Claude Code Source Code Leak: 512,000 Lines of TypeScript Exposed

On March 31, 2026, security researcher Chaofan Shou discovered a massive source code leak in the Claude Code npm package. A 60MB source-map file had been inadvertently included in the published package, exposing 1,906 files and approximately 512,000 lines of TypeScript code. The discovery sent shockwaves through the developer community and raised serious questions about supply chain security in the npm ecosystem.

The leaked source code revealed several previously unknown internal features. Most notably, an AutoDream system was uncovered -- a reflective memory pass that runs during idle periods, allowing the AI to consolidate and reorganize its contextual understanding. The code also exposed advanced agent orchestration mechanisms, showing how Claude Code coordinates multiple sub-agents for complex multi-file editing tasks.

Anthropic responded quickly to the incident, issuing a statement within hours confirming that no customer data was exposed and that the leak was limited to internal source code. The company published a patched version of the npm package with the source maps removed. Security teams noted that this was the second significant leak from Anthropic within a year, prompting calls for more rigorous pre-publish checks in their CI/CD pipeline.

The incident highlights a broader industry challenge: as AI-powered developer tools grow more sophisticated, the complexity of their codebases increases the risk of accidental exposure. The community response was mixed -- some praised the transparency the leak provided into how Claude Code works, while others expressed concern about the security implications of exposing internal AI system architectures.