Claude Code Source Leak: The Vulnerability That Followed
TL;DR: On March 31, 2026, Anthropic accidentally published 513,000 lines of Claude Code's TypeScript source to npm. Within hours, researchers found critical security vulnerabilities using the exposed code, and threat actors launched a malware campaign riding the hype wave. Here's everything you need to know.
The Leak: A Single Missing Line in .npmignore
At approximately 4:23 AM ET on March 31, 2026, Chaofan Shou, an intern at Solayer Labs, posted on X that Claude Code v2.1.88 had shipped with a 59.8 MB JavaScript source map file (cli.js.map) accidentally bundled into the public npm package @anthropic-ai/claude-code.
The root cause: someone forgot to add *.map to the .npmignore file. Boris Cherny, head of Claude Code at Anthropic, confirmed it was a "plain developer error." Anthropic's official statement: "This was a release packaging issue caused by human error, not a security breach."
The exposed archive contained:
- 513,000 lines of unobfuscated TypeScript across 1,906 files
- Full orchestration logic, permission systems, and execution internals
- Hidden feature flags (including "KAIROS", an autonomous daemon mode)
- Internal model codenames: Capybara (Claude 4.6), Fennec (Opus 4.6), Numbat (unreleased)
- Internal performance metrics, including a 29–30% false claims rate in Capybara v8
Within hours, the code was mirrored across GitHub and forked thousands of times. Note: this was not the first time; a similar accidental exposure occurred in February 2025 during Claude Code's early days.
Critical Vulnerability Discovered Days After
The real security story started after the leak. Researchers at Adversa AI studied the now-readable source and found a critical vulnerability in Claude Code (CVE-2026-21852) within days. SecurityWeek reported that this flaw, which involves RCE and API key exfiltration vectors via malicious repo configs, hooks, MCP servers, and environment variables, was only surfaced because the source was readable.
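The root cause above is a packaging allowlist problem: .npmignore is a denylist, so one forgotten entry ships a file. The following is an added example (not Anthropic's tooling) of a pre-publish gate that asks npm which files it would actually upload and fails the release if any of them match a leak pattern such as *.map. The deny-list patterns are constructed for illustration; the npm invocation is the real `npm pack --dry-run --json` command.

```python
"""Pre-publish guard for an npm package (added example, not Anthropic's
tooling): ask npm which files it would publish and refuse if any of them
match a pattern for artifacts that must not ship, such as source maps."""
import fnmatch
import json
import subprocess
import sys

# Constructed deny-list. "*.map" is the pattern from the incident; the rest are
# common secret/build leftovers a release check usually covers as well.
LEAK_PATTERNS = ("*.map", ".env", ".env.*", "*.pem", "*.key", "*.tsbuildinfo")


def find_leaky_files(paths, patterns=LEAK_PATTERNS):
    """Return the entries of `paths` whose basename or full path matches any pattern."""
    hits = []
    for path in paths:
        base = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(base, pat) or fnmatch.fnmatch(path, pat) for pat in patterns):
            hits.append(path)
    return hits


def packed_files(project_dir="."):
    """List the files `npm publish` would upload, without building a tarball.

    `npm pack --dry-run --json` prints a JSON array with one object per package;
    each object carries a `files` list of {"path": ..., "size": ...} entries.
    """
    proc = subprocess.run(
        ["npm", "pack", "--dry-run", "--json"],
        cwd=project_dir, capture_output=True, text=True, check=True,
    )
    return [entry["path"] for pkg in json.loads(proc.stdout) for entry in pkg["files"]]


def main(project_dir="."):
    """Exit 1 (blocking the publish) when any would-be-published file matches."""
    files = packed_files(project_dir)
    hits = find_leaky_files(files)
    if hits:
        print("refusing to publish: these files match a leak pattern", file=sys.stderr)
        for path in hits:
            print(f"  {path}", file=sys.stderr)
        return 1
    print(f"ok: {len(files)} files checked, none match a leak pattern")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Wire it in as a `prepublishOnly` script in package.json so it runs on every `npm publish`, including CI releases. Independently of the check, an explicit `files` allowlist in package.json is the more robust control: a forgotten .npmignore entry leaks a file, whereas a forgotten allowlist entry only produces a broken package that fails tests.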
Additional CVEs tied to this incident include:
- CVE-2025-59536
- CVE-2025-59828
- CVE-2025-58764
- CVE-2025-64755
The key insight from security researchers at Straiker AI: while the minified npm bundle was always technically reversible, the leaked source collapsed the cost of reverse engineering to zero. Attacks that would have taken weeks of fuzzing are now engineering problems that take hours.
Context Poisoning via the Compaction Pipeline
The most novel attack surface revealed by the source: context poisoning through the autocompact pipeline. Claude Code manages context pressure via a four-stage cascade:
tool result budgeting → microcompact → context collapse → autocompact
The source code reveals that MCP tool results are never microcompacted: they persist until the full autocompact fires. More critically, the autocompact prompt instructs the model to preserve "all user messages" and "specific user feedback," then tells the model to "continue without asking the user any further questions."
A malicious CLAUDE.md in a cloned repository, or content injected via a file read, can be laundered through compaction summaries, re-emerging post-compaction as what the model believes are genuine user directives. The model isn't jailbroken. It's cooperative, following laundered instructions it can't distinguish from real ones.
Concurrent Supply Chain Attack: The Axios Hijack
March 31 was a doubly bad day. In a separate but parallel incident (00:21–03:29 UTC), attackers compromised the npm account of Jason Saayman, lead Axios maintainer, and published two backdoored versions of the world's most popular HTTP library (~100M weekly downloads).
Both versions contained a Remote Access Trojan (RAT) via a malicious dependency called plain-crypto-js. Claude Code uses axios as a dependency, meaning anyone who ran npm install or updated Claude Code during that 3-hour window may have pulled the trojanized version.
If you updated Claude Code between 00:21–03:29 UTC on March 31, 2026: audit your system immediately. Check for [email protected] or [email protected] in your node_modules and rotate any credentials stored in that environment.
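The audit described above, as an added example that is not from the article or its sources: walk an installed node_modules tree, list every axios copy, flag the plain-crypto-js dependency that carried the RAT, and report whether the last install time falls inside the compromise window. The backdoored axios version strings are not on the page and are left as labelled placeholders; the window timestamps are the ones the article gives.

```python
"""Post-incident dependency audit (added example, not from the article's
sources): walk an installed node_modules tree, report every axios copy,
flag the malicious dependency the backdoored releases introduced, and say
whether the last install fell inside the published compromise window."""
import json
import os
import sys
from datetime import datetime, timezone

# Compromise window from the article, in UTC.
WINDOW_START = datetime(2026, 3, 31, 0, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 31, 3, 29, tzinfo=timezone.utc)

# Placeholder: the two backdoored axios version strings from the advisory are
# not reproduced here; fill them in from the advisory before running.
COMPROMISED_AXIOS_VERSIONS = {"<backdoored-axios-version-1>", "<backdoored-axios-version-2>"}
# Named in the article as the dependency that delivered the RAT.
MALICIOUS_DEPENDENCY = "plain-crypto-js"


def iter_installed_packages(node_modules):
    """Yield (name, version, dir) for every package.json below node_modules,
    including nested copies and scoped (@org/name) packages."""
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue
        name, version = meta.get("name"), meta.get("version")
        if isinstance(name, str) and isinstance(version, str):
            yield name, version, root


def audit_packages(packages, bad_versions=COMPROMISED_AXIOS_VERSIONS,
                   malicious_dep=MALICIOUS_DEPENDENCY):
    """Pure check over (name, version, dir) tuples; returns findings as lists."""
    findings = {"axios": [], "compromised_axios": [], "malicious_dependency": []}
    for name, version, where in packages:
        if name == "axios":
            findings["axios"].append((version, where))
            if version in bad_versions:
                findings["compromised_axios"].append((version, where))
        elif name == malicious_dep:
            findings["malicious_dependency"].append((version, where))
    return findings


def in_window(ts):
    """True if a timestamp (aware datetime or ISO-8601 string) lies in the window."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    return WINDOW_START <= ts.astimezone(timezone.utc) <= WINDOW_END


def last_install_in_window(node_modules):
    """Weak but cheap signal: the directory mtime is touched by the last install."""
    mtime = datetime.fromtimestamp(os.path.getmtime(node_modules), tz=timezone.utc)
    return in_window(mtime)


def main(node_modules):
    if not os.path.isdir(node_modules):
        print(f"no such directory: {node_modules}", file=sys.stderr)
        return 2
    findings = audit_packages(iter_installed_packages(node_modules))
    for version, where in findings["axios"]:
        print(f"axios {version} at {where}")
    for version, where in findings["compromised_axios"]:
        print(f"COMPROMISED axios {version} at {where}")
    for version, where in findings["malicious_dependency"]:
        print(f"FOUND {MALICIOUS_DEPENDENCY} {version} at {where}")
    if last_install_in_window(node_modules):
        print("last install time falls inside the compromise window")
    suspicious = findings["compromised_axios"] or findings["malicious_dependency"]
    return 1 if suspicious else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "node_modules"))
```

Run it against the project's node_modules and against the global prefix (`npm root -g`), since Claude Code is normally installed globally. The mtime check is only a hint; the lockfile's git history and CI install logs are the authoritative record of what was resolved when.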
Threat Actors Capitalize: Vidar Infostealer Campaign
Within days, Zscaler ThreatLabz discovered a malware campaign exploiting the hype around the leak. A GitHub repository by user "idbzoomh" claimed to host a working fork of the leaked Claude Code with "unlocked enterprise features and no usage restrictions." The repo was SEO-optimized to appear in the top Google results for "leaked Claude Code."
Downloading the archive delivers:
- Vidar v18.7, a commodity infostealer targeting credentials, crypto wallets, and browser data
- GhostSocks, a network traffic proxy used to route stolen data
Do not download, fork, build, or run any code from GitHub repositories claiming to be "leaked Claude Code." Verify everything against Anthropic's official npm package only.
What Security Leaders Should Do Now
- Audit your Claude Code installs: confirm you're on a clean version (v2.1.89+). Check npm ls axios for any lingering malicious versions.
- Review your CLAUDE.md and .claudeignore files: treat any repo-level Claude config as a potential injection surface, especially in shared or cloned codebases.
- Harden MCP server trust: the leak confirms MCP tool results bypass microcompaction. Only connect Claude Code to MCP servers you fully control.
- Rotate API keys: if Claude Code ran in any environment during the axios compromise window, rotate Anthropic API keys and any other credentials accessible from that context.
- Don't run code from "leaked Claude Code" repos: the Vidar campaign is active and well-SEO'd. Warn your teams.
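The context-poisoning section and the CLAUDE.md / MCP items above describe the same control gap: a cloned repository carries files that can inject instructions, run commands or attach tool servers before anyone reviews them. The following is an added example (not Anthropic's tooling) of a pre-trust inventory to run on a fresh checkout. The page names only CLAUDE.md and .claudeignore; the other paths (.claude/CLAUDE.md, CLAUDE.local.md, .claude/settings.json with its hooks and env keys, and .mcp.json with its mcpServers map) are assumed from Claude Code's documented project configuration.

```python
"""Inventory of the repo-level surfaces a cloned repository can use to steer
Claude Code (added example, not Anthropic's tooling): instruction files,
hook commands, project-scoped MCP servers and environment overrides.
Run it before opening an untrusted checkout with the agent."""
import json
import os
import sys

# File locations assumed from Claude Code's documented project configuration;
# the article itself names only CLAUDE.md (and .claudeignore).
INSTRUCTION_FILES = ("CLAUDE.md", ".claude/CLAUDE.md", "CLAUDE.local.md")
SETTINGS_FILES = (".claude/settings.json", ".claude/settings.local.json")
MCP_FILE = ".mcp.json"


def load_json(path):
    """Parse a JSON file, returning {} if it is absent or unreadable."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def hook_commands(settings):
    """Flatten the settings 'hooks' map, {event: [{matcher, hooks: [{type, command}]}]},
    into (event, matcher, command) triples for every command hook."""
    found = []
    for event, groups in (settings.get("hooks") or {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                if hook.get("type") == "command":
                    found.append((event, group.get("matcher", ""), hook.get("command", "")))
    return found


def mcp_servers(mcp_config):
    """Return (name, target) pairs from an .mcp.json 'mcpServers' map, where the
    target is the remote URL or the local command line that would be spawned."""
    found = []
    for name, spec in (mcp_config.get("mcpServers") or {}).items():
        if spec.get("url"):
            target = spec["url"]
        else:
            target = " ".join([spec.get("command", "")] + list(spec.get("args", []))).strip()
        found.append((name, target))
    return found


def inventory(repo_dir):
    """Collect everything in the checkout that can inject instructions or run code."""
    report = {"instruction_files": [], "hooks": [], "mcp_servers": [], "env": {}}
    for rel in INSTRUCTION_FILES:
        full = os.path.join(repo_dir, rel)
        if os.path.isfile(full):
            report["instruction_files"].append((rel, os.path.getsize(full)))
    for rel in SETTINGS_FILES:
        settings = load_json(os.path.join(repo_dir, rel))
        report["hooks"].extend(hook_commands(settings))
        report["env"].update(settings.get("env") or {})
    report["mcp_servers"].extend(mcp_servers(load_json(os.path.join(repo_dir, MCP_FILE))))
    return report


def needs_review(report):
    """Anything that executes (hooks, MCP servers) or rewrites the environment blocks."""
    return bool(report["hooks"] or report["mcp_servers"] or report["env"])


def main(repo_dir):
    report = inventory(repo_dir)
    for rel, size in report["instruction_files"]:
        print(f"instructions: {rel} ({size} bytes), read before trusting the repo")
    for event, matcher, command in report["hooks"]:
        print(f"hook: {event} [{matcher}] runs: {command}")
    for name, target in report["mcp_servers"]:
        print(f"mcp server: {name} -> {target}")
    for key, value in report["env"].items():
        print(f"env override: {key}={value}")
    return 1 if needs_review(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Instruction files are listed but not blocked on, because nearly every repo has a CLAUDE.md; the point is to make someone read it with the compaction behaviour in mind. Hooks, MCP server definitions and environment overrides in a repo you did not author are a hard stop until reviewed, since they run code or change where the agent's traffic goes.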
The Bigger Picture
This incident is a microcosm of a broader trend in agentic AI security: the more capable and autonomous an AI tool becomes, the more catastrophic its attack surface. Claude Code runs directly in developer environments with access to terminals, file systems, codebases, and API keys. A single prompt injection that survives autocompaction is a persistent foothold, not just a jailbreak.
Anthropic is rolling out measures to prevent future packaging errors. But the leaked source will remain in the wild indefinitely. The security community now has a blueprint for Claude Code's internals, and so do adversaries.
"Do not keep a lax runtime posture just because today's headline was about source disclosure rather than direct compromise." - Penligent AI
The lesson: if you're deploying agentic AI tools in production, runtime security hygiene matters as much as model safety. Keep watching this space โ this story is still developing.
Sources: SecurityWeek · BleepingComputer · Zscaler ThreatLabz · VentureBeat · Straiker AI · The Register
This is The LGTM, your daily digest of what matters in AI-assisted coding. Subscribe to get it in your inbox.