
4/4/2026

The Claude Code Leak Is a Wake-Up Call: We Need to Stop Trusting Unofficial GitHub Repos


On March 31st, Anthropic shipped version 2.1.88 of the Claude Code npm package. Buried inside was a source map file that wasn't supposed to be there — a file that contained the complete unobfuscated TypeScript source code for Claude Code. Nearly 2,000 files. Over 512,000 lines of code. Out in the open.

Within 48 hours, threat actors had weaponized the leak. Fake GitHub repositories appeared claiming to offer "enterprise unlocked" versions of Claude Code. Users who downloaded them got Vidar Stealer — malware that harvests credentials, credit card data, browser history, and crypto wallets.

This isn't just a security story. It's a pattern, and developers are increasingly the target.

What Actually Happened

The leak was a packaging error, not a hack. A source map file — the kind normally used to debug minified code — was accidentally included in the npm release. Source maps map minified output back to the original source, and when they are generated with sourcesContent enabled they embed that original source verbatim rather than merely referencing it, which is why this one carried the full TypeScript. Someone noticed, extracted everything, and uploaded it to GitHub.

Security researcher Chaofan Shou flagged it on X. The post got over 28.8 million views. The extracted codebase hit 84,000 GitHub stars and 82,000 forks.

Anthropic confirmed it, saying: "No sensitive customer data or credentials were involved. This was a release packaging issue caused by human error, not a security breach."

What the Leaked Code Revealed

The community tore through the code immediately. Some genuinely fascinating architecture was exposed:

  • Self-healing memory architecture — a system to overcome the model's fixed context window by compacting and managing conversation history across long sessions.
  • Multi-agent orchestration — Claude Code can spawn "sub-agents" or swarms to handle complex tasks in parallel.
  • KAIROS — a feature enabling Claude Code to operate as a persistent background agent that can fix errors and run tasks autonomously, sending push notifications when done.
  • "Dream" mode — allows Claude to think in the background, developing and iterating on ideas continuously.
  • Undercover Mode — a system prompt for making "stealth" contributions to open-source repos. The prompt literally says: "Do not blow your cover."
  • Anti-distillation defenses — controls that inject fake tool definitions into API requests to poison training data if competitors try to scrape Claude Code's outputs.

Fascinating stuff from an engineering perspective. But that's not the scary part.

The Malware Campaign

Within days, malicious GitHub repositories appeared. They looked legitimate — promising the "leaked source code" for Claude Code. But the ZIP archive in the releases section contained ClaudeCode_x64.exe — a Rust-based dropper that deploys:

  • Vidar Stealer v18.7 — harvests account credentials, credit card data, browser history, crypto wallet files, SSH keys, and API tokens
  • GhostSocks — a tool to proxy network traffic through the victim's machine, effectively using your IP as a VPN exit node for further attacks

On top of that, attackers published typosquatted npm packages mimicking internal Claude Code dependency names — audio-capture-napi, color-diff-napi, image-processor-napi, modifiers-napi, and url-handler-napi. Currently empty stubs, but that's how dependency confusion attacks work — squat the name, wait for installs, push a malicious update.

Why Developers Keep Falling for This

The attack vector is simple: FOMO.

A hot AI tool gets leaked. Everyone's talking about it on X. You want to look at the internals, understand how it works, maybe learn something. So you clone a repo that promises the source code. You might even compile it. And just like that, you've compromised your machine.

This isn't new. We've seen the same pattern with:

  • Fake VS Code extensions targeting developers
  • Typosquatted npm/PyPI packages
  • Trojanized GitHub repos posing as popular tools
  • The Axios supply chain attack that hit the same week

Developers have elevated privileges on their machines — SSH keys, AWS credentials, API tokens, database access. We are high-value targets, and most of us don't think about security the way we should.

How to Protect Yourself

  1. Never run executables from unofficial repos. If it's a .exe, .dmg, or binary in a GitHub release — and it's not from the official org — don't touch it. Source code is one thing; pre-built binaries are a minefield.
  2. Check the npm publisher. Before installing any package, verify the publisher. Use npm info <package> to check the maintainer. If it's a fresh account with one package — red flag.
  3. Use lockfiles and audit regularly. Run npm audit regularly. Pin your dependencies. Review diffs when updating.
  4. Rotate your secrets if exposed. If you installed Claude Code via npm on March 31 between 00:21 and 03:29 UTC — you may have pulled a trojanized Axios. Downgrade immediately and rotate all secrets.
  5. Treat your dev machine like a server. You probably have more sensitive credentials on your laptop than half the prod servers you maintain. Act accordingly.
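As an added example tied to the squatted dependency names above and to the lockfile advice in this checklist (not code from the original post), here is an offline audit of a package-lock.json. It assumes a hypothetical list of your organisation's internal package names and a hypothetical private registry host, and flags internal names that resolved from the public registry, packages pulled from an unexpected host, and entries with no integrity hash. The lockfile it runs over is constructed for the demo.

```javascript
// Added example (not from the original post): an offline audit of package-lock.json
// for dependency-confusion symptoms. Assumed inputs: the names your org uses for
// private packages and the registry host those must resolve from (both hypothetical).
const INTERNAL_NAMES = new Set(["audio-capture-napi", "url-handler-napi"]); // hypothetical
const PRIVATE_REGISTRY = "npm.internal.example"; // hypothetical private registry host

// Audit lockfile v2/v3 "packages" entries; returns findings rather than printing them.
function auditLockfile(lock, internal = INTERNAL_NAMES, privateHost = PRIVATE_REGISTRY) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = entry.name || key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    let host = null;
    try { host = entry.resolved ? new URL(entry.resolved).host : null; } catch { host = "invalid"; }
    if (internal.has(name) && host !== privateHost) {
      findings.push({ name, host, reason: "internal package resolved from a public host" });
    } else if (host && host !== "registry.npmjs.org" && host !== privateHost) {
      findings.push({ name, host, reason: "resolved from an unexpected registry host" });
    } else if (entry.resolved && !entry.integrity) {
      findings.push({ name, host, reason: "missing integrity hash" });
    }
  }
  return findings;
}

// Constructed lockfile fragment (not a real project): one clean dependency, one
// internal name pulled from the public registry, one package from an odd mirror.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-constructedPlaceholder==",
    },
    "node_modules/url-handler-napi": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/url-handler-napi/-/url-handler-napi-0.0.1.tgz",
      integrity: "sha512-constructedPlaceholder==",
    },
    "node_modules/some-lib": {
      version: "2.0.0",
      resolved: "https://mirror.example.net/some-lib/-/some-lib-2.0.0.tgz",
    },
  },
};
```

Run it in CI alongside npm audit; the durable fix for the first finding is to publish internal packages under a scope and pin that scope to your private registry in .npmrc.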

The Bigger Picture

As AI security company Straiker pointed out: with Claude Code's internals exposed, attackers can now study exactly how data flows through its context management pipeline and craft payloads designed to persist across sessions — effectively planting a backdoor in your AI assistant.

This is the second major security incident for Anthropic in a single week — they also had internal data exposed via an unsecured CMS, revealing details about an unreleased model.

The lesson is clear: the tools we use every day are only as secure as their supply chain. And as developers, we're the supply chain's weakest link when we let curiosity override caution.

Stay skeptical. Verify everything. And for the love of your AWS credentials, stop cloning random repos and running them.
