On March 31, a significant security oversight by Anthropic led to the accidental release of a 59.8 MB source map file in version 2.1.88 of the @anthropic-ai/claude-code npm package. This incident exposed 512,000 lines of unobfuscated TypeScript code across 1,906 files. The leaked code included a comprehensive permission model, all bash security validators, 44 unreleased feature flags, and details of upcoming models not yet announced by Anthropic. Security researcher Chaofan Shou publicly shared this discovery on X at around 4:23 UTC, and it quickly spread to mirror repositories on GitHub.
Anthropic confirmed the leak resulted from human error during packaging, though they clarified that no customer data or model weights were compromised. Despite efforts to contain the situation, the damage was already done. The Wall Street Journal reported that Anthropic filed copyright takedown requests, which temporarily removed more than 8,000 copies and adaptations of the code from GitHub. However, an Anthropic spokesperson explained to VentureBeat that the takedown’s scope was intended to be narrower: “We issued a DMCA takedown against one repository hosting leaked Claude Code source code and its forks. The repo named in the notice was part of a fork network connected to our own public Claude Code repo, so the takedown reached more repositories than intended. We retracted the notice for everything except the one repo we named, and GitHub has restored access to the affected forks.”
Meanwhile, developers have been using other AI tools to replicate the functionality of Claude Code in various programming languages, with these new versions gaining rapid circulation. The situation was further complicated by the release of malicious versions of the axios npm package, which contained a remote access trojan, coinciding with the source map leak. Teams that updated or installed Claude Code via npm between 00:21 and 03:29 UTC on March 31 might have inadvertently downloaded both the exposed source and the axios malware during this timeframe.
According to a Gartner First Take published the same day, the gap between Anthropic’s product capabilities and operational discipline highlights the need for leaders to reconsider their evaluation criteria for AI development tool vendors. Claude Code is a widely discussed AI coding agent among Gartner’s software engineering clients. This incident marks the second leak within five days; a separate CMS misconfiguration had already revealed nearly 3,000 unpublished internal assets, including draft announcements for a model named Claude Mythos. Gartner views these March incidents as indicative of a systemic issue.
Insights from 512,000 lines of code on AI agent architecture
The leaked code is not merely a chat wrapper; it is the framework that allows Claude’s language model to utilize tools, manage files, execute bash commands, and orchestrate multi-agent workflows. The WSJ compared this harness to a rider guiding a horse, enabling users to control and direct AI models. Fortune reported that competitors and numerous startups now possess a detailed blueprint to duplicate Claude Code’s features without the need for reverse engineering.
The components are detailed: a 46,000-line query engine manages context through three-layer compression and orchestrates over 40 tools, each with its own schema and permission checks. Additionally, 2,500 lines of bash security validation perform 23 checks on shell commands, addressing issues like blocked Zsh builtins and IFS null-byte injection discovered during a HackerOne review.
Gartner highlighted an often-overlooked detail: 90% of Claude Code is AI-generated, according to Anthropic’s public disclosures. Under current U.S. copyright law, which requires human authorship, this diminishes the code’s intellectual property protection. The Supreme Court chose not to revisit the human authorship standard in March 2026, leaving unresolved IP exposure for organizations shipping AI-generated code.
Three vulnerabilities made more accessible by the readable source
The already minified bundle allowed extraction of every string literal, but the readable source removes the need for extensive research. A technical analysis by Straiker’s Jun Zhou outlined three now-practical attack paths due to the clear implementation.
Context poisoning through the compaction pipeline. Claude Code manages context pressure with a four-stage cascade. MCP tool results are never microcompacted, and read tool results bypass budgeting. The autocompact prompt tells the model to keep all user messages not related to tool results. A malicious instruction in a cloned repository’s CLAUDE.md file can survive compaction, be summarized, and emerge as a genuine user directive. The model isn’t jailbroken; it follows what it perceives as legitimate instructions.
Sandbox bypass through shell parsing differences. Three separate parsers handle bash commands, each with unique edge-case behavior. The source notes a gap where one parser treats carriage returns as word separators, unlike bash. Alex Kim’s review found early-allow decisions that bypass all subsequent checks, with explicit warnings about past exploitability.
The composition. Context poisoning instructs a cooperative model to create bash commands exploiting security validator gaps. The defender’s mental model assumes an adversarial model and cooperative user, but this attack flips both assumptions. The model is cooperative, the context weaponized, and outputs resemble commands a developer might approve.
Elia Zaitsev, CTO of CrowdStrike, highlighted the permission problem revealed by the leak as a common issue across enterprises deploying agents. He advised against giving an agent unrestricted access, emphasizing the need for a narrow scope. Zaitsev warned that open-ended coding agents are risky due to their broad access capabilities. “People want to give them access to everything. If you’re building an agentic application in an enterprise, you don’t want to do that. You want a very narrow scope,” he stated.
He further explained the core risk: “You may trick an agent into doing something bad, but nothing bad has happened until the agent acts on that,” which aligns with the Straiker analysis of context poisoning leading to cooperative agent behavior.
Exposed layers and necessary audits
The following table links each exposed layer to its corresponding attack path and recommended audit action. Consider this in your next meeting.
|
Exposed Layer |
What the Leak Revealed |
Attack Path Enabled |
Defender Audit Action |
|
4-stage compaction pipeline |
Exact criteria for what survives each stage. MCP tool results are never microcompacted. Read results skip budgeting. |
Context poisoning: malicious instructions in CLAUDE.md survive compaction and get laundered into ‘user directives’. |
Audit every CLAUDE.md and .claude/config.json in cloned repos. Treat as executable, not metadata. |
|
Bash security validators (2,500 lines, 23 checks) |
Full validator chain, early-allow short circuits, three-parser differentials, blocked pattern lists |
Sandbox bypass: CR-as-separator gap between parsers. Early-allow in git validators bypasses all downstream checks. |
Restrict broad permission rules (Bash(git:*), Bash(echo:*)). Redirect operators chain with allowed commands to overwrite files. |
|
MCP server interface contract |
Exact tool schemas, permission checks, and integration patterns for all 40+ built-in tools |
Malicious MCP servers that match the exact interface. Supply chain attacks are indistinguishable from legitimate servers. |
Treat MCP servers as untrusted dependencies. Pin versions. Monitor for changes. Vet before enabling. |
|
44 feature flags (KAIROS, ULTRAPLAN, coordinator mode) |
Unreleased autonomous agent mode, 30-min remote planning, multi-agent orchestration, background memory consolidation |
Competitors accelerate the development of comparable features. Future attack surface previewed before defenses ship. |
Monitor for feature flag activation in production. Inventory where agent permissions expand with each release. |
|
Anti-distillation and client attestation |
Fake tool injection logic, Zig-level hash attestation (cch=00000), GrowthBook feature flag gating |
Workarounds documented. MITM proxy strips anti-distillation fields. Env var disables experimental betas. |
Do not rely on vendor DRM for API security. Implement your own API key rotation and usage monitoring. |
|
Undercover mode (undercover.ts) |
90-line module strips AI attribution from commits. Force ON possible, force OFF impossible. Dead-code-eliminated in external builds. |
AI-authored code enters repos with no attribution. Provenance and audit trail gaps for regulated industries. |
Implement commit provenance verification. Require AI disclosure policies for development teams using any coding agent. |
AI-assisted code is leaking secrets at twice the rate
The GitGuardian’s State of Secrets Sprawl 2026 report, released on March 17, revealed that Claude Code-assisted commits leaked secrets at a rate of 3.2%, compared to the 1.5% baseline across all public GitHub commits. Leaks of AI service credentials increased by 81% year-over-year to 1,275,105 exposures. 24,008 unique secrets were discovered in MCP configuration files on public GitHub, with 2,117 confirmed as valid credentials. GitGuardian attributed the higher leak rate to human workflow failures exacerbated by the speed of AI, rather than a flaw in the tool itself.
Gartner’s focus on operational patterns
March saw over a dozen Claude Code releases from Anthropic, introducing features like autonomous permission delegation, remote code execution from mobile devices, and AI-scheduled background tasks. Each new capability expanded the operational surface, coinciding with the leak that exposed their implementation.
Gartner’s advice is clear: require AI coding agent vendors to demonstrate the same operational maturity as other critical development infrastructures. This includes published SLAs, public uptime history, and documented incident response policies. Establish provider-independent integration boundaries for a potential vendor change within 30 days. Anthropic has issued just one postmortem for more than a dozen March incidents, while third-party monitors detected outages 15 to 30 minutes prior to acknowledgment on Anthropic’s status page.
As the WSJ reported, the company is valued at $380 billion and possibly heading for a public offering this year. However, it now faces a containment challenge that 8,000 DMCA takedowns have not resolved.
Merritt Baer, Chief Security Officer at Enkrypt AI, noted that the IP exposure flagged by Gartner extends into areas most teams have yet to explore. “The questions many teams aren’t asking yet are about derived IP,” Baer said. “Can model providers retain embeddings or reasoning traces, and are those artifacts considered your intellectual property?” With 90% of Claude Code’s source AI-generated and now public, this question becomes critical for any enterprise releasing AI-written production code.
Zaitsev emphasized the need to rethink identity models. “It doesn’t make sense that an agent acting on your behalf would have more privileges than you do,” he told VentureBeat. “You may have 20 agents working on your behalf, but they’re all tied to your privileges and capabilities. We’re not creating 20 new accounts and 20 new services that we need to keep track of.” The leaked source shows Claude Code’s permission system is per-tool and granular. The question is whether enterprises are enforcing the same discipline on their side.
Five actions for security leaders this week
1. Audit CLAUDE.md and .claude/config.json in every cloned repository. Context poisoning through these files is a documented attack path with a readable implementation guide. Check Point Research found that developers inherently trust project configuration files and rarely apply the same scrutiny as application code during reviews.
2. Treat MCP servers as untrusted dependencies. Pin versions, vet before enabling, monitor for changes. The leaked source reveals the exact interface contract.
3. Restrict broad bash permission rules and deploy pre-commit secret scanning. A team generating 100 commits per week at the 3.2% leak rate is statistically exposing three credentials. MCP configuration files are the newest surface that most teams are not scanning.
4. Require SLAs, uptime history, and incident response documentation from your AI coding agent vendor. Architect provider-independent integration boundaries. Gartner’s guidance: 30-day vendor switch capability.
5. Implement commit provenance verification for AI-assisted code. The leaked Undercover Mode module strips AI attribution from commits with no force-off option. Regulated industries need disclosure policies that account for this.
Gartner noted that source map exposure is a well-known failure class detected by standard commercial security tools. Apple and identity verification provider Persona suffered similar failures in the past year. The mechanism was not new, but the target was. Claude Code alone generates approximately $2.5 billion in annual revenue for a company now valued at $380 billion. Its complete architectural blueprint is circulating on mirrors that have vowed never to be taken down.
