Anthropic's Claude Code source leak: Difference between revisions
created page |
content added |
||
| Line 6: | Line 6: | ||
|ArticleType=Product | |ArticleType=Product | ||
|Type=Source Code, Artificial Intelligence | |Type=Source Code, Artificial Intelligence | ||
|Description= | |Description=Source code leak | ||
}} | }} | ||
The proprietary source code of Anthropic’s Claude Code command-line tool was unintentionally exposed in a source map file inside their npm package. | |||
=== | ==Claude Code map file references the source code== | ||
On 31 March 2026, the proprietary source code of Anthropic’s Claude Code command-line tool was unintentionally exposed after version 2.1.88 of the npm package '@anthropic-ai/claude-code' which was released with a source map file 'cli.js.map' referencing the fully unobfuscated TypeScript source code, downloadable as a zip from Anthropic's R2 storage bucket. The leak was identified by Chaofan Shou, security researcher at Solayer Labs.<ref>{{cite web |first=Chaofan |last=Shou |website=X |title=Claude code source code has been leaked via a map file in their npm registry! |url=https://x.com/Fried_rice/status/2038894956459290963 |date=31 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260527101141/https://nitter.catsarch.com/Fried_rice/status/2038894956459290963#m |archive-date=2026-05-27}}</ref> | |||
The leak totaled approximately to 1900 files and 512000 lines of code or their terminal GUI and included a draft blog post that detailed upcoming models named "Mythos" and "Capybara". | |||
Copies of the source code have spread rapidly through mirrors and forks on [[GitHub]] and other coding platforms which prompted Anthropic to file takedown requests. | |||
== | ===Anthropic's response=== | ||
{{ | Anthropic emailed a statement on the same day of the incident, categorizing the incident as human error and not a security breach.<ref>{{cite web |first=Shirin |last=Ghaffary |first2=Mark |last2=Anderson |title=Anthropic accidentally leaked thousands of lines of code |url=https://www.latimes.com/business/story/2026-04-01/anthropic-accidentally-leaked-thousands-of-lines-of-code |date=1 Apr 2026 |archive-url=https://web.archive.org/web/20260401185132/https://www.latimes.com/business/story/2026-04-01/anthropic-accidentally-leaked-thousands-of-lines-of-code |archive-date=2026-04-01}}</ref> | ||
<blockquote>Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed [...] This was a release packaging issue caused by human error, not a security breach.</blockquote> | |||
== | |||
On 1 April 2026, GitHub reported<ref>{{cite web |website=[[GitHub]] |title=2026-03-31-anthropic.md |url=https://github.com/github/dmca/blob/master/2026/03/2026-03-31-anthropic.md |url-status=live |date=2026-03-31 |archive-url=https://web.archive.org/web/20260401010452/https://github.com/github/dmca/blob/master/2026/03/2026-03-31-anthropic.md |archive-date=2026-04-01}}</ref> that Anthropic's takedown request was executed against 8100 repositories, including legitimate forks of Anthropic's public repositories.<ref>{{cite web |website=TechCrunch |first=Tim |last=Fernholz |title=Anthropic took down thousands of GitHub repos trying to yank its leaked source code — a move the company says was an accident |url=https://techcrunch.com/2026/04/01/anthropic-took-down-thousands-of-github-repos-trying-to-yank-its-leaked-source-code-a-move-the-company-says-was-an-accident/ |url-status=live |date=1 Apr 2026 |archive-url=https://web.archive.org/web/20260401222629/https://techcrunch.com/2026/04/01/anthropic-took-down-thousands-of-github-repos-trying-to-yank-its-leaked-source-code-a-move-the-company-says-was-an-accident/ |archive-date=2026-04-01}}</ref><ref>{{cite web |website=X |first=Robert |last=McLaws |title=Illegitimate DMCA Takedown |url=https://x.com/robertmclaws/status/2039129333428871463 |url-status=live |date=1 Apr 2026}}</ref> | |||
Anthropic walked back on the takedown requests due to accidental deletion of legitimate repositories.<ref>{{cite web |first=Boris |last=Cherny |website=X |title=Unintentional takedowns comment |url=https://x.com/bcherny/status/2039426466094731289 |date=1 Apr 2026}}</ref> | |||
<blockquote>The repo named in the notice was part of a fork network connected to our own public Claude Code repo, so the takedown reached more repositories than intended [...] We retracted the notice for everything except the one repo we named, and GitHub has restored access to the affected forks.</blockquote> | |||
==References== | ==References== | ||
{{reflist}} | {{reflist}} | ||
==See Also== | |||
*[[Anthropic]] | |||
*[[ChatGPT]] | |||
*[[Google Gemini]] | |||
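Review bot: in the incident paragraph, the added sentence "The leak totaled approximately to 1900 files and 512000 lines of code or their terminal GUI" has a stray "to", and "or" where "of" or "for" seems intended. It should be reworded so the scope of the leak reads unambiguously. In the takedown paragraph, the McLaws citation sets url-status=live without an archive-url, and the Cherny citation has neither field, while the other four citations are archived. Adding archive-url and archive-date to both would make the references consistent and keep them verifiable if the X posts are removed.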
Revision as of 11:13, 27 May 2026
The proprietary source code of Anthropic’s Claude Code command-line tool was unintentionally exposed in a source map file inside their npm package.
Claude Code map file references the source code
On 31 March 2026, the proprietary source code of Anthropic’s Claude Code command-line tool was unintentionally exposed after version 2.1.88 of the npm package '@anthropic-ai/claude-code' was released with a source map file, 'cli.js.map', referencing the fully unobfuscated TypeScript source code, downloadable as a zip from Anthropic's R2 storage bucket. The leak was identified by Chaofan Shou, security researcher at Solayer Labs.[1] The leak totaled approximately 1900 files and 512000 lines of code for their terminal GUI and included a draft blog post that detailed upcoming models named "Mythos" and "Capybara".
Copies of the source code spread rapidly through mirrors and forks on GitHub and other coding platforms, which prompted Anthropic to file takedown requests.
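A pre-publish check for the packaging failure described above, added here as an example (it is not code from Anthropic or from the sources cited in this article). It goes beyond the case in the text by also flagging maps with embedded `sourcesContent` and inline `data:` maps; the function names, the sample file names and the `storage.example` URL are assumptions made for illustration.

```javascript
// Added example: pre-publish audit for source map exposure in a package's files.
// `files` is an array of [path, text] pairs, e.g. read from the unpacked tarball.
const MAP_REF = /\/\/[#@]\s*sourceMappingURL=(\S+)/g;

function inspectMap(path, text) {
  let map = null;
  try { map = JSON.parse(text); } catch { /* handled below */ }
  if (map === null || typeof map !== 'object') return [{ path, issue: 'unparseable-map' }];
  // Index maps nest ordinary maps under sections[].map; inspect each one.
  const maps = Array.isArray(map.sections) ? map.sections.map(s => s.map).filter(Boolean) : [map];
  const findings = [];
  for (const m of maps) {
    const sources = Array.isArray(m.sources) ? m.sources : [];
    const contents = Array.isArray(m.sourcesContent) ? m.sourcesContent : [];
    // sourcesContent carries the original files verbatim inside the map.
    const embedded = contents.filter(c => typeof c === 'string').length;
    // Otherwise the map may still say where the originals can be fetched.
    const remote = sources.filter(s => /^https?:\/\//i.test((m.sourceRoot || '') + s)).length;
    if (embedded) findings.push({ path, issue: 'embedded-sources', count: embedded });
    if (remote) findings.push({ path, issue: 'remote-sources', count: remote });
    if (!embedded && !remote && sources.length)
      findings.push({ path, issue: 'source-paths-disclosed', count: sources.length });
  }
  return findings;
}

function auditPackage(files) {
  const findings = [];
  for (const [path, text] of files) {
    if (path.endsWith('.map')) { findings.push(...inspectMap(path, text)); continue; }
    if (!/\.[cm]?js$/.test(path)) continue;
    for (const [, ref] of text.matchAll(MAP_REF)) {
      const b64 = ref.startsWith('data:') ? ref.split('base64,')[1] : null;
      if (b64) // inline map: decode it and inspect it like a .map file
        findings.push(...inspectMap(path + ' (inline)', Buffer.from(b64, 'base64').toString('utf8')));
      else findings.push({ path, issue: 'map-reference', ref });
    }
  }
  return findings;
}

// Constructed sample package: names, URL and contents are made up for this example.
const SAMPLE = [
  ['package.json', '{"name":"example-cli","version":"0.0.0"}'],
  ['dist/cli.js', 'console.log(1);\n//# sourceMappingURL=cli.js.map\n'],
  ['dist/cli.js.map', JSON.stringify({ version: 3, mappings: '',
    sources: ['../src/main.ts', 'https://storage.example/src/util.ts'],
    sourcesContent: ['export const x = 1;', null] })],
];
console.log(auditPackage(SAMPLE));
```

Run it over the files listed by `npm pack --dry-run` and fail the release job when the result is non-empty.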
Anthropic's response
Anthropic emailed a statement on the day of the incident, categorizing it as human error and not a security breach.[2]
Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed [...] This was a release packaging issue caused by human error, not a security breach.
On 1 April 2026, GitHub reported[3] that Anthropic's takedown request was executed against 8100 repositories, including legitimate forks of Anthropic's public repositories.[4][5] Anthropic walked back the takedown requests due to the accidental deletion of legitimate repositories.[6]
The repo named in the notice was part of a fork network connected to our own public Claude Code repo, so the takedown reached more repositories than intended [...] We retracted the notice for everything except the one repo we named, and GitHub has restored access to the affected forks.
References
1. Shou, Chaofan (31 Mar 2026). "Claude code source code has been leaked via a map file in their npm registry!". X. Archived from the original on 2026-05-27.
2. Ghaffary, Shirin; Anderson, Mark (1 Apr 2026). "Anthropic accidentally leaked thousands of lines of code". Archived from the original on 2026-04-01.
3. "2026-03-31-anthropic.md". GitHub. 2026-03-31. Archived from the original on 2026-04-01.
4. Fernholz, Tim (1 Apr 2026). "Anthropic took down thousands of GitHub repos trying to yank its leaked source code — a move the company says was an accident". TechCrunch. Archived from the original on 2026-04-01.
5. McLaws, Robert (1 Apr 2026). "Illegitimate DMCA Takedown". X.
6. Cherny, Boris (1 Apr 2026). "Unintentional takedowns comment". X.