Tags: software security

Anthropic unintentionally exposed the source code for its Claude Code tool, prompting a flood of GitHub reposts. Security researchers discovered that many of the copies include hidden infostealer malware, turning a simple code leak into a broader threat. The company has issued copyright takedown notices, trimming the number of repositories from over 8,000 to under 100. The episode follows earlier attempts to lure users with fake installation guides that also delivered malicious payloads. Read more

A recent update to Anthropic's Claude Code inadvertently released internal source files, exposing over half a million lines of code on a public GitHub repository. The leak, which was quickly patched, did not contain customer data but allowed the broader community to examine the codebase. Analysts and developers spotted flags hinting at upcoming features, including a "Proactive" mode that could act without user prompts, a crypto‑based payment system for autonomous AI transactions, and a Tamagotchi‑style virtual companion that reacts to coding activity. Anthropic attributed the incident to a packaging error and said measures are being taken to prevent recurrence. Read more

Anthropic confirmed that an employee error caused the Claude Code AI assistant source code to be exposed through a map file in its npm package. The leak included roughly 1,900 TypeScript files containing over 500,000 lines of code stored in a Cloudflare R2 bucket. Anthropic emphasized that no customer data or credentials were compromised and described the incident as a packaging mistake rather than a security breach. The company said it is implementing safeguards to prevent similar errors, while the leak was quickly mirrored on GitHub amid ongoing discussions about recent Claude vulnerabilities and high user demand. Read more

A recent packaging error released more than 512,000 lines of Claude Code’s source code, exposing unreleased features such as a Tamagotchi‑style coding pet and an always‑on background agent called KAIROS. Anthropic clarified that no customer data was compromised and called the incident a human‑error mistake, while analysts warned that the leak could aid bad actors and highlight the need for stronger operational safeguards. Read more

Anthropic inadvertently released the full source code for its Claude Code command‑line interface when a recent npm package included a source‑map file. The leak made nearly 2,000 TypeScript files and over half a million lines of code publicly available. Security researcher Chaofan Shou highlighted the issue, and the code quickly spread across GitHub. Anthropic confirmed the error was a packaging mistake, not a breach of customer data, and said it is implementing safeguards to prevent recurrence. Developers have begun dissecting the code to understand Claude Code’s architecture. Read more