Anthropic confirmed on Tuesday that internal source code for its popular AI coding assistant, Claude Code, was inadvertently published to the npm package registry as a result of a human error during a packaging process. The company moved quickly to remove the affected package versions and stated that no sensitive customer data or credentials were included in the exposed code.
What Happened
According to Anthropic, a packaging error caused proprietary source files — intended to remain internal — to be bundled with and published as part of a public npm package associated with the Claude Code toolchain.
"No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson confirmed in a statement.
The files that were unintentionally published appear to have included internal source code for the Claude Code assistant. Once identified, Anthropic unpublished the affected package versions from npm and began an internal review.
| Attribute | Details |
|---|---|
| Company | Anthropic |
| Product | Claude Code (AI coding assistant) |
| Incident Type | Accidental source code disclosure |
| Vector | npm package — human packaging error |
| Data Exposed | Internal source code only |
| Customer Data Exposed | None confirmed |
| Credentials Exposed | None confirmed |
| Disclosed | April 1, 2026 |
Scope of the Exposure
Anthropic's public statement describes the exposure as limited to source code rather than operational secrets, API keys, or user data. This distinction matters for assessing the downstream risk:
- What was exposed: Internal implementation code for Claude Code features
- What was NOT exposed: Customer conversation data, API keys, user credentials, private model weights, or infrastructure configuration
The code was accessible on npm — which is publicly indexed by package mirrors, caching services, and security scanners — for a window of time before removal. It is not confirmed whether third parties downloaded or archived the package contents before Anthropic acted.
Technical Background: How This Happens
npm packaging errors of this type are a known category of developer supply chain risk. Common causes include:
.npmignore / files Field Misconfiguration
When publishing a Node.js package, the content included in the tarball is controlled by:
The "files" field in package.json, an explicit include list:

```json
{
  "files": ["dist/", "lib/", "README.md"]
}
```

Or via a .npmignore file (similar to .gitignore). If these are misconfigured, the npm pack or npm publish command will bundle everything in the directory that isn't otherwise excluded — including source files, internal scripts, and development configurations.
```shell
# Check what would be published before running npm publish
npm pack --dry-run
```

The Risk of Accidental Exposure
Even a brief window of public availability is significant because:
- npm packages are indexed by mirrors (unpkg, jsDelivr, Verdaccio caches)
- Automated security scanners and threat intelligence platforms often archive package contents on publish
- Package diffing tools used by supply chain security vendors may retain copies
- Malicious actors actively monitor npm for newly published packages from known organizations
Implications for the AI Tools Ecosystem
While Anthropic has confirmed no customer data was exposed, the incident raises several discussion points for the broader AI developer tooling ecosystem:
Proprietary AI Tool Code
As AI coding assistants become deeply integrated into development workflows, the source code of these tools — including how they interface with models, handle prompts, and manage context — has significant competitive and security value. Accidental disclosure of this code could:
- Reveal implementation details that could inform adversarial techniques (e.g., prompt injection patterns specific to the tool's architecture)
- Expose internal APIs or interfaces not intended for public use
- Provide insight into how Claude Code processes code context for transmission to the model
Supply Chain Trust
Incidents like this underscore that even well-resourced AI companies are subject to the same operational security risks as any software organization. Users and enterprises that rely on Claude Code as a development dependency should:
- Review their dependency scanning tooling to detect unexpected source file exposure
- Ensure Claude Code is pinned to a known-good version and updated through verified channels
- Consider how sensitive code contexts sent to AI coding assistants are handled
Anthropic's Response
Anthropic responded promptly once the issue was identified:
- Removed affected npm package versions from the public registry
- Issued a public statement confirming the nature of the error and scope of exposure
- Initiated an internal review of packaging processes to prevent recurrence
The company's transparency in disclosing the incident and characterizing it as a human error — rather than a security breach of external origin — is consistent with responsible disclosure practices.
Recommended Actions for Claude Code Users
For organizations using Claude Code as part of their development toolchain:
- Update to the latest Claude Code version from official Anthropic channels
- Verify package integrity using npm's built-in provenance or npm audit
- Check your dependency lock files to ensure no unexpected package versions are pinned
- Review your software composition analysis (SCA) tooling to flag any anomalies related to this incident
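```shell
# Check installed dependencies for known vulnerabilities
npm audit
# Verify registry signatures and provenance attestations of installed packages
npm audit signatures
# Show which Claude Code version is actually installed
npm ls @anthropic-ai/claude-code
# Install the latest release; the resolved version is recorded in package-lock.json
npm install @anthropic-ai/claude-code@latest
```

Broader Lessons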
This incident serves as a reminder of best practices for publishing npm packages from any organization:
```shell
# Always dry-run before publishing to inspect what will be included
npm pack --dry-run
# Build the tarball locally (a dry run writes no file) and review its contents
npm pack
tar -tzf <package-name>.tgz
# Use the "files" field in package.json to explicitly whitelist what ships
# Never rely solely on .npmignore for exclusions in sensitive repos
```

Automated CI/CD pipelines that publish npm packages should include a packaging review step that validates the tarball contents before any publish command runs in production.
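A packaging review step of the kind described above could look like the following. This is an added example, not code from Anthropic or the original article; the allowlist mirrors the "files" example earlier on this page, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to publish an npm tarball that contains files
# outside an explicit allowlist. Function names are hypothetical.

# is_allowed PATH -> exit 0 if PATH (relative to the package root) may ship.
is_allowed() {
  case "$1" in
    package.json|README.md|LICENSE) return 0 ;;  # files npm always adds
    dist/*|lib/*) return 0 ;;                    # the "files" include list
    *) return 1 ;;
  esac
}

# unexpected_files TARBALL -> prints each disallowed path, one per line.
unexpected_files() {
  listing=$(tar -tzf "$1") || return 2           # unreadable or missing tarball
  # npm tarballs place every entry under a top-level "package/" directory.
  printf '%s\n' "$listing" | sed 's|^package/||' | while IFS= read -r path; do
    case "$path" in ''|*/) continue ;; esac      # skip directory entries
    is_allowed "$path" || printf '%s\n' "$path"
  done
}

# check_tarball TARBALL -> 0 if clean, 1 if unexpected files, 2 on tar error.
check_tarball() {
  bad=$(unexpected_files "$1") || return 2
  if [ -n "$bad" ]; then
    printf 'refusing to publish, unexpected files:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# CI usage sketch (assumes npm pack prints the tarball name on its last line):
#   tarball=$(npm pack | tail -n 1)
#   check_tarball "$tarball" && npm publish "$tarball"
```

Publishing the exact tarball that passed the check, rather than re-running a bare npm publish, keeps the reviewed artifact and the shipped artifact identical.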
Source: The Hacker News — April 1, 2026