Anthropic Claude Code Leak

Introduction

On March 31, 2026, Anthropic accidentally exposed the full source code of Claude Code (its flagship terminal-based AI coding agent) through a 59.8 MB JavaScript source map (.map) file bundled in the public npm package @anthropic-ai/claude-code version 2.1.88. A security researcher, Chaofan Shou (@Fried_rice), publicly disclosed Anthropic’s leak on X, which triggered an immediate viral response. The leaked file contained approximately 513,000 lines of unobfuscated TypeScript across 1,906 files, revealing the complete client-side agent harness, according to online publications. Within hours, the codebase was downloaded from Anthropic’s own Cloudflare R2 bucket, mirrored to GitHub, and forked tens of thousands of times. Thousands of developers, researchers, and threat actors are actively analyzing, forking, porting to Rust/Python and redistributing it. Some of the GitHub repositories have gained over 84,000 stars and 82,000 forks. Anthropic has issued Digital Millennium Copyright Act (DMCA) notices on some mirrors, but the code is now available across hundreds of public repositories.

In addition to discussing the Anthropic leak, this blog post also covers a “Claude Code leak” lure delivering Vidar and Ghostsocks malware that was discovered and analyzed by the Zscaler ThreatLabz team.

Recommendations

- Implement Zero Trust architecture and prioritize segmenting mission-critical application access.
- Do not download, fork, build, or run code from any GitHub repository claiming to be the “leaked Claude Code.” Verify every source against Anthropic’s official channels only.
- Educate developers that leaked code is not “open source”. It remains proprietary and dangerous to run unmodified.
- Avoid running AI agents with local shell/tool access on untrusted codebases.
- Monitor for anomalous telemetry or outbound connections from developer workstations.
- Use official channels and signed binaries only.
- Scan local environments and Git clones for suspicious processes, modified hooks, or unexpected npm packages, and wait for a cool-down period before using the latest npm packages.
- Watch for Anthropic patches addressing newly exposed paths.

Background

Claude Code is Anthropic’s official AI-powered coding CLI/agent that delegates tasks directly in the terminal, using hooks, background agents, autonomous daemons, and local execution capabilities. The leak stemmed from a packaging error where Bun (the runtime used) generated a full source map by default, and *.map was not excluded in .npmignore or the files field of package.json. The map file referenced a complete ZIP of the original TypeScript sources hosted on Anthropic’s infrastructure.

Components Exposed

- Agent orchestration: LLM API calls, streaming, tool-call loops, retry logic, thinking/review modes, multi-agent coordination.
- Permission and execution layer: Claude Code hooks (auto-executing shell commands/scripts), Model Context Protocol (MCP) integrations, environment variable handling, project-load flows.
- Memory and state: Persistent memory systems, background agents/autonomous daemons.
- Security-related internals: Telemetry analysis, encryption tools, inter-process communication (IPC), OAuth flows, permission logic.
- Hidden/restricted features: 44 feature flags (20+ unshipped), internal API design, system prompts.
- Build and dependency details: Exact npm handling, local execution paths.
- Not exposed: Model weights, safety pipelines, or user data.

Potential Misuse and Security Risks

The heavy sharing on GitHub (thousands of forks, stars, and mirrors by developers worldwide) turns this into a vector for abuse.
Key risks include:

- Supply chain attacks via malicious forks and mirrors: Thousands of repositories now host the leaked code or derivatives. Threat actors can (and already are) seeding trojanized versions with backdoors, data exfiltrators, or cryptominers. Unsuspecting users cloning “official-looking” forks risk immediate compromise.
- Amplified exploitation of known vulnerabilities and discovery of new vulnerabilities: Pre-existing flaws (e.g., CVE-2025-59536, CVE-2026-21852, RCE and API key exfiltration via malicious repo configs, hooks, MCP servers, and env vars) are now far easier to weaponize. Threat actors with full source visibility can craft precise malicious repositories or project files that trigger arbitrary shell execution or credential theft simply by cloning/opening an untrusted repo. The exposed hook and permission logic makes silent device takeover more reliable.
- Local environment and developer workstation compromise: Users building or running the leaked code locally introduce unvetted dependencies and execution paths. The leak coincided exactly with a separate malicious Axios npm supply chain attack (RATs published March 31, 00:21–03:29 UTC), creating a perfect storm for anyone updating Claude Code via npm that day.

ThreatLabz discovers “Claude Code leak” lure that distributes Vidar and GhostSocks

While monitoring GitHub for threats, ThreatLabz came across a “Claude Code
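The packaging failure described under Background (a source map shipped because *.map was neither excluded in .npmignore nor kept out by a files whitelist in package.json) and the cool-down recommendation above can both be turned into a pre-publish / pre-install check. The script below is an added example written for this post; it is not code from the article, from Anthropic, or from Zscaler. The toy package layout, the source-map contents and the registry metadata are constructed inline, and the handling of the files whitelist and .npmignore approximates npm's rules rather than reproducing them exactly.

```python
"""Added example, not from the article: two defender-side checks.

1. find_leaky_source_maps: find .map files that would ship in an npm
   package and that embed (`sourcesContent`) or point at (absolute URLs in
   `sources`) the original sources.
2. versions_past_cooldown: given a registry document whose `time` object maps
   version -> publish timestamp, list only versions older than a cool-down.
All inputs below are constructed for the demo.
"""
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from pathlib import Path


def find_leaky_source_maps(pkg_dir):
    """Return shipped .map files under pkg_dir that expose original sources."""
    pkg_dir = Path(pkg_dir)
    manifest = json.loads((pkg_dir / "package.json").read_text())
    whitelist = manifest.get("files")  # None means npm ships everything not ignored
    ignore_patterns = []
    ignore_file = pkg_dir / ".npmignore"
    if ignore_file.exists():
        ignore_patterns = [ln.strip() for ln in ignore_file.read_text().splitlines()
                           if ln.strip() and not ln.startswith("#")]

    def shipped(rel):
        # Approximation of npm's rules (assumption, not npm's exact algorithm):
        # a `files` whitelist restricts what ships, then .npmignore removes files.
        if whitelist is not None and not any(
                rel == w or rel.startswith(w.rstrip("/") + "/") or fnmatch(rel, w)
                for w in whitelist):
            return False
        return not any(fnmatch(rel, p) or fnmatch(os.path.basename(rel), p)
                       for p in ignore_patterns)

    findings = []
    for path in pkg_dir.rglob("*.map"):
        if not path.is_file():
            continue
        rel = path.relative_to(pkg_dir).as_posix()
        if not shipped(rel):
            continue
        try:
            sm = json.loads(path.read_text())
        except ValueError:
            continue  # not a JSON source map; nothing to leak
        embeds = bool(sm.get("sourcesContent"))
        remote = [s for s in sm.get("sources", [])
                  if s.startswith(("http://", "https://"))]
        if embeds or remote:
            findings.append({"file": rel, "embeds_sources": embeds,
                             "remote_sources": remote,
                             "size_mb": round(path.stat().st_size / 1e6, 3)})
    return findings


def versions_past_cooldown(registry_doc, now, cooldown_days=7):
    """Versions whose publish time is at least cooldown_days before `now`."""
    allowed = []
    for version, stamp in registry_doc.get("time", {}).items():
        if version in ("created", "modified"):  # bookkeeping keys, not versions
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if now - published >= timedelta(days=cooldown_days):
            allowed.append(version)
    return sorted(allowed, key=lambda v: tuple(
        int(p) if p.isdigit() else 0 for p in v.split(".")))


def build_demo_package(root):
    """Constructed toy package reproducing the leak pattern: a bundle plus a
    full source map, no `files` whitelist and no .npmignore."""
    root = Path(root)
    (root / "dist").mkdir(parents=True)
    (root / "package.json").write_text(json.dumps({"name": "demo-cli", "version": "0.0.1"}))
    (root / "dist" / "cli.js").write_text("console.log('hi');\n")
    (root / "dist" / "cli.js.map").write_text(json.dumps({
        "version": 3, "sources": ["../src/cli.ts"],
        "sourcesContent": ["export const internalOnly = true;\n"], "mappings": "AAAA"}))
    return root


def run_demo():
    """Exercise both checks on constructed data and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_demo_package(tmp)
        before = find_leaky_source_maps(pkg)
        # The fix the post points at: exclude *.map via .npmignore
        # (a `files` whitelist in package.json would work as well).
        (pkg / ".npmignore").write_text("*.map\n")
        after = find_leaky_source_maps(pkg)
    registry_doc = {  # constructed; shaped like the npm registry's `time` object
        "time": {"created": "2026-01-01T00:00:00.000Z",
                 "1.0.0": "2026-03-01T00:00:00.000Z",
                 "1.0.1": "2026-03-20T00:00:00.000Z",
                 "1.0.2": "2026-03-31T08:00:00.000Z",
                 "modified": "2026-03-31T08:00:00.000Z"}}
    now = datetime(2026, 4, 1, tzinfo=timezone.utc)
    return {"leaky_before_fix": [f["file"] for f in before],
            "leaky_after_fix": [f["file"] for f in after],
            "installable": versions_past_cooldown(registry_doc, now, cooldown_days=7)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice, run find_leaky_source_maps against the directory you get by extracting the tarball that `npm pack` produces, which is exactly what would be published, and feed versions_past_cooldown the JSON the registry returns for the package name before pinning a version; a freshly published version that has not aged past the cool-down is the one the recommendation above says to wait on.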

[…]

This article has been indexed from Security Boulevard
