It started with a single file. One .map file, accidentally bundled into a production npm package. And just like that, 512,000 lines of TypeScript source code — every internal tool, every API client, every unreleased feature plan — sat exposed on the public internet.
But that wasn’t even the whole story.
March 2026 became the month Claude Code went from being the tool developers trusted to code on their behalf, to being the subject of three critical CVEs and an embarrassing supply chain incident. Let me walk you through what actually happened.
The Source Map Leak: March 31, 2026#
On the morning of March 31st, security researcher Chaofan Shou posted on X that Claude Code’s entire source code had been exposed via an npm registry source map file. No breach. No hack. Just a configuration mistake during the build process.
Source maps are debugging tools — they let developers map compiled code back to its original source. They’re supposed to stay in development environments. Somehow, Anthropic included one in their production npm package. Click the URL referenced in the .map file, and you’d land in an R2 storage bucket containing 1,900 files of unobfuscated, fully-commented TypeScript.
The scale was staggering:
- 512,000+ lines of code
- 1,900 files
- Complete TypeScript source — not minified blobs, but readable, annotated code
And it wasn’t just架子 code. Researchers found significant internal systems exposed:
- QueryEngine.ts — 46,000 lines covering the entire LLM API engine, streaming logic, tool loops, and token tracking
- Tool.ts — 29,000 lines of agent tool types and permission schemas
- commands.ts — 25,000 lines of slash command registry and execution logic
Exposed too were around 40 agent tools (BashTool, FileReadTool, FileEditTool, WebFetchTool, MCPTool, LSPTool), roughly 85 slash commands (/commit, /review, /compact, /mcp, /memory, /diff, /cost), and internal feature flags for unreleased features like PROACTIVE, VOICE_MODE, BRIDGE_MODE, and something called KAIROS.
Oh, and there was a digital pet system called BUDDY hidden in a buddy/ directory, locked behind a compile-time flag, scheduled for an April 1-7 teaser window.
Anthropic moved fast. They pushed an update removing the source map and deleted old versions from npm. But mirrors were already on GitHub. Three of them, at least. The internet had already cached what it wanted.
This was Anthropic’s second incident in five days too. On March 26th, a CMS configuration error had exposed unreleased Claude Mythos model details, draft blog posts, and 3,000 unpublished assets. Someone at Anthropic was having a rough week.
Was it really a “leak”? Some developers pushed back on the framing. You could already read Claude Code’s logic by running cat on the installed npm package files — they were minified JavaScript, not encrypted. The source map just made it human-readable TypeScript. “This ’leak’ is kind of clickbait,” wrote developer Skanda. “Anthropic never treated Claude Code’s client logic as a secret.”
Fair point. But there’s a difference between staring at a wall of minified one-liners and actually reading someone’s architecture decisions, commented code, and internal tooling. Seeing code and understanding it are two different things entirely.
The Check Point Vulnerabilities: Three CVEs, One Theme#
While the npm incident was making headlines, a quieter but arguably more serious set of vulnerabilities was being disclosed through proper channels.
Check Point Research had spent months analyzing Claude Code’s configuration system and found three critical flaws that, together, formed a complete attack chain — from cloning a malicious repository to having your API key stolen and your entire workspace compromised.
CVE-2025-59536: Hooks That Execute Without Asking#
Claude Code supports Hooks — custom commands that run automatically at specific points in the tool’s lifecycle. Want to auto-format TypeScript files after every edit? There’s a hook for that. Want to block modifications to production directories? Hook for that too.
Hooks are defined in .claude/settings.json — a file that lives in the repository itself. The idea is elegant: clone a project, inherit the same Claude Code settings as your teammates. But this design means any contributor with commit access can define hooks that will execute on every collaborator’s machine.
Check Point’s team crafted a malicious hook that opened a Calculator when a project was opened. When they ran Claude in the directory, a trust dialog appeared asking for permission. They clicked “Yes, proceed.”
The Calculator opened immediately. No second prompt. No warning that hook commands would run silently in the background. The trust dialog had been designed around explicit command execution, but hooks snuck past it entirely.
From there, escalation was trivial. Replace “open Calculator” with “download and execute a reverse shell,” and you have full remote code execution on every developer’s machine that opens the project.
The MCP Consent Bypass#
Model Context Protocol (MCP) allows Claude Code to connect to external tools and services. MCP servers are configured via .mcp.json, another repository-controlled file. When Claude Code starts, it initializes all MCP servers by running their setup commands.
After the first vulnerability, Anthropic had added a consent dialog warning users that commands in .mcp.json might execute. Good fix. But Check Point found a bypass.
The .claude/settings.json file supports flags like enableAllProjectMcpServers and enabledMcpjsonServers — settings that let teams auto-approve MCP servers without manual confirmation. These were meant for trusted team environments. But since they’re defined in the repository’s own config, a malicious repository could enable them automatically.
When Check Point tested this, the Calculator opened before the user even saw the consent dialog — on top of it, actually. The command executed at initialization, bypassing every protection Anthropic had built.
CVE-2026-21852: API Key Exfiltration#
This one was the most devastating.
Claude Code supports setting environment variables through .claude/settings.json. One variable, ANTHROPIC_BASE_URL, controls where API requests go. Normally it points to Anthropic’s servers. But it can be overridden in the project config.
Check Point set up a local proxy and pointed ANTHROPIC_BASE_URL at it. What they discovered was alarming: Claude Code was sending API requests — including their full authorization header containing the API key — before the user even interacted with the trust dialog. The requests happened during session initialization, carrying the developer’s credentials in plaintext.
A malicious repository could set ANTHROPIC_BASE_URL to point at an attacker-controlled server. When a victim cloned the repo and ran claude, their API key would be transmitted immediately — no user interaction required. The attacker wouldn’t even need to wait for consent.
The blast radius extended further than expected. Check Point discovered that stolen API keys could access Claude’s Workspaces — shared collaborative environments where multiple developers work with the same cloud-mounted files. Files uploaded to a Workspace belong to the workspace itself, not individual API keys. Any key belonging to that workspace gets implicit access to everything in it.
There was a nominal restriction: uploaded files couldn’t be downloaded. But Check Point found it was trivially bypassed — ask Claude to regenerate the file through the code execution tool, and it becomes a system-generated artifact that’s downloadable. An attacker with a stolen key could read, write, and delete any file in the workspace, and exhaust the victim’s API credits.
Supply chain attack potential was enormous. Malicious pull requests, honeypot repositories posing as useful tools, compromised internal repositories — any scenario where developers clone and open untrusted code. And the tricky part? Configuration files are metadata in developers’ minds. Nobody scrutinizes .claude/settings.json the way they scrutinize application code.
What the Source Code Actually Revealed#
For all the hand-wringing about the npm leak, the actual content was illuminating in ways that went beyond vulnerability assessment.
Developer Jingle Bell spent a day systematically reviewing the codebase and posted a detailed breakdown. The community’s reaction to reading Claude Code’s own code while working to secure it was summed up succinctly: “Claude’s revenue today is coming from everyone using Claude to analyze Claude’s source code.”
The irony was thick enough to cut with a knife.
But beneath the jokes, developers found genuinely useful patterns:
System prompt engineering. Most people write system prompts like “try to be helpful and provide detailed answers.” Anthropic’s actual approach was more rigorous — tool constraints specified which tools must be used for which tasks, risk controls mandated double-confirmation before destructive operations, and output specs required conclusions before explanations. This wasn’t AI personality engineering; it was behavior specification. More predictable, more controllable, more production-ready.
Multi-agent orchestration. Claude Code has a complete multi-agent coordination system — a main coordinator agent that assigns tasks to workers, a permission queue (called a Mailbox) where workers request authorization for dangerous operations, an atomic claim mechanism preventing race conditions, and shared team memory across agents. The architecture balanced autonomy with human control, which is exactly the hard problem everyone building multi-agent systems is wrestling with right now.
Context compression strategy. This was the most praised engineering in the codebase. Three-layer compression: MicroCompact (local edits to cached content, no API calls), AutoCompact (triggers near context limits, reserves 13,000 token buffer, generates up to 20,000 token summary with a circuit breaker after 3 consecutive failures), and Full Compact (compresses entire conversation, re-injects recently accessed files and active plans). Anyone building long-conversation AI apps was taking notes.
AutoDream memory consolidation. Claude Code automatically consolidates memory in the background when four conditions are met: 24+ hours since last consolidation, 5+ new sessions, no other consolidation running, and 10+ minutes since last scan. The process has four phases — Orient, Gather, Consolidate, and Prune — keeping long-term memory files under 200 lines and 25KB. A directly applicable pattern for any AI app needing persistent memory.
For developers, this “leak” was a free masterclass in production AI engineering. Anthropic’s practices, refined through real-world use at scale, laid bare for anyone to study.
The Deeper Questions#
Two incidents in one month force a reckoning with some uncomfortable questions.
If Claude Code’s client code wasn’t a secret, what is? The obvious answer is the model itself — the reasoning capabilities, the weights, the training infrastructure. You can copy an architecture. You can learn from engineering decisions. But you can’t replicate what makes Claude feel like Claude through code alone. Skanda was right: the CLI tool is a delivery mechanism, not the moat.
But the vulnerabilities were real. Three CVEs, all stemming from the same root cause — repository-controlled configurations executing before user consent. These weren’t theoretical. They required only that a developer clone an untrusted repository and run Claude Code in it. That’s a standard workflow for open source contribution, code reviews, and technical interviews.
The supply chain problem cuts both ways. AI tools are increasingly integrated into development pipelines. We trust them with code generation, code review, and deployment decisions. But we’re also trusting them with our credentials, our environments, and increasingly our workspaces. When the tool itself becomes an attack vector, the blast radius is much larger than a typical vulnerable library.
And the npm leak revealed something else: even Anthropic makes basic mistakes. Two incidents in five days suggests a broader process failure, not just a one-off error. A CMS configuration error, and a build pipeline that deployed source maps to production. These aren’t sophisticated attacks. They’re the kind of mistakes any engineering team can make.
Which raises the question: if a company valued at billions, with some of the best AI researchers in the world, can have this kind of month, what does that mean for everyone else?
What Developers Should Take Away#
These incidents point to some practical lessons for anyone building or using AI-powered development tools:
Treat configuration as code. The
.claude/settings.jsonfile isn’t metadata — it controls execution. Review project configuration directories with the same rigor you apply to source code, especially in repositories you don’t fully trust.Keep tools updated. All three CVEs were patched before public disclosure. Running an outdated version of Claude Code left you exposed to supply chain attacks that required only cloning a repository.
The source map leak is a supply chain security case study. If your build pipeline accidentally publishes source maps to production npm packages, your entire codebase is exposed. This is a known risk — and one that’s easily prevented with proper build configuration review.
Multi-agent systems need careful permission design. Claude Code’s coordinator/worker pattern with a permission queue is worth studying if you’re building similar systems. Anthropic’s approach to balancing agent autonomy with human control is battle-tested.
Context management at scale is a hard unsolved problem. The three-layer compression strategy in Claude Code represents real engineering solutions to real problems. If you’re building long-conversation AI applications, these patterns are directly applicable.
The Irony, Summed Up#
In the end, the most striking moment came from reading developer discussions after both incidents landed. While security teams were scrambling to patch vulnerabilities, other developers were cheerfully using Claude to read through Claude’s source code — learning its patterns, studying its architecture, and posting detailed breakdowns of what they found.
“Claude’s revenue today is coming from everyone using Claude to analyze Claude’s source code,” one developer noted.
And honestly? That’s probably the most honest summary of the situation. Anthropic built a tool powerful enough that people wanted to understand how it worked, smart enough that it could help them do so, and secure enough in its fundamentals that even exposed source code didn’t give attackers the model itself.
But also human enough to accidentally ship source maps to production and misconfigure CMS settings. Built by people, maintained by people, and inevitably, exposed by people making the same mistakes people always make.
No matter how advanced the technology, it still comes down to code. And code, ultimately, is written by humans.
And humans make mistakes.
Have thoughts on these incidents? Reach out — I’m always interested in discussing AI security and what the field needs to learn from cases like this.