March 31, 2026
Claude Code's entire source code just leaked — and Axios got hijacked the same day
Anthropic shipped source maps in their npm package, exposing 500k+ lines of Claude Code. Meanwhile, Axios got hit by the most sophisticated supply chain attack I've seen. Two npm trust failures in one day.

Claude Code has access to my terminal, my filesystem and my git history. It’s the most privileged tool in my stack. Anthropic just shipped its entire source code to npm by accident.
The leak
A .map file — a source map meant for debugging — was included in the public npm package. It pointed to an R2 bucket with the original TypeScript source. No authentication. Public read.
A researcher named Chiao Fan Show found it and posted the link. Within hours the full codebase was archived at instructkr/claw-code — 50,000 stars, 56,000 forks, and climbing. Rust and Python rewrites are already underway.
Third time this year. Versions 2.8 and 4.228 had the same source map problem. Five days ago a misconfigured CMS exposed the Mythos draft. Three incidents, zero hacks — all build or config failures.
What the code shows
500,000+ lines of TypeScript. ~1,900 files. The architecture is more complex than the public documentation suggests:
- 40+ permission-gated tools with the full execution boundary logic visible
- Multi-agent orchestration — one instance spawning and managing parallel workers
- Persistent memory via a memdir/ subsystem that preserves context across sessions
- The complete system prompt — every instruction, every guardrail, line by line
The unreleased features are more interesting than the architecture:
Buddy mode. A Tamagotchi-style companion with 18 species, rarity tiers and personality stats (debugging, patience, chaos, wisdom, snark). Planned rollout from April 1. Hard to tell if this was an internal joke that grew legs or a real product decision.
Chyros. Always-on persistent mode. Works across sessions, stores memory logs, runs nightly consolidation. The code calls this process dreaming. This is essentially what I’ve been duct-taping together with OpenClaw — native support would eliminate a lot of orchestration overhead.
Ultra Plan. 30-minute cloud planning sessions for extended reasoning beyond normal session limits.
Model codenames. Capybara is the Mythos family with three tiers. Tangu appears hundreds of times as a feature flag prefix — likely Claude Code’s internal project name.
Undercover mode
There’s a subsystem called undercover mode built to prevent Anthropic employees from leaking internal information when contributing to public repos. It injects instructions into Claude’s system prompt: don’t reveal you’re an AI, never mention Capybara or Tangu, never reference internal tools or Slack channels.
They shipped that subsystem — along with everything it was supposed to protect — in the same .map file.
The trust question
No user data was exposed. No API keys, no conversations, no model weights. Client code only.
But I give this tool more access than I give most people I work with. A company that can’t keep a source map out of a production release — three times — deserves scrutiny for that, even if the underlying product is good. The tool is still the best option available. The release process clearly isn’t.
Axios: supply chain attack
Same day. Axios — 100M+ weekly downloads — was hijacked through a compromised maintainer token.
The attacker changed the account email and added one dependency to package.json: plain-crypto.js. No malicious code was imported into Axios itself. The dependency existed solely for its postinstall script:
- Drops an obfuscated setup.js
- Detects the OS
- Downloads a tailored RAT from a C2 server
- Deletes itself and restores a clean package.json
1.1 seconds. No filesystem trace. Affected versions: 1.7.9 and 0.30.4, poisoned within 39 minutes of each other. Caret ranges + npm install during that window = compromised.
The attacker staged a clean version 18 hours before the malicious one and published directly via npm CLI to bypass CI/CD. Methodical.
Check your systems
Quick check of the current project:
npm list axios
Deeper, across every lock file under your home directory:
find ~/ -name "package-lock.json" -exec grep -l "axios" {} \;
That only lists projects that depend on axios; open each hit and compare the pinned version against 1.7.9 and 0.30.4.
RAT artifacts (Mac):
find /tmp /var/tmp ~/Library \( -name "setup.js" -o -name "plain-crypto*" \) 2>/dev/null
If anything shows up, treat the machine as fully compromised. Rotate every credential.
The common thread
Both incidents are npm. Both are trust failures at different points in the chain.
Anthropic can’t keep debug artifacts out of production packages. A single compromised token gives an attacker access to 174,000 downstream projects. The average npm dependency tree trusts 200–2,100 strangers with code execution.
None of this is new information. But it’s a useful reminder that the foundation most of us build on is held together by convention, not verification.