Detailed Analysis
Anthropic's accidental exposure of Claude Code's full source code on March 31, 2026, constitutes one of the more consequential unintended disclosures in recent AI tooling history. The leak originated from a 59.8 MB JavaScript source map file (cli.js.map) inadvertently bundled into npm package version 2.1.88 of @anthropic-ai/claude-code and stored on Anthropic's Cloudflare R2 infrastructure. Security researcher Chaofan Shou (@Fried_rice) disclosed the finding on X, after which the reconstructed codebase — approximately 513,000 lines of unobfuscated TypeScript spread across 1,906 files — was rapidly mirrored and forked thousands of times on GitHub. The incident gave outside researchers an unprecedented and unsanctioned look at the internals of one of the most actively used AI-powered CLI coding agents on the market.
Security analysis of the exposed code identified three independent command injection sinks, each classified under CWE-78, spanning Claude Code's command lookup mechanism, editor invocation logic, and credential/authentication subsystems. These flaws enable arbitrary shell command execution by smuggling restricted instructions through insufficiently sanitized input strings — for example, by embedding commands like `rm` or `sudo` inside whitelisted calls to `echo` or `pwd`. Phoenix Security tested 100 distinct attack paths and confirmed at least eight substantiated vulnerabilities. Two CVEs assigned before the leak also resurfaced in the analysis: CVE-2025-59536 (CVSS 8.7), which allows remote code execution when Claude Code initializes Hooks or MCP configurations in untrusted directories, patched in v1.0.111 in October 2025; and CVE-2026-21852 (CVSS 5.3), enabling API key exfiltration through a malicious `ANTHROPIC_BASE_URL` environment variable during project load, addressed in v2.0.65 in January 2026. Additional risks include path restriction bypass through inverse prompting and context poisoning in multi-agent orchestration loops.
Beyond the vulnerabilities, the leak illuminated a range of unannounced or undisclosed product features. Researchers identified internal capabilities labeled "Kairos mode," "Buddy" (a per-user character generation system), and "Undercover Mode," which conceals internal codenames in public-facing commits. The codebase also revealed more than 44 feature flags — roughly 20 of which correspond to unshipped functionality — as well as persistent memory architecture, OS-level sandboxes, and a Bash validator system employing over 25 regex and AST-based checks. These revelations matter not only because they expose Anthropic's product roadmap prematurely, but because they illustrate the depth of internal complexity underlying what users interact with as a simple command-line tool.
The incident carries significant implications for the broader ecosystem in which agentic AI coding tools operate. Claude Code runs with user-level privileges and is designed to delegate terminal tasks within a working directory while requesting consent for external actions — a design philosophy that inherently concentrates risk when untrusted repositories or CI/CD pipelines are involved. The fact that three injection sinks existed simultaneously in security-sensitive subsystems suggests that the rapid expansion of AI coding agents into production workflows is outpacing rigorous security review practices. The tool's architecture — combining tool-use permission systems, OAuth flows, and LLM API orchestration — creates a complex attack surface that differs materially from traditional software, where injection risks are better understood and tooling for detection is more mature.
The Claude Code leak arrives at a moment when agentic AI systems are transitioning from research novelties to enterprise infrastructure, making security posture a first-order concern rather than a secondary consideration. The source map disclosure is a reminder that the software supply chain risks affecting AI tooling are not merely theoretical: a single misconfigured build artifact can expose proprietary architecture, future product plans, and exploitable vulnerabilities simultaneously. Researchers and organizations relying on tools like Claude Code are now urged to enforce updates, avoid execution in untrusted directory contexts, and apply heightened scrutiny to agentic systems that blend LLM reasoning with direct shell access — a combination whose security properties remain incompletely characterized across the industry.
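The root cause described above, a source map shipped inside a published package, is the kind of defect a pre-publish check can catch. The following audit script is an added example, not code from Anthropic or from the Claude Code project; it walks a package directory, flags `.map` files and `sourceMappingURL` trailers, and rates a map as high severity when its `sourcesContent` field is populated, since that field embeds the complete original source text rather than just file names and line mappings. The sample package it builds is constructed for the demo and does not reproduce the real npm layout.

```python
import json
import re
import tempfile
from pathlib import Path

# Trailer that bundlers append so browsers and devtools can locate the map.
SOURCEMAP_URL_RE = re.compile(r"^//[#@]\s*sourceMappingURL=(\S+)", re.MULTILINE)


def audit_package_dir(root):
    """Return (severity, relative_path, reason) findings for a package tree.
    A map whose JSON carries non-empty `sourcesContent` embeds full sources."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".map":
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (ValueError, UnicodeDecodeError):
                data = {}
            if any(data.get("sourcesContent") or []):
                findings.append(("high", rel, "map embeds full sources (sourcesContent)"))
            else:
                findings.append(("medium", rel, "source map shipped in package"))
        elif path.suffix in (".js", ".mjs", ".cjs"):
            text = path.read_text(encoding="utf-8", errors="replace")
            for match in SOURCEMAP_URL_RE.finditer(text):
                target = match.group(1)
                if target.startswith("data:"):
                    findings.append(("high", rel, "inline data: source map in bundle"))
                else:
                    findings.append(("low", rel, f"references external map {target}"))
    return findings


def run_demo():
    """Build a constructed sample package (not the real npm layout) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "cli.js").write_text("console.log('hi');\n//# sourceMappingURL=cli.js.map\n")
        (pkg / "cli.js.map").write_text(json.dumps({
            "version": 3, "sources": ["src/main.ts"], "mappings": "AAAA",
            "sourcesContent": ["export const flag = 'unshipped';"]}))
        return audit_package_dir(pkg)
```

Running `audit_package_dir` against the output of `npm pack` (unpacked) before publishing, and failing the release on any high finding, closes the gap this incident exposed.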