William OGOU Cybersecurity Blog

Published

- 7 min read

Dissecting the Claude Code Fiasco: Anthropic 512K-Line Leak

By William OGOU
Claude Code Leak Anthropic AI Supply Chain Security Prompt Injection Agentic AI Security DevSecOps MLOps
img of Dissecting the Claude Code Fiasco: Anthropic 512K-Line Leak

March 31, 2026. My birthday. I woke up expecting cake, maybe some questionable singing, and a quiet day. Instead, the AI security world handed me the ultimate gift: Anthropic accidentally published the entire, unobfuscated TypeScript source code for Claude Code to npm.

It turns out, someone at Anthropic hit “publish” with a 59.8 MB JavaScript source map file still attached to version 2.1.88 of the @anthropic-ai/claude-code package. Within hours, students, researchers, and threat actors had pulled down roughly 512,000 lines of code across 1,900 files.

Anthropic confirmed it was a “release packaging issue caused by human error, not a security breach.” But in the era of Agentic AI where tools like Claude Code have direct access to developer terminals, file systems, and cloud credentials leaking the operational blueprint of your security boundaries is a massive big deal.

Here is a technical breakdown of what the leak revealed, how attackers are already exploiting it, and what you need to do to secure your development environment.

What to Remember

  • The Leak: 512,000 lines of Claude Code TypeScript source were accidentally published to npm via a source map.
  • Exploits Unlocked: Attackers now have the exact blueprints for context poisoning and sandbox bypasses.
  • The 50-Command Limit: A critical flaw allows attackers to bypass security validators by chaining more than 50 commands.
  • Supply Chain Threats: Fake “unlocked” Claude Code repositories are actively distributing the Vidar Infostealer to developers.

1. The Death of Security by Obscurity

Before the leak, finding a vulnerability in a complex, agentic system like Claude Code required tedious black-box testing. You had to guess how the agent managed memory, how it validated bash commands, and what triggers caused it to prompt the user.

Now? Attackers have the map.

While the npm package was previously shipped as a minified bundle (meaning a dedicated researcher could have reversed it), the leak collapsed the cost and time required to find exploits to near zero. We now know exactly how data flows through Claude Code’s internal pipelines.

Exploit Vector A: Context Poisoning via the Compaction Pipeline

Claude Code handles long conversations by “compacting” memory so it doesn’t run out of tokens. The leak revealed exactly how this four-stage pipeline works: tool result budgeting $\rightarrow$ microcompact $\rightarrow$ context collapse $\rightarrow$ autocompact.

Because attackers now see the exact rules governing what gets deleted and what gets saved, they can craft Prompt Injections designed specifically to survive compaction.

  • The Flaw: The source code shows that the autocompact prompt instructs the model to preserve “all user messages that are not tool results” as “user feedback.”
  • The Attack: An attacker places a malicious instruction inside a repo’s CLAUDE.md file. The model reads it. When compaction happens, the system launders this malicious instruction, saving it as genuine “user feedback.” The model is now permanently backdoored for the rest of the session, completely bypassing initial safety checks.

Exploit Vector B: Sandbox Bypass via Shell Parsing Gaps

Claude Code uses 25+ validators to ensure it doesn’t run dangerous bash commands. The leaked source code literally contains the developers’ comments explaining their threat models (and their fears).

Attackers quickly found discrepancies between the three different parsers Claude uses to analyze commands. For instance, the code reveals that while ANSI-C quoting ($'...') is caught by one validator, the function used to extract quoted content for all other validators ignores it. Attackers immediately used this syntax gap to bypass the sandbox and execute arbitrary code.

2. The Adversa AI Discovery: The 50-Command Limit

The most critical vulnerability found post-leak was published by the Adversa AI Red Team.

Claude Code has a robust permission system: you can explicitly deny commands like curl (to prevent data exfiltration) and allow commands like git.

However, Anthropic noticed that analyzing massive, compound bash commands caused the UI to freeze. Their fix? Cap the security analysis at 50 subcommands. If a command pipeline has more than 50 steps, the system skips the security validators and simply prompts the user (behavior: 'ask').

  • The Attack: A malicious repository contains a CLAUDE.md file that instructs the AI agent to generate a 51-step build process. The 51st step is a malicious exfiltration command (e.g., stealing ~/.aws/credentials). Because the pipeline exceeds 50 commands, all deny rules are skipped. The user is prompted to approve a massive, complex wall of text, hiding the malicious command at the very end.

3. The Supply Chain Fallout: Infostealers and Fake Repos

It didn’t take long for cybercriminals to capitalize on the hype. According to Zscaler, threat actors immediately set up fake GitHub repositories claiming to host the “Unlocked Enterprise” version of the leaked Claude Code.

Search engine optimization (SEO) pushed these fake repos to the top of Google. When curious developers downloaded the “leak” (a 7-Zip archive containing ClaudeCode_x64.exe), they actually infected themselves with the Vidar Infostealer and a network proxy tool called GhostSocks.

This mirrors the simultaneous supply chain attack on the axios npm package that happened mere hours before the Claude leak, proving that developers are currently the most targeted demographic on the internet.

What Defenders Must Do Now

If you or your team use Claude Code (or any autonomous AI coding agent), you must adjust your threat model immediately:

  • Audit CLAUDE.md Files: Treat these files in cloned repositories or Pull Requests as highly untrusted input. They are the primary vector for context poisoning.
  • Vet MCP Servers: Treat Model Context Protocol (MCP) servers like raw npm dependencies. Vet them, pin their SHAs, and monitor them for changes. The leak makes crafting convincing malicious MCP servers trivial.
  • Avoid Broad Permissions: Never use broad allow rules like Bash(git:*).
  • Watch the Compaction Window: Limit session lengths for sensitive work. The longer the session, the higher the chance a laundered prompt injection survives compaction.
  • Beware Fake Leaks: Only download Claude Code via the official Anthropic installer, not via npm directly, and absolutely avoid “leaked” versions on GitHub.

How Tools Like Straiker Help As the researchers at Straiker point out, this isn’t just a Claude problem; it’s an Agentic AI problem. The compaction pipelines and permission gaps exposed here exist in almost every enterprise AI agent. You need tools that map your AI attack surface (Discover AI), continuously probe for these exact failure paths (Ascend AI), and inspect prompts at runtime (Defend AI).

Conclusion

So, happy birthday to me. As I blow out the candles, the security industry is scrambling to patch the holes revealed by 512,000 lines of unexpected transparency. The Claude Code leak didn’t ruin the product, but it definitively ended the era of implicit trust in AI agents.

We now know exactly how the sausage is made and so do the attackers. Time to get to work.

To further enhance your cloud security and implement Zero Trust, contact me on LinkedIn Profile or [email protected]

Frequently Asked Questions (FAQ)

What caused the Claude Code source code leak?

The leak was caused by a release packaging issue due to human error, where a 59.8 MB JavaScript source map file was accidentally left attached to version 2.1.88 of the `@anthropic-ai/claude-code` npm package.

How are attackers exploiting the compaction pipeline?

Attackers can hide malicious instructions in a `CLAUDE.md` file. During memory compaction, the system preserves these instructions as genuine "user feedback," permanently backdooring the session and bypassing initial safety checks.

What is the 50-command limit vulnerability discovered by Adversa AI?

To prevent the UI from freezing, Claude Code caps security analysis at 50 subcommands. Attackers can bypass deny rules entirely by generating a 51-step build process with a malicious exfiltration command hidden at the very end.

How are cybercriminals using the leak for supply chain attacks?

Threat actors have set up fake GitHub repositories claiming to host 'unlocked' versions of the leaked code. Developers downloading these archives are actually infecting themselves with the Vidar Infostealer and GhostSocks proxies.

What immediate steps should defenders take?

Defenders must audit `CLAUDE.md` files as highly untrusted input, vet and pin MCP servers, avoid broad allow rules like `Bash(git:*)`, and limit session lengths for sensitive development work.

William OGOU

William OGOU

Need help implementing Zero Trust strategy or securing your cloud infrastructure? I help organizations build resilient, compliance-ready security architectures.

Connect on LinkedIn