Anthropic Accidentally Shipped Claude Code Internal Source Code to npm — and Then Issued Mass DMCA Takedowns
Anthropic found itself at the center of an accidental source code disclosure this week after a debugging artifact was inadvertently bundled into a routine Claude Code npm package release and pushed to the public registry. The exposed file was a source map for unobfuscated TypeScript source — the kind of artifact that developers include during debugging but strip before shipping — and it gave anyone who downloaded the package a window into Anthropic's internal Claude Code implementation. Thousands of GitHub mirrors of the code subsequently appeared and were removed through DMCA copyright takedown requests filed by Anthropic.
Anthropic confirmed the incident, stating that "some internal source code" was included in the release but that "no sensitive customer data or credentials were involved or exposed." The Register identified the root cause as a .map source-map file inside the npm package that referenced the unobfuscated TypeScript source directly — a misconfiguration in the build or publish pipeline, not a hack. The timing is notable: this is the second security-related scare for Anthropic in quick succession, following a separate incident just days prior.
The broader lesson for the industry is about SDK supply chain hygiene at speed. AI framework vendors are shipping updates at an aggressive cadence, and the gap between "works in CI" and "safe to publish to a public registry" is exactly where this kind of exposure lives. A source map misconfiguration is mundane on its own — the stakes are elevated when the artifact belongs to one of the most widely used AI coding SDKs in the ecosystem. Expect tighter npm publish checklists and pre-release artifact audits to become standard practice across the industry in response.
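A pre-release artifact audit of the kind described above can be a small check over the files that would go into the tarball. The following is an added example, not code from Anthropic or from the original article; the function name, the `{ path, content }` input shape and the sample files are assumptions made for illustration.

```javascript
// Added example: flag source-map exposure in the files destined for an npm tarball.
// `files` is a hypothetical in-memory list of { path, content } entries.
const TS_SOURCE = /\.(ts|tsx|mts|cts)$/i;
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/;

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith(".map")) {
      let map;
      try {
        map = JSON.parse(content);
      } catch {
        findings.push({ path, issue: "unparseable-map" });
        continue;
      }
      const sources = Array.isArray(map?.sources) ? map.sources : [];
      // sourcesContent carries the original files verbatim inside the map.
      const embedded = Array.isArray(map?.sourcesContent) &&
        map.sourcesContent.some((s) => typeof s === "string" && s.length > 0);
      findings.push({
        path,
        issue: embedded ? "map-embeds-original-source" : "map-shipped",
        originalSources: sources.filter((s) => TS_SOURCE.test(s)),
      });
    } else if (/\.(js|mjs|cjs)$/i.test(path)) {
      const m = MAP_COMMENT.exec(content);
      if (!m) continue;
      // A data: URI means the whole map travels inside the JavaScript file.
      const inline = m[1].startsWith("data:");
      findings.push({ path, issue: inline ? "inline-source-map" : "map-reference",
        target: inline ? "data:" : m[1] });
    }
  }
  return findings;
}

// Constructed sample package contents, not taken from any real release.
const sampleFiles = [
  { path: "package/cli.js", content: "run();\n//# sourceMappingURL=cli.js.map\n" },
  { path: "package/cli.js.map", content: JSON.stringify({ version: 3,
      sources: ["../src/main.ts"], sourcesContent: ["export const n: number = 1;"],
      mappings: "AAAA" }) },
  { path: "package/README.md", content: "# demo" },
];
console.log(auditPackageFiles(sampleFiles));
```

In a publish pipeline the file list would come from the packed tarball rather than an in-memory array, and any finding would fail the job before the registry upload.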