claude-code (indexed Jun 4, 2026).
Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0099. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
- AI Detection & Response (AIDR)
Realm can detect when a response is about to emit data that falls outside the bounds of the current user and context, and block or redact it inline, at the moment of generation rather than after the data has left.