On March 31, 2026, a 59.8 MB JavaScript source map shipped inside the npm package @anthropic-ai/claude-code version 2.1.88. It contained 513,000 lines of unobfuscated TypeScript across 1,906 files — Anthropic's full Claude Code agent architecture, published by accident.
What Happened
A Bun packaging error combined with a missing .npmignore file caused the source map to be included in the published npm package. Security researcher Chaofan Shou discovered and posted about it on X. Within hours, the source was mirrored to GitHub and forked tens of thousands of times.
The CVEs
Two CVEs were assigned:
- CVE-2025-59536 — Remote code execution via malicious repository configs
- CVE-2026-21852 — API key exfiltration through hooks and MCP (Model Context Protocol) servers
The leak exposed exact orchestration logic, making these exploits trivially reproducible by attackers who studied the source.
The Same-Day Supply Chain Attack
In a coincidence that made an already bad day worse, the axios npm package was trojaned with a Remote Access Trojan (RAT) between 00:21 and 03:29 UTC on March 31 — hours before the Claude Code leak became public. If your CI/CD ran npm install during that window, you may have pulled a compromised version of axios alongside Claude Code.
What You Should Do Now
- Audit your npm install logs for March 31 — check what versions were pulled
- Check for axios RAT indicators — the trojaned version was active for ~3 hours
- Scan repos used with Claude Code — hooks and MCP server configurations are the primary attack surface
- Update to the latest Claude Code version — the source map has been removed
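The first two audit steps above, as an added Python example that is not part of the original post: it flags CI log entries whose `npm install` or `npm ci` ran inside the 00:21 to 03:29 UTC window on March 31 and lists every resolved axios version in a package-lock.json (nested copies included) for comparison against the advisory. The log line layout, job names and lockfile versions are constructed assumptions.

```python
from datetime import datetime, timezone
import json
import re

# Window stated in the post: axios was trojaned 00:21-03:29 UTC on 2026-03-31.
WINDOW_START = datetime(2026, 3, 31, 0, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 31, 3, 29, tzinfo=timezone.utc)

# Constructed CI log lines; the "<ISO-8601 UTC> [<job>] <command>" layout is an assumption.
SAMPLE_LOG = """\
2026-03-30T23:58:10Z [build-17] npm install
2026-03-31T01:12:45Z [build-18] npm install
2026-03-31T02:05:03Z [build-19] npm ci
2026-03-31T02:30:00Z [build-20] pytest -q
2026-03-31T04:40:22Z [build-21] npm install
"""
# Constructed package-lock.json (lockfile v3 layout); the versions are placeholders.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/axios": {"version": "X.Y.Z-PLACEHOLDER"},
    "node_modules/some-dep/node_modules/axios": {"version": "A.B.C-PLACEHOLDER"},
}})

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\[(?P<job>[^\]]+)\]\s+(?P<cmd>.*)$")
INSTALL_CMDS = ("npm install", "npm ci")

def parse_ts(ts: str) -> datetime:
    """Parse a Z-suffixed ISO-8601 timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def flag_installs(log_text: str) -> list[str]:
    """Return job ids whose npm install/ci started inside the trojan window (inclusive)."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["cmd"].startswith(INSTALL_CMDS):
            if WINDOW_START <= parse_ts(m["ts"]) <= WINDOW_END:
                flagged.append(m["job"])
    return flagged

def resolved_axios_versions(lockfile_text: str) -> dict[str, str]:
    """Map every axios entry in the lockfile, top-level or nested, to its resolved version."""
    packages = json.loads(lockfile_text).get("packages", {})
    return {path: meta.get("version", "?") for path, meta in packages.items()
            if path.split("/")[-2:] == ["node_modules", "axios"]}

if __name__ == "__main__":
    print("installs in window:", flag_installs(SAMPLE_LOG))
    print("axios versions to check against the advisory:", resolved_axios_versions(SAMPLE_LOCK))
```

The post does not give the compromised axios version numbers, so the lockfile output is a list to compare against the advisory, not a verdict.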
Video Breakdown
I put together a detailed breakdown covering the full timeline, what was inside the leaked source, and specific steps for developers:
Sources
- The Hacker News — Claude Code leak via npm (April 2026)
- Zscaler ThreatLabz analysis
- Bloomberg, April 1, 2026
- Axios RAT supply chain attack report
Originally published on EndOfCoding.com. Follow @endofcoding for more AI security analysis.