Claude Code Source Code Leak: What Houston Businesses Must Learn About Supply Chain Security
The Claude Code Leak Is a Blueprint for How Supply Chain Attacks Escalate – Software Dependency Risks Every Houston Business Should Audit
A single misconfigured build file exposed 512,000 lines of proprietary code - and attackers pounced within hours.
On March 31, 2026, Anthropic - the AI company behind the Claude family of models - accidentally published the complete source code for their Claude Code CLI tool to the public npm registry. A source map file included in version 2.1.88 of the npm package contained roughly 512,000 lines of unobfuscated TypeScript across nearly 1,900 files. Security researcher Chaofan Shou spotted the exposure and posted about it on X, where the disclosure quickly went viral with over 28 million views.
For cybersecurity professionals and business owners alike, the real lesson here isn't about AI companies making mistakes. It's about how fast threat actors exploit any exposure - and how a single build configuration error can cascade into a full-blown supply chain security crisis affecting businesses of every size.
Claude Code is Anthropic's command-line AI coding assistant - a tool that lets developers interact with Claude directly from their terminal to edit files, run commands, and manage code. It's one of the most popular AI developer tools on the market right now, which made this leak especially high-profile.
Here's how the timeline unfolded on March 31, 2026:
- ~00:21 UTC: An unrelated but catastrophically timed supply chain attack hit the widely-used axios npm package. Malicious versions 1.14.1 and 0.30.4 were published containing a Remote Access Trojan (RAT).
- ~04:00 UTC: Anthropic pushed Claude Code version 2.1.88 to npm. This release included a 59.8 MB source map file that contained the entire original TypeScript codebase.
- 04:23 UTC: Security researcher Chaofan Shou posted the discovery on X with a direct download link. The post generated 28+ million views.
- Within 2 hours: GitHub repositories mirroring the code began appearing. The fastest-growing repo hit 50,000 stars in under two hours and eventually surpassed 84,000 stars with 82,000+ forks.
- ~08:00 UTC: Anthropic pulled the npm package and issued a statement calling it "a release packaging issue caused by human error, not a security breach."
- Same day: Threat actors began publishing fake "leaked Claude Code" repositories loaded with malware, and typosquatting attacks appeared on npm targeting internal Anthropic package names.
The speed of that weaponization cycle should alarm every business owner. We're not talking about days or weeks - attackers had trojanized versions of the leaked code circulating within hours.
Source map files are debugging tools. When developers bundle and minify their JavaScript or TypeScript code for production, the resulting output is compact but unreadable. Source maps create a bridge back to the original code so developers can trace errors to the right file and line number. They're incredibly useful in development. They should never ship in a production package.
With Bun - the JavaScript runtime Claude Code uses - source maps are generated by default unless you explicitly disable them. A missing entry in the .npmignore file or an incorrect files field in package.json is all it takes to accidentally include them.
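To make that packaging check concrete, here is an added example (not Anthropic's, Bun's or npm's own code): a pre-publish gate that parses the output of `npm pack --dry-run --json` and refuses to publish when a source map or an oversized file would ship. The 5 MB ceiling, the `check-pack.js` file name and the `--run` flag are assumptions.

```javascript
// Added example (not Anthropic's or npm's code): a pre-publish gate that parses
// the JSON from `npm pack --dry-run --json` and reports files that should never
// ship: any *.map file, plus anything above an assumed size ceiling.
const MAX_FILE_BYTES = 5 * 1024 * 1024; // assumed ceiling; the leaked map was 59.8 MB

// `npm pack --json` emits an array with one report per tarball; each report's
// `files` lists { path, size, mode } for everything that would be packed.
function findShippedSourceMaps(packJson, maxBytes = MAX_FILE_BYTES) {
  const offenders = [];
  for (const report of JSON.parse(packJson)) {
    for (const f of report.files) {
      const isMap = /\.map$/i.test(f.path);
      if (isMap || f.size > maxBytes) {
        offenders.push({ path: f.path, size: f.size, reason: isMap ? "source map" : "oversized" });
      }
    }
  }
  return offenders;
}

// Without a "files" allowlist in package.json, npm falls back to .npmignore and
// .gitignore exclusions, the fragile setup that lets a debugging artifact slip in.
function hasFilesAllowlist(pkgJson) {
  const pkg = JSON.parse(pkgJson);
  return Array.isArray(pkg.files) && pkg.files.length > 0;
}

// Wire this into package.json as "prepublishOnly": "node check-pack.js --run"
// so a publish aborts before anything reaches the registry.
function main() {
  const { execFileSync } = require("node:child_process");
  const { readFileSync } = require("node:fs");
  if (!hasFilesAllowlist(readFileSync("package.json", "utf8"))) {
    console.warn('warning: package.json has no "files" allowlist; relying on ignore files');
  }
  const out = execFileSync("npm", ["pack", "--dry-run", "--json"], { encoding: "utf8" });
  const offenders = findShippedSourceMaps(out);
  if (offenders.length > 0) {
    console.error("Refusing to publish; these files would ship:");
    for (const o of offenders) console.error(`  ${o.path} (${o.size} bytes, ${o.reason})`);
    process.exit(1);
  }
  console.log("Tarball contains no source maps or oversized files.");
}

if (process.argv.includes("--run")) main();
```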
The irony is thick here. The leaked source code actually revealed an internal feature called "Undercover Mode" - a system specifically designed to prevent Anthropic's internal information from leaking through Claude's git commits. They built a subsystem to stop their AI from accidentally revealing codenames, then shipped the entire codebase because of a build configuration oversight.
For Houston businesses running development teams, this is a pattern we see more often than you'd think. Build pipelines are complex. A single misconfigured file can expose API keys, credentials, proprietary logic, or in this case, 512,000 lines of proprietary source code. This is why managed IT support that includes development environment security isn't optional anymore - it's table stakes.
The source code leak didn't just embarrass Anthropic - it handed security researchers a complete blueprint to audit. Within days, the Adversa AI Red Team discovered a critical vulnerability in Claude Code's permission enforcement system that could allow attackers to silently exfiltrate credentials from developer machines.
Here's how it works. Claude Code uses a three-tier permission system: allow rules (auto-approve specific commands), deny rules (hard-block dangerous commands), and ask rules (always prompt the user for confirmation). On paper, that's a solid approach. The flaw is in how Claude Code handles composite commands with large numbers of subcommands.
To prevent the terminal UI from freezing, Anthropic designed the system to analyze at most 50 subcommands individually. If a command pipeline exceeds 50 subcommands, the system skips individual analysis entirely and reverts to a blanket "ask" prompt. That means deny rules, security validators, and command injection detection are all bypassed for every subcommand beyond the 50th.
An attacker could exploit this by embedding a malicious CLAUDE.md configuration file in a code repository. That file uses prompt injection to instruct Claude's AI to generate a pipeline with 50+ subcommands that looks like a routine build process. The first 50 commands get scrutinized normally. Everything after that - including commands to exfiltrate SSH private keys, AWS credentials, GitHub tokens, or environment secrets - runs with no per-command security checks.
Adversa confirmed that Claude's AI safety layer did independently block some obviously malicious payloads during testing. But they were clear that this is a bug in the permission system's code, not an AI judgment problem. It exists regardless of how smart the underlying model is.
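To show why this is a code-level design flaw rather than a model problem, here is an added example (a simplified model, not Claude Code's own code) that contrasts a fail-open subcommand cap with a fail-closed one. The rule format, the substring matching and the sample commands are assumptions; the 50-subcommand limit is the one stated in the text.

```javascript
// Added example (a simplified model, not Claude Code's own code) contrasting the
// fail-open per-subcommand cap described above with a fail-closed alternative.
// Rule matching is reduced to substring tests; the cap logic is the point.
const SUBCOMMAND_CAP = 50; // the analysis limit stated in the text

// Split a command line into subcommands on ||, &&, | and ;.
function splitSubcommands(commandLine) {
  return commandLine.split(/\s*(?:\|\||&&|\||;)\s*/).filter(Boolean);
}

// Per-subcommand decision: a deny rule wins, then allow, otherwise ask.
function classify(sub, rules) {
  if (rules.deny.some((p) => sub.includes(p))) return "deny";
  if (rules.allow.some((p) => sub.includes(p))) return "allow";
  return "ask";
}

// Combine per-subcommand decisions: any deny denies, all-allow allows, else ask.
function aggregate(subs, rules) {
  const decisions = subs.map((s) => classify(s, rules));
  let decision = "ask";
  if (decisions.includes("deny")) decision = "deny";
  else if (decisions.every((d) => d === "allow")) decision = "allow";
  return { decision, analyzed: subs.length };
}

// Flawed shape: above the cap, per-subcommand analysis is skipped and the whole
// pipeline collapses to a blanket "ask", so deny rules never fire on it.
function evaluateFailOpen(commandLine, rules, cap = SUBCOMMAND_CAP) {
  const subs = splitSubcommands(commandLine);
  if (subs.length > cap) return { decision: "ask", analyzed: 0, reason: "over cap, analysis skipped" };
  return aggregate(subs, rules);
}

// Hardened shape: a performance cap may bound the expensive analysis, but it
// must never relax the outcome. Deny matching is linear and cheap, so it runs
// over every subcommand first, and an over-cap pipeline is refused outright.
function evaluateFailClosed(commandLine, rules, cap = SUBCOMMAND_CAP) {
  const subs = splitSubcommands(commandLine);
  if (subs.some((s) => classify(s, rules) === "deny")) {
    return { decision: "deny", analyzed: subs.length, reason: "deny rule matched" };
  }
  if (subs.length > cap) {
    return { decision: "deny", analyzed: subs.length, reason: "too many subcommands to analyze; split the command" };
  }
  return aggregate(subs, rules);
}
```

Feed both evaluators the same 51-step pipeline whose last step matches a deny rule: the fail-open version returns "ask" having analyzed nothing, while the fail-closed version denies it.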
Security Warning
This finding matters for any Houston business whose development team uses AI coding assistants. The attack vector is simple: clone a repository that contains a malicious configuration file. That's it. A developer on your team clones what looks like a normal project, and the AI assistant starts executing commands that bypass its own security controls. This is exactly why cybersecurity policies need to extend into your development environment - not just your production systems.
The source code exposure itself was bad for Anthropic's intellectual property. But the real cybersecurity threat to businesses came from what happened next.
Fake repositories with embedded malware. Zscaler's ThreatLabz team identified GitHub repositories titled "Leaked Claude Code" that claimed to offer a functional fork with "unlocked enterprise features and no message limits." The repository contained a malicious ZIP archive with a Rust-based dropper that deployed two payloads: Vidar Stealer v18.7 (an information-stealing malware) and GhostSocks (a tool used to proxy network traffic through compromised machines). Before removal, these malicious repositories appeared near the top of Google search results for anyone searching "leaked Claude Code."
Concurrent axios supply chain attack. In a case of catastrophically bad timing, a separate supply chain attack hit the widely-used axios HTTP library on npm the same day. Malicious versions contained a cross-platform RAT. Anyone who installed or updated Claude Code via npm between 00:21 and 03:29 UTC on March 31 may have pulled in the trojanized axios dependency.
Typosquatting on npm. Attackers began registering npm packages with names matching internal Anthropic package names discovered in the leaked source. These "dependency confusion" attacks work by tricking build systems into pulling from public registries instead of private ones. The initial packages were empty stubs - placeholders waiting to push malicious updates once they accumulated installations.
This three-pronged attack pattern - fake repos, dependency poisoning, and typosquatting - is exactly the kind of supply chain threat that Houston businesses need to be preparing for. It doesn't matter whether your team writes code or just runs software that depends on these ecosystems.
"Supply chain attacks don't care about your company size. If your business runs software that pulls from public package registries, you're in the blast radius. Most Houston businesses I talk to have never audited their dependency tree - and that's a gap we need to close."
You don't have to be a software company to be affected by supply chain attacks. Any business running modern software has dependencies on external code packages, libraries, and tools. The Claude Code incident highlights how a single exposure event creates a cascade of secondary threats that can reach businesses far removed from the original target.
Houston's major industry verticals each face specific supply chain security risks. Organizations like the Houston Bar Association and the Texas Society of CPAs - Houston Chapter have been pushing their members toward stronger cybersecurity practices, and incidents like this one reinforce why.
| Industry | Supply Chain Risk Exposure | Primary Threat Vector | Business Impact |
|---|---|---|---|
| Law Firms | Practice management and e-discovery tools with npm/Python dependencies | Malicious updates to legal software plugins | Client privilege breach, bar disciplinary action |
| CPA Firms | Tax preparation and accounting platforms using third-party APIs | Credential theft via compromised dependencies | Client financial data exposure, IRS penalties |
| Construction | Project management, BIM software, and IoT building systems | Trojanized software updates to field devices | Project delays, safety system compromise |
| Wealth Management | Trading platforms and CRM systems with extensive integrations | Fake software downloads, info-stealer malware | Client asset theft, SEC violations |
| Manufacturing | SCADA systems and OT networks with embedded software components | Compromised firmware and library updates | Production shutdown, safety incidents |
| Oil & Gas | Control systems, remote monitoring tools, and SCADA dependencies | Supply chain poisoning of industrial control software | Environmental incidents, regulatory fines |
CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.
Supply chain security isn't a single product you buy off the shelf. It requires a layered approach that covers your endpoints, your network, your software dependencies, and your team's awareness. Here's how CinchOps helps businesses in Sugar Land, Cypress, and across the Houston area stay protected:
- Endpoint protection and monitoring - We deploy advanced endpoint detection and response (EDR) tools that catch info-stealers like Vidar before they exfiltrate your data. Real-time monitoring means we know when something suspicious lands on your network.
- Software inventory and dependency auditing - We help businesses maintain a current inventory of all installed software and their dependencies. When a supply chain threat emerges - like the axios poisoning - we can quickly assess your exposure.
- Patch management and update controls - Not every software update should be installed immediately. We implement controlled update policies that verify packages before deployment, preventing auto-installation of compromised dependencies.
- Network segmentation and traffic analysis - Tools like GhostSocks work by proxying traffic through compromised machines. Our network monitoring catches unusual outbound connections before they become data exfiltration channels.
- Security awareness training - The fake Claude Code repositories ranked at the top of Google search results. We train your team to verify software sources and recognize social engineering tactics that exploit trending security news.
- Incident response planning - When a supply chain compromise does happen, response time determines damage. We build and maintain incident response plans tailored to your business so you know exactly what to do.
In 30 years of managing IT for businesses, I've watched supply chain attacks go from a rare, nation-state-level concern to something that hits small businesses in Katy on a regular Tuesday. The Claude Code incident is just the latest reminder that your security is only as strong as the weakest link in your software supply chain.
Supply Chain Security Self-Assessment
- Do you maintain a current inventory of all software and third-party dependencies running in your environment?
- Do you have a policy for vetting and approving software updates before they're deployed to production systems?
- Can your IT team quickly determine whether you're affected when a new supply chain vulnerability is disclosed?
- Do you have endpoint detection tools that can identify info-stealer malware and unauthorized network proxies?
- Has your team received training on verifying software sources and recognizing trojanized download sites?
Frequently Asked Questions
What is a software supply chain attack and why should Houston businesses care?
A software supply chain attack compromises a trusted third-party software component or update mechanism to distribute malware to downstream users. Houston businesses are at risk because nearly every modern application relies on external code packages. A single compromised dependency can affect thousands of businesses simultaneously, regardless of size or industry.
How did the Claude Code source code leak happen through an npm source map file?
Anthropic accidentally included a source map debugging file in Claude Code version 2.1.88 on the npm registry. Source maps connect minified code back to original source files for debugging. A missing exclusion rule shipped a 59.8 MB file containing all 512,000 lines of original TypeScript to the public registry where anyone could access it.
What malware was distributed using the Claude Code leak as a lure?
Attackers created fake GitHub repositories claiming to contain functional forks with "unlocked features." These distributed Vidar Stealer v18.7, which harvests credentials and browser data, and GhostSocks, which turns compromised machines into network proxies. Separately, trojanized axios npm packages containing a Remote Access Trojan were distributed in a coinciding attack.
Does my business need to worry about npm and open-source supply chain security?
Yes. Any business running web applications or modern software has dependencies on npm, PyPI, or similar registries. The Claude Code incident shows attackers actively exploit trending security events to distribute malware through fake repositories and typosquatted packages. A managed IT provider can audit your dependencies and implement controls to reduce supply chain risk.
What steps should businesses take right now to protect against supply chain attacks?
Houston businesses should maintain a current software dependency inventory, implement controlled update policies that verify packages before deployment, deploy endpoint detection tools for info-stealers and unauthorized proxies, train staff to verify software sources, and work with a managed IT provider like CinchOps to build a supply chain incident response plan.
Sources
- SecurityWeek reporting on the Adversa AI Red Team's discovery of a critical permission bypass vulnerability in Claude Code's subcommand processing
- DEV Community analysis of the Claude Code source map leak revealing 512,000 lines across 1,900 TypeScript files
- Help Net Security reporting on Zscaler's discovery of Vidar Stealer and GhostSocks malware in fake Claude Code repositories
- The Hacker News coverage of the npm packaging error, axios supply chain attack, and typosquatting campaign
- VentureBeat reporting on Anthropic's $19 billion run-rate, internal codenames, and recommended native installer migration
- The Register detailing Anthropic's confirmation of human error and the 41,500+ fork count on GitHub
- Zscaler ThreatLabz technical analysis of the malicious Claude Code repositories and indicators of compromise
- Gizmodo coverage of Anthropic's repeated security lapses including prior exposure of unpublished documents