On March 31, someone noticed something odd in Claude Code v2.1.88.
A debugging file had been accidentally bundled into the npm package — a source map (cli.js.map) that pointed to a zip archive on Anthropic's cloud storage. Inside: the unobfuscated TypeScript source code for Claude Code. Nearly 2,000 files. Around 500,000 lines of code.
Within hours, the archive had been downloaded, mirrored across GitHub, and was accumulating thousands of stars. Anthropic's internal codebase — unreleased features, architecture decisions, internal tooling — was publicly readable.
What actually happened
This was a packaging error, not a breach. A developer accidentally included a debug build artifact in a production release. The source map pointed to internal cloud storage that shouldn't have been publicly accessible, but was.
No customer data was exposed. No credentials or API keys were in the leaked code. No sensitive user information.
Anthropic's statement was straightforward: "A Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again."
What was exposed
The leaked code covered:
- Full TypeScript source and architecture
- Internal model performance data
- Feature flags for dozens of unshipped capabilities
- Unreleased features that weren't yet publicly announced
The architecture exposure is significant from a competitive intelligence standpoint, though Anthropic's moat is model capability, not tooling code. The interesting stuff is in the feature flags.
The unreleased features people found
This is the part worth paying attention to.
Session review
Claude Code can apparently study its own past work and transfer learnings across sessions. Not just "here's the history" — actively reviewing what it did well and poorly in previous sessions, and carrying those insights into new ones.
For anyone who's hit the pattern of Claude Code making the same kind of mistake across different sessions: this is the fix. It's not shipped yet, but it's clearly in development.
Persistent assistant mode
Claude Code can apparently continue working in the background even when you're idle or have closed your session.
This is a significant capability jump. Current Claude Code is interactive — it works when you're in the loop. A persistent mode means you could hand off a task and come back to a completed result, like a proper async workflow rather than a synchronous conversation.
Both features are behind flags. Neither is shipped. But both are clearly complete enough to be in the codebase.
The bigger picture
This is the second notable operational security issue for Anthropic in just over a year. The pattern matters: AI companies are moving fast, shipping frequently, and sometimes the release pipeline doesn't have the safeguards that ship quality requires.
This doesn't change Claude Code's value. The product works. The architecture is what you'd expect from a serious engineering team. But it's a useful reminder that "AI company" and "solid software ops" aren't synonymous just because the models are impressive.
The feature flag discoveries are probably the most useful thing to come out of this. Anthropic will ship session review and persistent assistant mode eventually — they were far enough along to be in a production build. Now we know to watch for them.
What to do (nothing, mostly)
If you're using Claude Code, there's no action required. Nothing sensitive was exposed on your end. The v2.1.88 npm package was the affected release — if you're on a newer version, Anthropic has already made changes to packaging.
If you downloaded the leaked archive: that's a grey area. Reading source code of a tool you use isn't a criminal act, but redistributing it or building on it commercially would be. The code is proprietary regardless of how it became accessible.
The more interesting thing to do is note what's coming and stay close to Claude Code releases over the next few quarters. Session review and persistent assistant mode are the two features I'm watching.