2026-03
Data Leakage
Anthropic

Anthropic leaked Claude Code's full source via an npm source-map packaging bug

What happened

A packaging mistake shipped a full JavaScript source map inside a public Claude Code npm release because the runtime emitted the map by default and no ignore rule excluded it. The file contained roughly 513,000 lines of unobfuscated TypeScript across about 1,900 files, exposing the agent harness, permission system, unreleased features, and feature flags. The code was mirrored and forked tens of thousands of times within hours.

Impact

The complete client-side codebase and unreleased-feature details spread across hundreds of public repos on 2026-03-31, and opportunists seeded malware-laced clones — though Anthropic said no customer data or credentials were involved.

How this could have been prevented

Excluding source maps from published packages and validating package contents in CI before release would have stopped the accidental disclosure.

Sources

More data leakage incidents

Would runtime governance have caught this?

Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.

Request a demo