Anthropic Just Leaked Claude Code's Source. Here's What That Means for Every AI Agent You Run.

On March 31, 2026, Anthropic published Claude Code version 2.1.88 to the npm registry with a 59.8 MB JavaScript source map file accidentally included. The file pointed to a zip archive on Anthropic's own cloud storage containing the full, unobfuscated source — 512,000 lines of TypeScript across 1,900 files. Within hours, the entire codebase was mirrored across GitHub and analyzed by thousands of developers. A clean-room reimplementation hit 50,000 stars in two hours — reportedly the fastest-growing repository in GitHub history. This was Anthropic's second security lapse in five days. On March 26, a CMS misconfiguration had exposed roughly 3,000 internal files, including a draft blog post detailing an unreleased model called Claude Mythos that the company says poses "unprecedented cybersecurity risks." Anthropic characterized both incidents as human error. But the downstream question isn't about Anthropic's release engineering. It's about yours. AI agent security governance is the set o