Security
Claude Code npm Leak: Source Maps, IP Risk, and the March 2026 npm Window
TLDR
SignalStack Tech Report · April 1, 2026 · Security / Release Engineering / AI Agents
Why this is on SignalStack: we cover incidents where release process and supply-chain risk collide—here, debug artifacts on a public registry plus the same calendar window as a malware-style npm event. That compound risk is what security and platform teams must ticket separately.
Anthropic’s Claude Code CLI/tooling shipped on npm as @anthropic-ai/claude-code. Version 2.1.88 included a large JavaScript source map (.map) in the public package, which analysts treated as exposing extensive TypeScript-equivalent surface.
Anthropic attributed the issue to a release packaging mistake, not a customer-data breach. March 31, 2026 was also a high-risk day on npm due to an unrelated Axios compromise—treat “npm install that day” as a compound supply-chain review, not one issue. See also our deep dive: Axios npm incident.
What happened
On March 31, 2026, coverage described @anthropic-ai/claude-code@2.1.88 as including a ~59.8 MB .map file. Source maps are commonly used for debugging, but they should not ship in artifacts meant for end users when they can reconstruct or point to unobfuscated source.
Early analyses claimed the map enabled recovery of a very large TypeScript surface area (often described on the order of hundreds of thousands of lines). Unofficial mirrors appeared quickly—typical for high-profile disclosures, whether or not every copy is complete.
Anthropic’s public stance, as reflected in reporting, was that this was a human packaging error and not an incident involving customer data or credentials in the same sense as a database breach.
Why it matters
Commercial and competitive: Claude Code is a major product line. Even when no customer records leak, source disclosure can accelerate competitor feature cloning and reduce differentiation in the AI coding/agent market.
Security research and abuse: Public orchestration logic can help defenders audit behavior—but it can also help attackers craft more convincing repo-level tricks (prompting, tool use, hooks) against users who run agents on untrusted code.
Process trust: This is the kind of mistake teams audit for in release engineering: map files, debug symbols, internal paths, and “debug-only” bundles accidentally published to registries.
Key details at a glance
The list below mixes confirmed packaging facts (version + .map artifact) with claims from third-party analysis of leaked materials. Treat codenames and unreleased features as unverified unless Anthropic publishes them.
- Package/version: @anthropic-ai/claude-code 2.1.88, distributed via npm.
- Artifact: a JavaScript source map (.map) at roughly 59.8 MB, described as enabling TypeScript reconstruction from published outputs.
- Scale: community reporting often cited ~512k lines across ~1,900 files—useful as an order-of-magnitude signal, not a courtroom-exact count.
- Architecture commentary (unverified): leaked-code narratives referenced ideas like a multi-layer memory system, long-session “context” management, and agent orchestration patterns—i.e., the “how” behind an agent product, not end-user chat logs.
- Product/engineering hints (unverified): some writeups mentioned internal codenames, experimental modes, IDE bridge ideas, and runtime choices (e.g., Bun, terminal UI stacks). These can be wrong, incomplete, or outdated even if they appeared in a snapshot.
- Recurrence theme: observers noted Anthropic-related packages have previously been scrutinized for accidentally shipping maps—if true, it strengthens the case for hard gates in CI that block .map publish to npm.
Related: Axios npm incident the same day
On March 31, 2026, a separate npm incident involved malicious Axios releases (commonly cited as 1.14.1 and 0.30.4). That is a different failure mode (malware in a dependency) from accidentally publishing a map file.
If your organization updated JavaScript dependencies broadly on that date, review both:
- whether @anthropic-ai/claude-code@2.1.88 was installed, and
- whether Axios resolved to a bad version in the same window.
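The two-part review above can be run against a package-lock.json (lockfileVersion 2 or 3). This is an added example, not code from Anthropic, npm, or the original report; the version numbers are the ones cited in this article, while the ticket labels and the sample lockfile are constructed for illustration.

```javascript
// Added example: triage a package-lock.json for both incidents, one ticket label each.
// Versions come from the article; ticket names and the sample lockfile are constructed.
const WATCHLIST = [
  { ticket: "map-publish", name: "@anthropic-ai/claude-code", versions: ["2.1.88"] },
  { ticket: "axios-malware", name: "axios", versions: ["1.14.1", "0.30.4"] },
];

// Lockfile keys look like "node_modules/a/node_modules/axios"; the package
// name is whatever follows the last "node_modules/" segment.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

function triageLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!meta || !meta.version) continue;
    // Prefer an explicit name field when the entry carries one.
    const name = meta.name || packageNameFromKey(key);
    for (const w of WATCHLIST) {
      if (w.name === name && w.versions.includes(meta.version)) {
        findings.push({ ticket: w.ticket, name, version: meta.version, path: key });
      }
    }
  }
  return findings;
}

// Constructed sample: a top-level claude-code install and a nested (transitive) axios copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@anthropic-ai/claude-code": { version: "2.1.88" },
    "node_modules/axios": { version: "1.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.30.4" },
  },
};

for (const f of triageLockfile(sampleLock)) {
  console.log(`[${f.ticket}] ${f.name}@${f.version} at ${f.path}`);
}
```

Walking every key in the packages map, rather than only the top-level dependencies, is what surfaces a flagged version pulled in transitively.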
What to do now
For Claude Code users
- Move to a known-safe version per Anthropic guidance (commonly: upgrade past 2.1.88 or pin to an earlier verified release such as 2.1.86, depending on vendor advisories).
- Prefer Anthropic’s native installer if your threat model includes npm supply-chain risk.
- Rotate secrets that could have been present on developer machines running installs (API keys, cloud tokens, SSH keys)—standard hygiene after high-risk supply-chain days.
For engineering orgs
- Add CI checks that fail builds if .map files are present in publish artifacts intended for npm.
- Ensure immutable version pins and lockfile review for release engineering machines.
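One way to build the CI check described above is to inspect the file list that `npm pack --dry-run --json` reports before anything is published. This is an added example, not Anthropic's or npm's tooling; the per-file size budget, the package name, and the sample report are assumptions constructed for illustration.

```javascript
// Added example: gate over the parsed output of `npm pack --dry-run --json`,
// an array with one entry per package, each listing files as { path, size }.
const MAX_FILE_BYTES = 5 * 1024 * 1024; // assumed per-file budget, tune per project

function findDebugArtifacts(packReport) {
  const violations = [];
  for (const pkg of packReport) {
    for (const file of pkg.files || []) {
      const reasons = [];
      // Case-insensitive so CLI.JS.MAP or index.d.ts.map cannot slip through.
      if (/\.map$/i.test(file.path)) reasons.push("source map");
      if (file.size > MAX_FILE_BYTES) reasons.push("over size budget");
      if (reasons.length > 0) {
        violations.push({ pkg: `${pkg.name}@${pkg.version}`, path: file.path, size: file.size, reasons });
      }
    }
  }
  return violations;
}

// Exit status for the CI step: non-zero blocks the publish job.
function gateExitCode(violations) {
  return violations.length === 0 ? 0 : 1;
}

// Constructed sample report (hypothetical package, sizes chosen for illustration).
const sampleReport = [
  {
    name: "@example/agent-cli",
    version: "0.0.0-sample",
    files: [
      { path: "package.json", size: 1200 },
      { path: "cli.js", size: 1800000 },
      { path: "cli.js.map", size: 59800000 },
      { path: "vendor/helper.js", size: 40000 },
    ],
  },
];

const found = findDebugArtifacts(sampleReport);
for (const v of found) {
  console.log(`BLOCK ${v.pkg}: ${v.path} (${v.size} bytes): ${v.reasons.join(", ")}`);
}
console.log(`gate exit code: ${gateExitCode(found)}`);
```

In a pipeline, feed the real dry-run output into `findDebugArtifacts` and set the step's exit status from `gateExitCode`, so the publish job never runs when a map is in the tarball.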
What to watch next
- Vendor remediation — Patch cadence, install guidance, and hard CI gates blocking .map in publish tarballs.
- Ecosystem copycats — Whether agent products converge on similar orchestration patterns after public code visibility.
- npm policy/tooling — Signals for debug artifacts in production packages and registry-level hints.
- Threat use of leaked logic — Repo-level social engineering against Claude Code users on untrusted code.
The SignalStack angle
What we are not doing: treating a .map leak as the same incident class as RAT malware—different controls and IR playbooks. What we are doing: naming the release-engineering failure mode (artifact hygiene) and calendar-clustering risk when teams bulk-update dependencies.
1. IP and competition, not only “security”
Even without customer database exposure, source reconstruction from maps shifts competitive dynamics in AI coding tools. SignalStack’s read: pair technical remediation with explicit assumptions about what rivals can infer from leaked materials.
2. Agent products raise the stakes for accidental transparency
Orchestration logic in the open helps defenders audit—and helps attackers craft targeted repo-level tricks. Teams running agents on untrusted code should re-baseline threat models after high-visibility leaks.
3. The npm window: two incidents, two tickets
Claude Code .map and Axios malware are orthogonal failures; compound review prevents mis-prioritization. Closing metric: time-to-pin safe versions across both stories on affected estates.
Disclaimer: SignalStack synthesizes vendor statements and registry facts; verify Anthropic advisories and npm metadata for your environment.
FAQ
Q Did this leak customer data?
A Per Anthropic’s public framing reported in coverage, the issue was source packaging, not a customer database leak. Still treat developer machines as sensitive.
Q Is a source map leak the same as a supply-chain malware incident?
A No. A .map leak is primarily an IP / reverse-engineering problem. Malicious packages are a different class of risk.
Q Why is the Axios story mentioned here?
A Because the timeline overlaps and teams often update many npm packages at once. You want separate tickets: “bad Axios resolution” vs “accidental map publish.”
Q What is the highest ROI hardening step?
A Automated publishing checks that prevent debug maps and other dev artifacts from entering npm release tarballs.





