Security
Claude Code npm Leak: Source Maps, IP Risk, and the March 2026 npm Window
TLDR
SignalStack Tech Report · April 1, 2026 · Security / Release Engineering / AI Agents
Why this is on SignalStack: we cover incidents where release process and supply-chain risk collide—here, debug artifacts on a public registry plus the same calendar window as a malware-style npm event. That compound risk is what security and platform teams must ticket separately.
Primary links for fact-checking: see Primary sources & security bridge below (patch release, npm packaging docs, Socket on Axios, press analysis).
Anthropic’s Claude Code CLI/tooling shipped on npm as @anthropic-ai/claude-code. Version 2.1.88 included a ~59.8 MB JavaScript source map (e.g. cli.js.map) in the public tarball. Because the map embedded sourcesContent, it was not a harmless “debug pointer”—it enabled unobfuscated TypeScript reconstruction from the bundled CLI: on the order of ~512,000 lines across ~1,900 files in community extraction reports. That is IP and architecture exposure, not a missing readme.
Anthropic attributed the issue to a release packaging mistake, not a customer-data breach. March 31, 2026 was also a high-risk day on npm due to an unrelated Axios compromise—same registry, same rough timeframe, different failure mode (packaging error vs. malicious publish). Treat npm install logs around that date as a compound supply-chain review: correlate @anthropic-ai/claude-code@2.1.88 with axios@1.14.1 / 0.30.4 (and lockfile drift), not as one blended incident. Deep dive (malware / IoCs such as C2 hosts live only there): Axios npm incident — security bridge.
What happened
On March 31, 2026, @anthropic-ai/claude-code@2.1.88 on npm included a ~59.8 MB .map file beside the published bundle. Source maps are normal in development; they become an IP incident when sourcesContent (or equivalent) lets an attacker rehydrate readable TypeScript from the minified/bundled JavaScript—a reconstruction problem, not merely “a big file slipped in.” Source review of Git alone would not show the leak; the exposure lived in the published npm artifact (tarball), the same phantom-surface class of risk as other registry-only mistakes.
Community extraction and mirrors claimed on the order of ~512k lines in ~1,900 TypeScript files—use the counts as order-of-magnitude evidence of breadth, not a court exhibit.
Anthropic’s public stance, as reflected in reporting, was that this was a human packaging error and not an incident involving customer data or credentials in the same sense as a database breach. The patch line 2.1.89 appeared on Anthropic’s public release track (see Primary sources); prefer vendor install guidance over ad-hoc mirrors.
Why it matters
Commercial and competitive: Claude Code is a major product line. Even when no customer records leak, source disclosure can accelerate competitor feature cloning and reduce differentiation in the AI coding/agent market.
Security research and abuse — attack surface reframed: Agent products are not generic libraries. When orchestration, tool routing, hooks, and permission boundaries are visible, attackers can tighten repo-level social engineering: craft malicious repositories or prompt ladders that abuse exact tool names, state transitions, or trust assumptions the agent encodes. Defenders gain auditability; adversaries gain a blueprint for prompt injection and tool misuse—both accelerate after a high-fidelity leak.
Process trust: The incident reads as a missing publish hygiene gate: no enforced npm pack / tarball audit before npm publish, and insufficient package.json files / .npmignore discipline to keep .map artifacts out of consumer packages.
Key details at a glance
| Area | What is known/reported | Why it matters |
|---|---|---|
| Package/version | @anthropic-ai/claude-code@2.1.88 on npm | Defines affected package window for inventory checks |
| Artifact type | Large .map file (~59.8 MB reported) | Can materially increase reverse-engineering surface |
| Exposure scale | Community estimates around ~512k lines / ~1,900 files | Suggests broad code-surface visibility, even if counts vary |
| Breach class | Anthropic framing: packaging error, not customer-data breach | Different IR playbook from malware compromise |
| Engineering hints | Architecture/runtime claims in third-party analysis | Treat as potentially stale/incomplete unless vendor-confirmed |
| Recurrence concern | Prior scrutiny around accidental map shipping discussed | Supports adding hard CI publish gates for debug artifacts |
| Failure-mode contrast | Packaging error (IP leak) vs malware (Axios RAT) | Same npm window; different IR playbooks—do not merge tickets |
Related: Axios npm incident the same day
On March 31, 2026, a separate npm incident involved malicious Axios releases (commonly cited as 1.14.1 and 0.30.4). That is malware insertion via maintainer compromise, not an accidental .map publish. Do not mix IoCs (e.g. C2 endpoints from the Axios story) into Claude Code remediation—keep this section as the cross-reference only.
Compound risk (why logs matter): Both events hit teams that run npm install on the same platform in the same week. Security and platform engineering should cross-check install/CI logs for late March 2026 for:
@anthropic-ai/claude-code@2.1.88(source-map / IP exposure), and- Axios resolving to
1.14.1or0.30.4(treat as compromise until cleared).
Full mechanics and primary vendor links for Axios: Axios npm supply-chain report.
What to do now
For Claude Code users
- Move to a known-safe version per Anthropic guidance (commonly: upgrade past
2.1.88or pin to an earlier verified release such as2.1.86, depending on vendor advisories). - Prefer Anthropic’s native installer if your threat model includes npm supply-chain risk.
- Rotate secrets that could have been present on developer machines running installs (API keys, cloud tokens, SSH keys)—standard hygiene after high-risk supply-chain days.
For engineering orgs (release hygiene)
package.jsonfiles: Prefer an explicit allowlist of what may ship; avoid broad globs that sweepdist/**/*.mapinto the tarball. See npm’sfilesdocumentation..npmignore: Keep.map,*.map, and debug-only trees out of the packed artifact; pair withfiles—either can be wrong alone.npm publish --dry-run(andnpm pack) in CI before publish: fail the job if the file list includes.mapor unexpected paths; archive the manifest as an audit artifact.- Add static checks that fail if
sourcesContent-heavy maps are emitted for consumer builds, or route maps only to private symbol servers.
For security orgs
- Correlate March 30–April 1, 2026
npm/ proxy / SIEM logs: same runner or developer laptop may have pulled Claude Code 2.1.88 and a bad Axios line in one maintenance window—two findings, one calendar cluster.
What to watch next
- Vendor remediation — Patch cadence, install guidance, and hard CI gates blocking
.mapin publish tarballs. - Ecosystem copycats — Whether agent products converge on similar orchestration patterns after public code visibility.
- npm policy/tooling — Signals for debug artifacts in production packages and registry-level hints.
- Threat use of leaked logic — Repo-level social engineering against Claude Code users on untrusted code.
The SignalStack angle
What we are not doing: treating a .map leak as the same incident class as RAT malware—different controls and IR playbooks. What we are doing: naming the release-engineering failure mode (artifact hygiene) and calendar-clustering risk when teams bulk-update dependencies.
1. IP and competition, not only “security”
Even without customer database exposure, source reconstruction from maps shifts competitive dynamics in AI coding tools. SignalStack’s read: pair technical remediation with explicit assumptions about what rivals can infer from leaked materials.
2. Agent products raise the stakes for accidental transparency
Orchestration logic in the open helps defenders audit—and helps attackers craft targeted repo-level tricks. Teams running agents on untrusted code should re-baseline threat models after high-visibility leaks.
3. The npm window: two incidents, two tickets
Claude Code .map and Axios malware are orthogonal failures; compound review prevents mis-prioritization. Packaging error vs. malware is the contrast reviewers (and AdSense-class quality raters) should see clearly: IP reconstruction here, execution on install there.
Closing metric: time-to-pin safe versions and time-to-audit publish tarballs on affected estates.
Disclaimer: SignalStack synthesizes vendor statements and registry facts; verify Anthropic advisories and npm metadata for your environment.
Primary sources & security bridge
Official release artifacts and registry docs first; press and ecosystem analysis labeled accordingly.
- Anthropic engineering — Claude Code v2.1.89 release (patch after 2.1.88): github.com/anthropics/claude-code — v2.1.89 — release notes on the public repo (corporate blog slugs vary; this tag is the durable primary).
- npm Docs —
package.jsonfilesfield (publish allowlisting): package.json — files - npm Docs — keeping files out of the package (
.npmignorepatterns): Developers — keeping files out of your package - Socket.dev — Axios npm supply-chain compromise (ecosystem analysis, same window): Supply chain attack on Axios — malicious dependency — pairs with our SignalStack Axios deep dive for **compound-risk** context.
- Technical write-up — source-map mechanics (secondary analysis): Engineer’s Codex — diving into Claude Code’s source leak — independent walkthrough; verify against vendor/npm.
Bridge to this article: Use the GitHub release for what Anthropic shipped next; use npm docs to implement files, .npmignore, and npm publish --dry-run; use Socket + SignalStack Axios when you brief leadership on two March 2026 npm crises with different root causes. IoCs for Axios (C2 hosts, etc.) belong only in the Axios article—keep Claude Code tickets IP- and hygiene-focused.
FAQ
Q Did this leak customer data?
A Per Anthropic’s public framing reported in coverage, the issue was source packaging, not a customer database leak. Still treat developer machines as sensitive.
Q Is a source map leak the same as a supply-chain malware incident?
A No. A .map leak is primarily an IP / reverse-engineering problem. Malicious packages are a different class of risk.
Q Why is the Axios story mentioned here?
A Because the timeline overlaps and teams often update many npm packages at once. You want separate tickets: “bad Axios resolution” vs “accidental map publish.”
Q What is the highest ROI hardening step?
A Automated publishing checks: run npm pack / npm publish --dry-run in CI, enforce package.json files allowlists, and block .map in consumer tarballs.
Q Should we search npm logs for Axios and Claude Code together?
A Yes, as a correlation exercise on late March 2026 installs—then split remediation: IP / version pin for Claude Code vs compromise IR for bad Axios.
