15 MARCH 2026 · INCIDENT

Claude Code source code leaked via npm

512,000 lines of proprietary Claude Code source code were exposed through a missing .npmignore entry. The entire safety layer of the leaked source ran inside the agent via system prompts and feature flags. Prompts are advisory. The agent can ignore them.

What happened

A routine Claude Code release package published to npm contained the full internal source tree. The developer who ran npm publish intended to ship the built artifact. The .npmignore file was missing an entry. All 512,000 lines of proprietary source were uploaded to the public registry.

Within hours the package had been cloned, archived, and mirrored across multiple sites. Anthropic pulled the package, but copies remained.

What the leaked source revealed

The safety layer of the leaked source operated inside the agent via:

All of this is reasonable engineering. All of it runs inside the agent's process. All of it is visible to the agent. All of it can be modified or bypassed by anyone with the source code and a week of analysis.

What would have prevented it

The leak itself was caused by an npm publish command that should never have run. There was no pre-execution gate to catch it.

An external mechanical enforcement layer would have:

  1. Recognised that npm publish requires explicit authorisation
  2. Blocked the command before it executed
  3. Required a PIN override or second approver
  4. Logged the attempt for audit

CRE does all four out of the box. Package publishing is a standard rule in the default rule set. On any machine running CRE, the command would have been denied with a clear reason and an approval chain.

Prompts are advisory. The agent can ignore them under context pressure. CRE operates outside the agent. The npm publish command would have been gated, reviewed, and blocked before it executed.
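The four steps above, as an added example that is not CRE's or HookBus's own code: a minimal pre-execution gate in Python that tries a gated rule against every shell segment of a command (so `npm run build && npm publish` is caught, not just a bare `npm publish`), denies unless a single-use approval bound to that exact command is presented, and records every attempt, allowed or denied. The rule set, the approval tokens and the log format are assumptions for the example.

```python
import re
import shlex
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical default rule set: (rule name, pattern tried against each
# shell segment). Package publishing is gated; anything unmatched passes.
GATED_RULES = [("package-publish", re.compile(r"^npm publish(\s|$)"))]

# Shell connectors: a gated command chained behind "&&" must still be caught.
_CONNECTORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")

def normalise(command: str) -> str:
    """Collapse quoting and whitespace so rules see the command as the shell does."""
    return " ".join(shlex.split(command))

@dataclass
class Decision:
    allowed: bool
    rule: Optional[str]
    reason: str

@dataclass
class Gate:
    # Single-use approvals issued out of band (PIN override or second approver),
    # each bound to the exact command it authorises. Constructed for the example.
    approvals: Dict[str, str] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def evaluate(self, command: str, approval: Optional[str] = None) -> Decision:
        full = normalise(command)
        segments = [normalise(s) for s in _CONNECTORS.split(command) if s.strip()]
        matched = next((name for seg in segments for name, pat in GATED_RULES
                        if pat.search(seg)), None)
        if matched is None:
            decision = Decision(True, None, "no gated rule matched")
        elif approval is not None and self.approvals.get(approval) == full:
            del self.approvals[approval]  # one-time: cannot be replayed
            decision = Decision(True, matched, f"{matched}: approved via {approval}")
        else:
            decision = Decision(False, matched,
                                f"{matched}: requires PIN override or second approver")
        # Every attempt is logged for audit, whether it was allowed or denied.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(), "command": full,
            "rule": matched, "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision
```

A real deployment would issue the approval through a separate channel and consult the log from outside the developer's machine, since a gate the agent can edit is no better than a prompt.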

The broader lesson

This was a human error, but it was also a tooling failure. The developer was using an AI coding assistant. The assistant helped write the build script. The assistant helped run the publish command. At no point did anything external to the assistant's own logic check whether npm publish was the right thing to do on that file.

Every step was technically legitimate. The mistake was organisational, not technical. Only an organisational policy layer could have caught it.

That is what HookBus and CRE exist for.
