512,000 Lines of Claude Code Leaked via npm — What Enterprise Teams Need to Audit Now
On March 31, Anthropic accidentally shipped a 59.8 MB source map file inside version 2.1.88 of the @anthropic-ai/claude-code npm package, exposing over 512,000 lines of unobfuscated TypeScript across 1,906 files. The leaked source included Claude Code's complete permission model, every bash security validator, 44 unreleased feature flags, and references to unannounced models. Within hours of the package hitting npm registries, mirrors had spread across GitHub — making meaningful containment nearly impossible despite Anthropic's swift DMCA filings. The company confirmed the incident was a packaging error rather than a deliberate breach, but the downstream risk window was real and measurable.
The timing made things worse. The same npm install window overlapped with a separate supply-chain attack distributing malicious versions of the axios package containing a remote access trojan. VentureBeat's security team mapped out three concrete attack paths that a determined adversary could have exploited using the leaked source, and outlined the specific audit steps enterprise security teams should run to assess exposure. If your team installed or auto-updated @anthropic-ai/claude-code between 00:21 and 03:29 UTC on March 31, a full environment audit is strongly recommended.
More broadly, the incident underscores a growing blind spot: as AI coding agents move deeper into production pipelines, their npm packages become high-value targets for supply-chain attacks. The combination of privileged file system access, bash execution, and network connectivity that makes tools like Claude Code powerful is exactly what makes a compromised version so dangerous. Security teams should apply the same scrutiny to AI agent packages that they give to any critical infrastructure dependency — including version pinning, integrity hashing, and restricted install permissions in CI environments.