What caused the Anthropic Claude Code npm source leak?

Bun packaging error plus missing .npmignore shipped the 59.8 MB source map with 513K lines.

Did the axios RAT affect Claude Code users?

Possible—trojan active hours before leak went public. Check logs if you installed March 31.

Are Claude Code CVEs exploitable now?

Yes, leaked source makes RCE via repo configs and key exfil via hooks/MCP trivial for attackers.

Anthropic's Claude Code Nightmare: 513K Lines of Source Leaked on npm, Plus a Trojan Twist

Anthropic's Claude Code agent just had its guts spilled across npm—513,000 lines of TypeScript, ripe for exploits. And right as that hit, axios got trojaned. Coincidence? Check your logs.

theAIcatchup Apr 10, 2026 3 min read

npm package warning screen with Anthropic Claude Code source code leaking out

⚡ Key Takeaways

Anthropic leaked 513K lines of Claude Code source via npm—full agent architecture exposed. 𝕏
Two CVEs for RCE and API key theft; coincides with axios RAT trojan. 𝕏
Devs: Audit logs, scan repos, update packages immediately. 𝕏

Published by

theAIcatchup

Ship faster. Build smarter.

#AI agent vulnerabilities #Anthropic #Anthropic leak #Anthropic security #Anthropic source code #Claude Code #Claude code leak #axios trojan #npm leak #npm security #npm supply chain #supply chain attack

Worth sharing?

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by dev.to

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Claude's Secret Emotions: Guardrails for Coding Agents

Claude Code SEO Stack Exposes AI Search's Hidden Fractures

The Hidden Trap in Every 'npm install': Lessons from the Axios Hack

Claude Code's Hidden Tax: Why Tokens and Context Windows Cost You More Than You Think

Stay in the loop