Current Status
- Leak occurred March 31, 2026 via npm package version 2.1.88 for Claude Code
- 512,000+ lines of TypeScript across ~1,906 files were exposed via a source map (
cli.js.map) - Anthropic pulled the package and issued 8,000+ copyright takedown requests against GitHub forks
- Developers are actively converting the code to other languages (Rust, Python) to evade DMCA takedowns
- Rep. Josh Gottheimer (D-NJ) sent a letter to CEO Dario Amodei on April 2 raising national security concerns
- Threat actors are weaponizing the leak’s publicity to distribute malware (Vidar stealer, GhostSocks) – active campaign confirmed ongoing as of April 3
- NEW (Apr 2-3): Adversa AI discovered a critical vulnerability in Claude Code: a 50-subcommand threshold that bypasses safety checks entirely. The fix (a tree-sitter parser) exists in the leaked source but is not yet deployed in public builds
- NEW (Apr 3): Enterprise security analysts predict mandatory operational changes: environment isolation, stricter repo permissions, mandatory human review of AI output before production
- NEW (Apr 3): Competing project “Claw Code” accumulated 145,000 GitHub stars in a single day, signaling developer migration risk
- This was Anthropic’s second major security lapse in days, following an earlier accidental exposure of unpublished model documentation
Table of Contents
- What Happened
- Technical Mechanism
- What Was Exposed
- Unreleased Features Revealed
- Security and Privacy Concerns from the Code
- Controversial Discoveries
- Anthropic’s Response
- Community and Competitive Fallout
- Congressional and National Security Response 10a. Critical Vulnerability: 50-Subcommand Safety Bypass 10b. Enterprise Security and Governance Fallout 10c. Active Threat: Malware Exploiting the Leak
- Timeline
- Confidence Assessment
- Open Questions
- Sources
- Update History
- How This Report Was Generated
1. What Happened
On March 31, 2026, Anthropic published version 2.1.88 of the claude-code npm package. The package inadvertently included a JavaScript source map file (cli.js.map) — a debug artifact generated by Bun’s bundler that is normally excluded from production builds via a .npmignore rule. That rule was missing. The source map contained the full, unobfuscated TypeScript source for the Claude Code CLI: 512,000 lines of code across roughly 1,906 files, distributed in a 59.8 MB file.
Security researcher Chaofan Shou discovered it within hours and posted on X: “Claude code source code has been leaked via a map file in their npm registry!” That post accumulated over 28.8 million views. [source: https://thehackernews.com/2026/04/claude-code-tleaked-via-npm-packaging.html]
Anthropic scrambled to pull the package. The code had already been mirrored, forked, and downloaded tens of thousands of times before removal. [source: https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak]
This was the second significant security lapse from Anthropic within days. Earlier that week, unpublished drafts of documents and blog posts about a yet-to-be-announced model had been found in a publicly visible data cache. [source: https://gizmodo.com/source-code-for-anthropics-claude-code-leaks-at-the-exact-wrong-time-2000740379]
2. Technical Mechanism
Claude Code is distributed as a closed-source, obfuscated npm package. Anthropic uses Bun as its bundler. By default, Bun generates source map files (*.js.map) unless explicitly disabled. The missing .npmignore entry meant the source map was bundled alongside the production artifacts and published to the public npm registry.
The source map file is sufficient to fully reconstruct the original TypeScript source code. Anyone who downloaded version 2.1.88 before Anthropic pulled it had the complete codebase. Multiple community members archived and mirrored it immediately.
Irony noted in the community: the leaked code itself contains a system called “Undercover Mode” specifically built to prevent Anthropic’s internal information from leaking. [source: https://github.com/Kuberwastaken/claurst]
3. What Was Exposed
The exposed code covers the full Claude Code CLI client. It does NOT include:
- Model weights
- Server-side safety pipelines
- User data or credentials
- Anthropic’s training infrastructure
What WAS exposed:
- CLI implementation: The full terminal interface, command parsing, output rendering
- Agent orchestration logic: LLM API calls, streaming, tool-call loops, retry mechanisms, multi-agent coordination
- Tool execution layer: Shell command auto-execution, MCP integrations, environment variable handling
- Memory systems: Three-layer indexing (pointers to topic files to transcripts), persistent storage configurations
- Security internals: Telemetry collection scope, encryption, OAuth flows, inter-process communication, permission logic
- System prompts: Internal prompts used to direct the agent’s behavior
- 44 feature flags: Including 20+ for unreleased capabilities
- Internal model codenames: Capybara, Fennec, Numbat, Tengu (see section 4)
[source: https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak]
4. Unreleased Features Revealed
The 44 feature flags in the source included at least 8 fully unreleased features and 20+ total unreleased capabilities. Key ones:
KAIROS: Proactive Background Agent Mode The flagship unreleased feature. KAIROS is a persistent daemon that operates 24/7 without user initiation. It receives periodic “heartbeat” prompts asking whether anything is worth doing right now, then acts autonomously: fixing errors, updating files, responding to messages. It includes:
- Cron scheduling capabilities for timed tasks
- “autoDream” memory consolidation during off-hours
- Push notifications and file delivery tools
- GitHub PR subscription monitoring
- Self-resuming agents with sleep/wake cycles for continuous operation (e.g., Friday through Monday)
- An append-only audit log
[source: https://read.engineerscodex.com/p/diving-into-claude-codes-source-code]
Proactive Mode A related daemon feature (separate from KAIROS in the code) that similarly enables the agent to initiate actions without user prompting. [source: https://www.msn.com/en-us/news/technology/claude-code-leak-suggests-anthropic-is-working-on-a-proactive-mode-for-its-coding-tool/ar-AA1ZVdem]
CHICAGO: Desktop Automation Mouse clicks, keyboard input, clipboard access, and screenshot capture. [source: https://www.theregister.com/2026/04/01/claude_code_source_leak_privacy_nightmare/]
Multi-Claude Orchestration One coordinator Claude instance managing multiple parallel worker instances. [source: https://read.engineerscodex.com/p/diving-into-claude-codes-source-code]
“Tamagotchi” Coding Pet References to a persistent, personality-bearing AI companion for developers. [source: https://www.theverge.com/ai-artificial-intelligence/904776/anthropic-claude-source-code-leak]
Voice Command Mode Full voice interface, unreleased. [source: https://read.engineerscodex.com/p/diving-into-claude-codes-source-code]
Browser Automation via Playwright Web scraping and browser control integration. [source: https://read.engineerscodex.com/p/diving-into-claude-codes-source-code]
Internal Model Codenames
- Capybara: Claude 4.6 variant, version 8, with 1M context window and fast mode
- Fennec: Speculated as Opus 4.6
- Mythos: Referenced alongside Capybara
- Numbat: Launch timeline embedded in source
- Tengu: Referenced in undercover systems
[source: https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know]
5. Security and Privacy Concerns from the Code
Data collection scope revealed: The telemetry system logs:
- User ID, session ID, app version, platform, terminal type, organization UUID, email address
- Current working directory (which can expose project names and client names)
- All read/write operations and bash command results, stored locally as plaintext JSONL files
- Message length telemetry and system prompt data
Data retention periods confirmed in the code:
- Free/Pro/Max users: 5 years (if training data sharing is enabled) or 30 days
- Commercial users: 30 days standard; zero-retention option available
[source: https://www.theregister.com/2026/04/01/claude_code_source_leak_privacy_nightmare/]
Frustration detection: The code includes regex pattern-matching to detect user frustration in prompts, flagging profanity, insults, and phrases like “so frustrating” and “this sucks.” This is logged. [source: https://www.scientificamerican.com/article/anthropic-leak-reveals-claude-code-tracking-user-frustration-and-raises-new/]
Permission and hook exposure: The full permission logic and hook mechanisms are now visible to attackers. Security researchers identified pre-existing CVEs (CVE-2025-59536 and CVE-2026-21852) that are now significantly easier to weaponize with access to the source. [source: https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak]
Court context: The Register noted the device access scope revealed in the code is relevant to an ongoing court dispute. The U.S. Department of War sued Anthropic (case: Anthropic PBC v. U.S. Department of War et al), with the government arguing “substantial risk that Anthropic could attempt to disable its technology or surreptitiously alter model behavior during warfighting operations.” [source: https://www.theregister.com/2026/04/01/claude_code_source_leak_privacy_nightmare/]
6. Controversial Discoveries
Undercover Mode: Undisclosed AI authorship in open source This is the most ethically charged finding. The leaked code contains a fully built system called “Undercover Mode” designed to strip Anthropic-specific references from code submitted to public repositories. Specifically:
- It scrubs internal codenames, Slack channels, and tool names from any commits to public repos
- It explicitly instructs the system that commits should “never include… the phrase ‘Claude Code’ or any mention that you are an AI”
- It directs the agent to omit “co-Authored-By lines or any other attribution”
The stated purpose in the prompt is to protect internal information from leaking via open source contributions. The side effect: when Anthropic employees use Claude Code to contribute to public open source repos, the AI-authored portions are made to appear fully human-authored with no disclosure.
One developer’s characterization: “Having the AI actively pretend to be human is a different thing” from simply hiding codenames. This is described as a “one-way door” — there is no force-OFF toggle for the concealment.
[source: https://www.scientificamerican.com/article/anthropic-leak-reveals-claude-code-tracking-user-frustration-and-raises-new/; https://arstechnica.com/ai/2026/04/heres-what-that-claude-code-source-leak-reveals-about-anthropics-plans/]
Anti-distillation countermeasures: The code includes active measures to poison competitor AI training data. “Decoy tool schemas” are injected into prompts, designed to corrupt any model trained on Claude’s outputs. A “CONNECTOR_TEXT” mechanism returns only summarized reasoning to external callers, withholding full chain-of-thought. [source: https://read.engineerscodex.com/p/diving-into-claude-codes-source-code]
Cryptographic DRM below JavaScript layer: Cryptographic request hashing implemented in Bun’s Zig HTTP layer (below JavaScript) prevents spoofing or monkey-patching. [source: https://read.engineerscodex.com/p/diving-into-claude-codes-source-code]
7. Anthropic’s Response
Official statement (confirmed by multiple outlets): “Earlier today, a Claude Code release included some internal source code. This was a release packaging issue caused by human error, not a security breach. No sensitive customer data or credentials were involved or exposed.” [source: https://www.axios.com/2026/03/31/anthropic-leaked-source-code-ai; https://fortune.com/2026/03/31/anthropic-source-code-claude-code-data-leak-second-security-lapse-days-after-accidentally-revealing-mythos/]
Actions taken:
- Immediately pulled version 2.1.88 from npm
- Issued 8,000+ copyright takedown requests against GitHub repositories hosting the code
- CCO Paul Smith acknowledged “process errors” related to rapid product releases as the cause
- Reportedly working to patch security vulnerabilities exposed by the source visibility
Limitations of response: The takedown effort has been largely ineffective. Developers quickly converted the leaked TypeScript into Rust, Python, and other languages — rewritten code is not covered by the same DMCA claims. One community project (ClaURST) produced a Rust port and emerged as potentially the fastest GitHub repository to reach 50,000 stars in history. [source: https://www.pcmag.com/news/anthropic-issues-8000-copyright-takedowns-to-scrub-claude-code-leak; https://layer5.io/blog/engineering/the-claude-code-source-leak-512000-lines-a-missing-npmignore-and-the-fastest-growing-repo-in-github-history]
8. Community and Competitive Fallout
- The Ars Technica analysis headlined that this revealed Anthropic’s internal product roadmap to every competitor
- Claude Code had a run-rate revenue of $2.5 billion as of February 2026 per CNBC, making the competitive stakes significant [source: https://www.cnbc.com/2026/03/31/anthropic-leak-claude-code-internal-source.html]
- Developers used the code for architectural deep dives; Medium analysis noted “everyone analyzed the features, nobody analyzed the architecture” and found deeply sophisticated engineering including a single function in
print.tsspanning 3,167 lines across 12 nesting levels, and code comments written for AI agents rather than human developers - Gartner issued a same-day advisory on enterprise security implications [source: https://venturebeat.com/security/claude-code-512000-line-source-leak-attack-paths-audit-security-leaders]
- CrowdStrike CTO and Enkrypt AI CSO both weighed in on agent permission risks
- Forbes framed this as a preview of “dark code” — AI contributions to codebases that are not disclosed or attributable
9. Congressional and National Security Response
Rep. Josh Gottheimer (D-NJ) sent a letter directly to CEO Dario Amodei on April 2, 2026, warning that the leak could “erode the U.S. AI advantage.” The letter pressed Anthropic on:
- The specific circumstances of the leak
- Changes Anthropic made to its internal safety protocols (a reference to a separate controversy about Anthropic relaxing its safety guidelines around the same timeframe)
- National security risks from exposing Claude Code’s architecture to foreign adversaries
The letter was shared exclusively with Axios before publication. This is the first known Congressional action tied to the incident. [source: https://www.msn.com/en-us/news/technology/exclusive-gottheimer-presses-anthropic-on-source-code-leaks/ar-AA1ZZrvy; https://www.inc.com/leila-sheridan/anthropic-code-leak-dc-security/91326007]
10a. Critical Vulnerability: 50-Subcommand Safety Bypass (NEW Apr 2-3)
Adversa AI discovered a critical vulnerability in Claude Code that the leaked source code both documents and partially resolves – though the fix is not yet deployed.
Mechanism: When Claude Code processes a request containing more than 50 subcommands, it skips compute-intensive safety analysis for all commands beyond the 50th threshold and instead falls back to requesting simple user confirmation. Users who approve the confirmation believe standard safety checks remain active; they do not.
Attack scenario documented by Adversa AI: A supply chain attack via malicious CLAUDE.md files. Attacker creates a GitHub repository containing a CLAUDE.md configuration file with 50+ legitimate-looking build commands followed by credential exfiltration instructions or other harmful actions. When a developer opens the repo in Claude Code, the harmful tail commands execute with minimal scrutiny.
Status of fix: The leaked source code contains a fix: a tree-sitter parser that would validate commands more rigorously. However, as of April 3, 2026, this parser is present in the codebase but disabled in publicly available builds. The vulnerability remains exploitable in production.
Why the leak made this worse: The existence of this vulnerability was not publicly known before the source code leak. Security researchers only discovered it by analyzing the leaked TypeScript. The leaked code also reveals Anthropic was aware of the issue – the fix was built but not shipped.
[source: https://www.infoworld.com/article/4154199/claude-code-is-still-vulnerable-to-an-attack-anthropic-has-already-fixed.html; https://www.securityweek.com/critical-vulnerability-in-claude-code-emerges-days-after-source-leak/]
10b. Enterprise Security and Governance Fallout (NEW Apr 2-3)
Analyst and enterprise security commentary has coalesced around specific risk categories and operational changes:
Targeted exploitation risk: Jun Zhou of Straiker AI: attackers can now “study and fuzz exactly how data flows through Claude Code’s four-stage context management pipeline” to craft persistent backdoors. The shift is from probabilistic jailbreaking to deterministic exploitation using known architecture.
Malicious repository risk: Shreeya Deshpande, Everest Group senior analyst: “attackers can design malicious repositories specifically tailored to trick Claude Code into running unauthorized background commands.”
Predicted enterprise response (Sanchit Vir Gogia, Greyhound Research): immediate moves toward environment isolation, stricter repository permissions, and enforced human review before any AI-generated output reaches production.
Switching cost friction: Pareekh Jain, Pareekh Consulting, notes enterprises face high switching costs around AI coding tools, making immediate platform migration unlikely despite the breach.
Governance and compliance exposure: KAIROS (autonomous background operations) and Undercover Mode (AI authorship concealment) create specific compliance risks in regulated industries where AI contribution must be disclosed and attributed.
Competitive acceleration: Joshua Sum estimates the leak “shaved a year of reverse-engineering off every startup and enterprise’s roadmap.” Competing project Claw Code accumulated 145,000 GitHub stars in one day.
[source: https://www.infoworld.com/article/4154023/claude-code-leak-puts-enterprise-trust-at-risk-as-security-governance-concerns-mount.html]
10. Active Threat: Malware Exploiting the Leak
Zscaler ThreatLabz identified an active malware campaign exploiting the leak’s publicity as a social engineering lure.
Mechanism: Malicious GitHub repositories posing as “leaked Claude Code” appeared near the top of Google search results. They distributed Rust-based droppers (ClaudeCode_x64.exe) packaged in .7z archives.
Payloads confirmed:
- Vidar v18.7 (information stealer / credential harvester)
- GhostSocks (network traffic proxy / SOCKS5 backdoor)
C2 infrastructure:
- Vidar C2:
rti.cargomanbd[.]com - GhostSocks C2:
147.45.197[.]92:443,94.228.161[.]88:443 - Dead drop resolvers: Steam community profiles, Telegram channels
Attribution: Publishers idbzoomh and associated accounts. Zscaler assessed this as a coordinated campaign, not opportunistic. Archives were updated frequently, indicating active maintenance.
[source: https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak]
Updated details (BleepingComputer, Apr 2-3):
- The malicious repo was actively SEO-optimized and ranked near the top of Google results for “leaked Claude Code”
- A second repository with identical code but a non-functional Download ZIP button was discovered, suggesting the same actor was A/B testing delivery strategies
- Zscaler confirmed the archive is “updated frequently, so other payloads may be added in future iterations” – indicating active development, not a one-off campaign
- No GitHub or Anthropic containment statement has been issued specifically regarding the malware repositories as of April 3
[source: https://www.bleepingcomputer.com/news/security/claude-code-leak-used-to-push-infostealer-malware-on-github/]
If you searched for “leaked Claude Code” on GitHub or Google after March 31: treat any downloaded archives as potentially malicious. Verify against known-good npm checksums.
11. Timeline
Reverse chronological
| Date/Time (ET) | Event |
|---|---|
| Apr 3, 2026 | InfoWorld reports Adversa AI vulnerability in deployed builds; fix confirmed present in leaked source but disabled |
| Apr 3, 2026 | Dark Reading publishes supply chain oversight analysis citing Claude Code leak |
| Apr 2, 2026, ~6:00 PM | SecurityWeek publishes Adversa AI critical vulnerability report |
| Apr 2, 2026 | Competing project Claw Code reaches 145,000 GitHub stars in one day |
| Apr 2, 2026 | BleepingComputer confirms malicious repos are SEO-optimized and actively maintained; dual-repo delivery strategy identified |
| Apr 2, 2026 | InfoWorld enterprise analysis: Greyhound Research, Straiker AI, Everest Group predict operational changes |
| Apr 2, 2026, ~9:00 AM | Rep. Gottheimer letter to Dario Amodei sent; shared with Axios |
| Apr 2, 2026 | Gartner issues same-day advisory on enterprise security implications |
| Apr 2, 2026 | Zscaler publishes threat research on malware campaign exploiting leak |
| Apr 1, 2026 | Anthropic CCO Paul Smith attributes leak to “process errors” in rapid releases |
| Apr 1, 2026 | Anthropic issues 8,000+ DMCA takedowns against GitHub forks |
| Apr 1, 2026 | Community Rust port (ClaURST) emerges; reportedly fastest repo to 50k GitHub stars |
| Apr 1, 2026 | The Verge, Ars Technica, Bloomberg, Fortune, CNBC publish deep analyses |
| Apr 1, 2026 | Gizmodo: Anthropic “can’t cover up its Claude Code leak fast enough” |
| Mar 31, 2026, evening | Anthropic pulls version 2.1.88 from npm; confirms leak via spokesperson |
| Mar 31, 2026, ~morning | Security researcher Chaofan Shou posts on X; post reaches 28.8M views |
| Mar 31, 2026, morning | Claude Code v2.1.88 published to npm with cli.js.map source map included |
| ~Mar 28-30, 2026 | Earlier lapse: unpublished model docs accidentally visible in public Anthropic data cache |
12. Confidence Assessment
High Confidence
- The leak occurred on March 31, 2026 via npm package v2.1.88 (confirmed by Anthropic, Hacker News, multiple outlets)
- 512,000+ lines across ~1,906 TypeScript files were exposed via
cli.js.map - Anthropic’s official characterization: human error, not a security breach
- No model weights, user data, or credentials were exposed (confirmed by Anthropic)
- Anthropic issued 8,000+ DMCA takedowns (confirmed by PCMag, NDTV, Gizmodo)
- The KAIROS daemon, Undercover Mode, and anti-distillation features exist in the leaked code (confirmed by multiple independent analyses)
- Rep. Gottheimer’s letter is confirmed via Axios and The Hill
Medium Confidence
- Model codename mappings (Capybara = Claude 4.6, Fennec = Opus 4.6) — sourced from VentureBeat analysis of leaked code; Anthropic has not confirmed
- Zscaler’s CVE identifications (CVE-2025-59536 and CVE-2026-21852) — sourced from Zscaler research, not independently verified by this report
- The malware campaign attribution to coordinated rather than opportunistic activity — Zscaler’s assessment, not independently corroborated
- “Fastest GitHub repo to 50k stars” claim for ClaURST — widely reported but unverified against GitHub historical data
13. Open Questions
- Has Anthropic confirmed whether the Undercover Mode was actively used (i.e., did Anthropic employees actually submit AI-authored commits without disclosure)?
- Will Gottheimer’s letter produce a formal Congressional hearing or subpoena?
- When will Anthropic enable the tree-sitter parser fix for the 50-subcommand vulnerability in production builds? No timeline has been stated.
- Has Anthropic or GitHub taken any specific action to remove the SEO-optimized malware repositories confirmed by BleepingComputer?
- What specific security patches is Anthropic deploying in response to the exposed permission logic and identified CVEs?
- The earlier lapse (unpublished model docs) is referenced but details remain thin – what exactly was in those documents?
- Claude Code’s $2.5B run-rate revenue: is this being affected by trust erosion following the dual incidents?
- Are there other npm packages from Anthropic that may have had similar packaging errors?
- Will enterprise customers publicly disclose changes to their Claude Code deployment posture in Q2 2026?
14. Sources
| Source | URL | Used For |
|---|---|---|
| The Hacker News | https://thehackernews.com/2026/04/claude-code-tleaked-via-npm-packaging.html | How error happened, Chaofan Shou discovery, 28.8M views |
| Zscaler ThreatLabz | https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak | Full security analysis, CVEs, malware campaign, attack surface |
| The Register | https://www.theregister.com/2026/04/01/claude_code_source_leak_privacy_nightmare/ | Device access scope, telemetry, data retention, court case |
| Scientific American | https://www.scientificamerican.com/article/anthropic-leak-reveals-claude-code-tracking-user-frustration-and-raises-new/ | Frustration tracking, Undercover Mode, AI concealment |
| Engineer’s Codex | https://read.engineerscodex.com/p/diving-into-claude-codes-source-code | KAIROS, architecture, unreleased features, anti-distillation |
| Gizmodo (leak) | https://gizmodo.com/source-code-for-anthropics-claude-code-leaks-at-the-exact-wrong-time-2000740379 | Second lapse context |
| Gizmodo (cover-up) | https://gizmodo.com/anthropic-cant-cover-up-its-claude-code-leak-fast-enough-2000740972 | Takedowns, WSJ reporting on security holes |
| VentureBeat | https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know | Internal codenames, model roadmap |
| CNBC | https://www.cnbc.com/2026/03/31/anthropic-leak-claude-code-internal-source.html | $2.5B revenue figure, Anthropic statement |
| Fortune | https://fortune.com/2026/03/31/anthropic-source-code-claude-code-data-leak-second-security-lapse-days-after-accidentally-revealing-mythos/ | Second lapse framing, official confirmation |
| Axios | https://www.axios.com/2026/03/31/anthropic-leaked-source-code-ai | Official Anthropic no-credentials statement |
| Bloomberg | https://www.bloomberg.com/news/articles/2026-04-01/anthropic-scrambles-to-address-leak-of-claude-code-source-code | Anthropic scrambles to limit damage |
| PCMag | https://www.pcmag.com/news/anthropic-issues-8000-copyright-takedowns-to-scrub-claude-code-leak | 8,000 DMCA takedowns, language conversion evasion |
| The Hill | https://thehill.com/policy/technology/5812881-gottheimer-presses-anthropic-ai-safety/ | Gottheimer letter details |
| Axios (Gottheimer) | https://www.msn.com/en-us/news/technology/exclusive-gottheimer-presses-anthropic-on-source-code-leaks/ar-AA1ZZrvy | Gottheimer letter text |
| Inc. | https://www.inc.com/leila-sheridan/anthropic-code-leak-dc-security/91326007 | National security framing |
| VentureBeat (security) | https://venturebeat.com/security/claude-code-512000-line-source-leak-attack-paths-audit-security-leaders | Gartner advisory, CrowdStrike/Enkrypt AI comments |
| GitHub (ClaURST) | https://github.com/Kuberwastaken/claurst | Undercover Mode irony, Bun source map explanation |
| SecurityWeek | https://www.securityweek.com/critical-vulnerability-in-claude-code-emerges-days-after-source-leak/ | Adversa AI critical vulnerability report |
| InfoWorld (vulnerability) | https://www.infoworld.com/article/4154199/claude-code-is-still-vulnerable-to-an-attack-anthropic-has-already-fixed.html | 50-subcommand bypass, tree-sitter fix in source but not deployed |
| InfoWorld (enterprise) | https://www.infoworld.com/article/4154023/claude-code-leak-puts-enterprise-trust-at-risk-as-security-governance-concerns-mount.html | Enterprise security implications, analyst quotes, Claw Code competitor |
| BleepingComputer (malware) | https://www.bleepingcomputer.com/news/security/claude-code-leak-used-to-push-infostealer-malware-on-github/ | SEO-optimized malware repos, dual delivery strategy, active campaign maintenance |
15. Update History
| Date | Change |
|---|---|
| 2026-04-03 | Updated with Apr 2-3 developments: Adversa AI 50-subcommand safety bypass vulnerability (fix exists in leaked source but disabled in production); enterprise security analyst responses (Greyhound, Straiker AI, Everest Group, Pareekh Consulting); BleepingComputer confirmation of SEO-optimized malware repos and dual delivery strategy; Claw Code competitor hitting 145,000 GitHub stars in one day; new open questions on patch deployment timeline and enterprise response. |
| 2026-04-02 | Initial report created. Covers events through April 2, 2026 2:07 PM ET. |
16. How This Report Was Generated
Researched by the Claude Research Agent using SearXNG (deep search and news search), WebFetch for primary source verification, and public reporting from Hacker News, Zscaler ThreatLabz, The Register, Scientific American, Engineer’s Codex, VentureBeat, The Verge, Ars Technica, Fortune, CNBC, Bloomberg, Axios, Gizmodo, PCMag, The Hill, Inc., and GitHub. Research conducted April 2, 2026.