AI Security Breach 🚨 Claude Code Leak! 💥
Tech
🎧
On March 31, 2026, Anthropic reported an accidental leak of the source code for Claude Code, a closed-source project. The leak originated when an update mistakenly included internal source code, specifically a 60 MB file named cli.js.map, containing approximately 1,900 files and 500,000 lines of code. The issue, identified by Chaofan Shou and widely disseminated on platforms like GitHub, stemmed from a release packaging error. Anthropic confirmed that no customer data or credentials were compromised. Following the discovery, the company began issuing DMCA notifications to remove the source code. Simultaneously, investigations revealed a widespread usage bug affecting plans including the Personal and Max tiers, with users reporting rapid usage limit breaches. Anthropic confirmed they were actively investigating the issue, and testing a new “Proactive mode.”
UNEXPECTED SOURCE CODE RELEASE
Anthropic inadvertently released source code for Claude Code, a closed-source application, due to a packaging error during a version 2.1.88 release on NPM. This release included a 60 MB `cli.js.map` file containing the complete source code of the application. The error stemmed from a human error during the release process, not a deliberate security breach. The leaked code represents approximately 1,900 files and 500,000 lines of code, detailing several Claude-exclusive features. The incident was initially spotted by Chaofan Shou (@Fried_rice) and rapidly disseminated across platforms like GitHub and other storage solutions.
CODE ANALYSIS AND COMMUNITY RESPONSE
Following the leak, developers have begun analyzing the Claude Code source code, seeking to uncover undocumented features and understand the application's inner workings. This proactive investigation reflects the typical response within the open-source community, driven by a desire to learn and adapt. The availability of the source code has spurred considerable interest and scrutiny.
RECONSTRUCTION AND LEGAL ACTION
The `cli.js.map` file’s inclusion of the “sourcesContent” field enabled the reconstruction of the entire Claude Code source tree. This highlights the potential risk associated with publicly distributing large map files, which can expose significant portions of the original source code. Anthropic has initiated DMCA infringement notifications to remove the leaked code from various online locations, demonstrating a commitment to addressing the immediate fallout.
NEW FEATURES AND FUNCTIONALITY DISCOVERED
Analysis of the leaked code has revealed several intriguing features within Claude Code. Notably, Anthropic is testing a “Proactive Mode,” where Claude will code for users 24/7. Additionally, a “Dream” mode has been identified, allowing Claude to continuously think, develop ideas, improve plans, and solve problems while the user is away. These discoveries underscore the complexity and potential capabilities of the Claude Code application.
USAGE LIMITS AND SYSTEMIC ISSUES
Users have reported experiencing significantly reduced usage limits within Claude Code, particularly on the Pro and Max plans. Initial observations indicate that usage limits are being exhausted far more quickly than anticipated. Anthropic has confirmed that it’s investigating a bug causing this issue, stating it’s a top priority. This issue is impacting user productivity and access to the application.
INVESTIGATION AND MITIGATION STRATEGIES
Anthropic’s Lydia Hallie confirmed the widespread nature of the usage limit problem, stating the team is actively investigating and committed to providing updates. Automated pentesting and BAS (Baseline Assessment System) are being employed to identify the root cause and develop mitigation strategies. The company’s response highlights a proactive approach to resolving the issue and preventing future occurrences.
This article is AI-synthesized from public sources and may not reflect original reporting.