Anthropic Leaked Its Own Claude Code Source Twice in One Week

Anthropic accidentally leaked 512,000 lines of Claude Code source code via npm, its second security lapse in one week after exposing an unreleased model.

Anthropic Leaked Its Own Claude Code Source Twice in One Week Anthropic accidentally leaked 512,000 lines of Claude Code source code via npm, its second security lapse in one week after exposing an unreleased model. Aaron Rafferty April 02, 2026 Key Takeaways: Anthropic accidentally exposed 512,000 lines of Claude Code source code across roughly 1,900 TypeScript files via a misconfigured npm package release on March 31. The leak came days after a separate lapse exposed details of an unreleased model codenamed Mythos/Capybara, which Anthropic is withholding due to unprecedented cybersecurity capabilities. Attackers launched typosquatting and supply chain attacks within hours of the exposure, and a Chinese state-sponsored group had already exploited Claude Code against approximately 30 organizations. Anthropic accidentally published the full source code for Claude Code, its AI-powered coding assistant, via a misconfigured npm package on March 31 . The leak exposed roughly 512,000 lines of TypeScript code across approximately 1,900 files, revealing the tool's complete architecture, unreleased features, and internal model performance data. Within hours, the codebase was mirrored across GitHub and accumulated more than 25,000 stars. This was Anthropic's second security lapse in one week. Days earlier, Fortune reported the company left close to 3,000 files publicly accessible in an unsecured data store, including a draft blog post detailing an unreleased model known internally as Mythos and Capybara. That model is described as a new tier above the current Opus, with what Anthropic called unprecedented cybersecurity capabilities. The company is deliberately withholding it. "No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson t