Explained: The Source Code Leak that hit AI Giant Anthropic

In a significant setback, Anthropic’s flagship coding platform has found itself at the centre of a cybersecurity storm after its internal workings were inadvertently exposed.
The leak of the source code behind Claude Code was not triggered by a malicious attack but by what the company described as a simple “human error”.
Claude Code, Anthropic’s leading AI-powered development tool, is widely used to transform ideas into working applications with minimal manual coding. It forms part of the broader Claude AI ecosystem, which serves more than 300,000 enterprise customers.
The incident effectively handed developers, security researchers and the wider internet a rare window into the architecture of a high-profile AI product.
A post on X containing a live link to the exposed code quickly gained traction, drawing millions of views.
The timing is notable, as the company prepares for a potential IPO expected later this year.
“No sensitive customer data or credentials were involved or exposed,” reads the statement from Anthropic, as reported by CNBC.
“This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”
Source map file triggers Claude Code exposure
Reports surfaced on 31 March that version 2.1.88 of Anthropic’s Claude Code npm package included a source map file.
Typically used for debugging, such files can provide a detailed reference linking compiled code back to its original source. In this case, the file offered a pathway to reconstruct substantial portions of the otherwise private TypeScript codebase.
Within hours, developers began sharing and mirroring elements of the code across GitHub and other public repositories. At the centre of the incident was a 59.8 MB JavaScript source map that had been unintentionally bundled into the public release.
The exposed material relates specifically to the Claude Code command line interface and associated tooling rather than the underlying AI model itself.
From a cybersecurity perspective, the event highlights the risks associated with software packaging and distribution pipelines, where overlooked artefacts can lead to significant intellectual property exposure.
Copyright concerns and AI-driven reuse debate
The code exposure marks the second high-profile incident affecting Anthropic in the same week. In an earlier case, internal or pre-release assets were reportedly left accessible within a public system.
A Fortune report noted: "Anthropic has inadvertently revealed details of an upcoming model release, an exclusive CEO event and other internal data, including images and PDFs, in what appears to be a significant security lapse."
Before the impact of that disclosure had fully settled, the latest incident sparked a broader debate around copyright and AI-assisted development. Online discussions quickly emerged, with some developers claiming to have used AI tools to reinterpret the exposed code into other programming languages.
The legal implications centre on the fact that the underlying TypeScript remains protected intellectual property. While the npm package did not directly include raw source code, the source map enabled its reconstruction.
As a result, any reproduction, redistribution or derivative work – including attempts to translate or rewrite the code using AI – could raise potential copyright infringement issues.
For cybersecurity professionals, the incident underscores a growing challenge at the intersection of software supply chains, intellectual property protection and the evolving capabilities of AI-assisted code generation.