Anthropic experienced a significant source code leak on March 31 when a missing .npmignore file caused the complete Claude Code source map (cli.js.map) to ship inside the npm package. The exposure, discovered by security researcher Chaofan Shou (whose post garnered 21 million views), included 512,000 lines of TypeScript source code across 1,906 files.
The exposed source map included sensitive architectural information: feature flags, internal project names, and references to unreleased capabilities like KAIROS, an autonomous daemon mode for long-running agent operations. While Anthropic confirmed no customer data or credentials were exposed, the leak revealed significant portions of the development roadmap.
This was a packaging error, not a security breach. Anthropic's statement was clear: the missing .npmignore was human error during the release process. However, human error in supply chain artifacts can have significant downstream effects, making the incident notable despite its limited technical severity.
The three-hour exposure window before removal demonstrates the importance of rapid incident response. Immediate action prevented extended impact, though the code was already indexed and distributed through npm caches and mirrors.
The timing compounds the problem: this incident follows Anthropic's Mythos leak from just one week prior, creating negative attention around operational security and release management practices. Successive incidents, even if each individually minor, raise questions about process discipline and testing rigor.
From a technical perspective, the leak reveals Anthropic's underlying architecture. Claude Code uses a TypeScript-based foundation with 1,906 individual files, suggesting significant modularization and careful component separation. The feature flags exposed in the source code suggest active experimentation with multiple capabilities simultaneously.
KAIROS, mentioned prominently in the leaked code, represents an interesting direction: an autonomous daemon mode enabling Claude to operate independently for extended periods. This capability, if released, would position Claude Code for scenarios like long-running research automation, continuous monitoring, and background task processing.
The incident serves as a reminder that source code protection extends beyond runtime security into release and distribution processes. Many organizations focus on code review and testing but underinvest in release tooling validation. A simple linting check validating .npmignore completeness would have prevented this exposure.
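As an added illustration of such a release-tooling check (not Anthropic's code), the script below gates a publish on the file list that `npm pack --dry-run --json` reports for the tarball and refuses to ship source maps, env files, keys or an .npmrc; the package name, the `DENY_RULES` and the sample file list are constructed for this example.

```javascript
// Pre-publish gate: inspect the paths npm would put in the tarball and
// flag artifacts that must never be published. Hypothetical helper for
// this article, not Anthropic's tooling. In CI the input would be the
// parsed output of `npm pack --dry-run --json`; here it is constructed.

// Deny rules, each a RegExp tested against the tarball-relative path.
const DENY_RULES = [
  { name: 'source map', re: /\.map$/i },
  { name: 'env file', re: /(^|\/)\.env(\..+)?$/ },
  { name: 'private key', re: /\.(pem|key)$/i },
  { name: 'npm auth config', re: /(^|\/)\.npmrc$/ },
];

// Return every packed path that matches a deny rule, with the reason.
function findForbiddenFiles(paths, rules = DENY_RULES) {
  const hits = [];
  for (const p of paths) {
    const rule = rules.find((r) => r.re.test(p));
    if (rule) hits.push({ path: p, reason: rule.name });
  }
  return hits;
}

// `npm pack --json` prints an array with one entry per package; each entry
// carries a `files` list of { path, size, mode } objects. Pull out the paths.
function pathsFromNpmPackJson(packJson) {
  return packJson.flatMap((pkg) => pkg.files.map((f) => f.path));
}

// Constructed sample: a package that forgot to exclude its build artifacts.
const SAMPLE_PACK_JSON = [{
  name: 'example-cli',
  files: [
    { path: 'package.json' },
    { path: 'cli.js' },
    { path: 'cli.js.map' },
    { path: '.env.production' },
    { path: 'README.md' },
  ],
}];

// Run the gate over the sample and return the violations (empty = OK to publish).
function checkSample() {
  const hits = findForbiddenFiles(pathsFromNpmPackJson(SAMPLE_PACK_JSON));
  for (const h of hits) console.error(`refusing to publish: ${h.path} (${h.reason})`);
  return hits;
}
```

Wiring `checkSample`-style logic into a `prepublishOnly` script and exiting non-zero on any hit blocks the release before the tarball leaves the build machine; an allowlist via the package.json `files` field is the complementary control.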
For developers using Anthropic's tools, the exposure is largely academic. The source code itself doesn't compromise authentication or enable attacks; the real impact is competitive, since Anthropic's roadmap, architectural decisions, and capability timelines are now public. This information might influence competitor strategies and developer expectations for feature releases.