Anthropic's Claude Code source leak: Difference between revisions
m irrelevant? |
m Moved tag to top of page. |
||
| Line 1: | Line 1: | ||
{{Irrelevant|no consumer rights implications}} | |||
{{IncidentCargo | {{IncidentCargo | ||
|Company=Anthropic | |Company=Anthropic | ||
| Line 24: | Line 25: | ||
Anthropic walked back on the takedown requests due to accidental deletion of legitimate repositories.<ref>{{cite web |first=Boris |last=Cherny |website=X |title=Unintentional takedowns comment |url=https://x.com/bcherny/status/2039426466094731289 |date=1 Apr 2026}}</ref> | Anthropic walked back on the takedown requests due to accidental deletion of legitimate repositories.<ref>{{cite web |first=Boris |last=Cherny |website=X |title=Unintentional takedowns comment |url=https://x.com/bcherny/status/2039426466094731289 |date=1 Apr 2026}}</ref> | ||
<blockquote>The repo named in the notice was part of a fork network connected to our own public Claude Code repo, so the takedown reached more repositories than intended [...] We retracted the notice for everything except the one repo we named, and GitHub has restored access to the affected forks.</blockquote> | <blockquote>The repo named in the notice was part of a fork network connected to our own public Claude Code repo, so the takedown reached more repositories than intended [...] We retracted the notice for everything except the one repo we named, and GitHub has restored access to the affected forks.</blockquote> | ||
==References== | ==References== | ||
Latest revision as of 03:49, 28 May 2026
⚠️This article's relevance is under review. It does not appear to be in-scope for the wiki.
#appeals channel in either Zulip or Discord to request removal. Discussions of this article's relevancy should take place on its talk page. You can help establish relevance by showing how the issue represents either large-scale consumer exploitation (systemic practices, recurring incidents, etc.) or a case of 'modern' consumer rights issues such as privacy violations, barriers to repair, or ownership rights, in line with the Mission statement and Moderator Guidelines.
The proprietary source code of Anthropic’s Claude Code command-line tool was unintentionally exposed in a source map file inside their npm package.
Claude Code map file references the source code
On 31 March 2026, the proprietary source code of Anthropic’s Claude Code command-line tool was unintentionally exposed when version 2.1.88 of the npm package '@anthropic-ai/claude-code' was released with a source map file, 'cli.js.map', referencing the fully unobfuscated TypeScript source code, downloadable as a zip from Anthropic's R2 storage bucket. The leak was identified by Chaofan Shou, a security researcher at Solayer Labs.[1] The leak totaled approximately 1900 files and 512000 lines of code for their terminal GUI and included a draft blog post that detailed upcoming models named "Mythos" and "Capybara".
Copies of the source code spread rapidly through mirrors and forks on GitHub and other coding platforms, which prompted Anthropic to file takedown requests.
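A release gate for the packaging failure described in this section, as an added example that is not Anthropic's code or part of the original article: it scans the files about to be published for source maps and `sourceMappingURL` comments. The function names, finding labels and sample package contents are assumptions constructed for illustration.

```javascript
// Added example (not from the article): audit files about to be published to
// npm for shipped source maps. `files` maps package-relative path -> text.
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=([^\s*]+)/g;
const isRemote = (s) => /^https?:\/\//i.test(String(s));
function auditMap(path, text) {
  let map;
  try { map = JSON.parse(text); } catch { map = null; }
  if (map === null || typeof map !== 'object') return [{ path, issue: 'unparseable-map' }];
  // An index map nests ordinary maps under sections[].map.
  const maps = Array.isArray(map.sections)
    ? map.sections.map((s) => s && s.map).filter(Boolean) : [map];
  return maps.map((m) => {
    const sources = Array.isArray(m.sources) ? m.sources : [];
    const contents = Array.isArray(m.sourcesContent) ? m.sourcesContent : [];
    const embedded = contents.filter((c) => typeof c === 'string').length;
    return {
      path,
      // Embedded text ships the original source inside the package itself;
      // otherwise the map still names where the original files live.
      issue: embedded > 0 ? 'map-embeds-source' : 'map-references-source',
      sources: sources.length,
      embedded,
      remote: sources.filter((s) => isRemote(s) || isRemote(m.sourceRoot)).length,
    };
  });
}

function auditPackageFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('.map')) {
      findings.push(...auditMap(path, text));
    } else if (/\.[cm]?js$/.test(path)) {
      for (const m of text.matchAll(MAP_COMMENT)) {
        const inline = m[1].startsWith('data:');
        findings.push({ path, issue: inline ? 'inline-map' : 'map-comment',
          target: inline ? 'data: URI' : m[1] });
      }
    }
  }
  return findings;
}

// Constructed sample package contents (not the real package).
const SAMPLE_PACKAGE = {
  'cli.js': 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': JSON.stringify({ version: 3, sources: ['../src/main.ts',
    'https://storage.example.invalid/src/util.ts'], sourcesContent: ['let x = 1;', null], mappings: '' }),
};
console.log(auditPackageFiles(SAMPLE_PACKAGE));
```

A publish step can fail the release whenever the returned list is non-empty, unless a map is explicitly allowlisted.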
Anthropic's response
Anthropic emailed a statement on the same day as the incident, categorizing it as human error and not a security breach.[2]
Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed [...] This was a release packaging issue caused by human error, not a security breach.
On 1 April 2026, GitHub reported[3] that Anthropic's takedown request was executed against 8100 repositories, including legitimate forks of Anthropic's public repositories.[4][5] Anthropic walked back the takedown requests due to accidental deletion of legitimate repositories.[6]
The repo named in the notice was part of a fork network connected to our own public Claude Code repo, so the takedown reached more repositories than intended [...] We retracted the notice for everything except the one repo we named, and GitHub has restored access to the affected forks.
References
1. Shou, Chaofan (31 Mar 2026). "Claude code source code has been leaked via a map file in their npm registry!". X. Archived from the original on 2026-05-27.
2. Ghaffary, Shirin; Anderson, Mark (1 Apr 2026). "Anthropic accidentally leaked thousands of lines of code". Archived from the original on 2026-04-01.
3. "2026-03-31-anthropic.md". GitHub. 2026-03-31. Archived from the original on 2026-04-01.
4. Fernholz, Tim (1 Apr 2026). "Anthropic took down thousands of GitHub repos trying to yank its leaked source code — a move the company says was an accident". TechCrunch. Archived from the original on 2026-04-01.
5. McLaws, Robert (1 Apr 2026). "Illegitimate DMCA Takedown". X.
6. Cherny, Boris (1 Apr 2026). "Unintentional takedowns comment". X.