On March 31, 2026, Anthropic accidentally published the complete source code of Claude Code - their AI coding agent - to the public NPM registry. Roughly 512,000 lines of TypeScript, exposed by a single misconfigured source map file.
Five days earlier, ~3,000 unpublished internal assets (blog drafts, model details, event plans for their unreleased "Claude Mythos" model) were found sitting in a publicly accessible data store.
Two leaks in five days. From the company that built Claude.
This post isn't about blaming Anthropic. Build systems break. Humans make packaging errors. What's interesting is the architectural pattern that would have caught this - and why every team using AI coding agents needs to understand it now.
~3,000 unpublished assets found in a publicly searchable data store linked to Anthropic's blog infrastructure. Draft blog posts revealed the existence of "Claude Mythos," an unreleased model Anthropic described internally as a "step change" in capabilities.
Version 2.1.88 of @anthropic-ai/claude-code shipped to NPM with a 59.8 MB JavaScript source map file. That source map mapped the minified production code back to the original TypeScript and pointed to a publicly accessible zip archive on Anthropic's Cloudflare R2 bucket. Security researcher Chaofan Shou found the direct link and posted it publicly.
Mirrored repositories appeared on GitHub, some accumulating tens of thousands of stars before Anthropic's DMCA takedowns hit. 512,000 lines of Claude Code are now permanently in the wild.
Anthropic called it "a release packaging issue caused by human error, not a security breach." No customer data or model weights were exposed. But the reputational and competitive damage is done.
Claude Code is an AI coding agent. It writes files, runs shell commands, executes build steps, and publishes packages. The NPM publish that leaked 512,000 lines of source code was an agent action.
And there was no gate between "agent decides to publish" and "code hits a public registry."
This is the architectural gap. AI agents are taking real-world, irreversible actions - shipping code, sending emails, making API calls, modifying databases - and the default pattern is: agent decides, action happens. No interception. No review. No audit trail.
The question isn't "how did a human make a packaging error?" The question is: why did the system allow an unchecked publish to a public registry?
An action firewall sits between an AI agent's decision and the real-world execution of that decision. Every action passes through a policy engine before it happens.
Four possible outcomes:
| Risk Level | Outcome | What Happens |
|---|---|---|
| Low | auto_allow | Action proceeds immediately. Read operations, local file writes. |
| Medium | scan_and_allow | PII redactor and secrets scanner run first. Then allow. |
| High | require_approval | Human must review and approve before action executes. |
| Prohibited | block | Action never executes. Logged and flagged. |
If the Claude Code NPM publish had run through this pattern:
The publish never happens. The leak never occurs.
AIR Gate is an open-source implementation of this pattern. Here's what the NPM publish would look like if it went through a gate:
from gate import GateClient
client = GateClient()
# AI agent wants to publish to NPM
result = client.validate_action(
agent_id="claude-code-build",
action="npm_publish",
target="@anthropic-ai/[email protected]",
payload_size="59.8MB",
contains_source_maps=True
)
# Policy engine response:
# {
# "decision": "require_approval",
# "reason": "Publishing to public registry with source maps detected",
# "risk_score": 0.92,
# "flags": ["source_maps_included", "payload_exceeds_threshold"]
# }
if result["decision"] == "require_approval":
# Route to human. Publish waits.
approval = client.request_approval(
action_id=result["action_id"],
reviewer="[email protected]"
)
The gate config that drives this is a simple YAML file:
# gate_config.yaml
policies:
- name: "block-source-maps-in-publish"
match:
action: "npm_publish"
conditions:
- contains_source_maps: true
outcome: "block"
reason: "Source maps must not be included in public packages"
- name: "require-approval-for-publish"
match:
action: "npm_publish"
outcome: "require_approval"
reason: "All public registry publishes require human review"
AI coding agents are taking actions across your entire development stack:
| Agent Action | Risk | What Could Go Wrong |
|---|---|---|
npm publish | High | Internal source code hits public registry (Anthropic leak) |
git push | High | Secrets, API keys, or internal code pushed to public repo |
docker push | High | Internal container images exposed to public registry |
curl POST to external API | Medium | Sensitive data sent to third-party services |
rm -rf | High | Destructive operations on production files |
Database DROP / DELETE | High | Irreversible data loss |
| Email/Slack send | Medium | Internal information shared externally |
| Read local files | Low | Generally safe - auto-allow |
Every one of these happens in AI coding agents today. Claude Code, GitHub Copilot Workspace, Cursor, Windsurf, Devin - they all execute real commands. The question is whether those commands pass through a gate first.
This isn't just a security best practice. For teams operating in the EU, it's becoming law.
The EU AI Act (enforcement deadline: August 2, 2026) requires two things that action firewalls directly address:
Article 14 - Human Oversight: High-risk AI systems must include mechanisms for human review of AI-assisted decisions. An action firewall's require_approval policy is a direct implementation: high-risk actions route to a human before execution.
Article 12 - Record-Keeping: AI systems must maintain tamper-evident logs of all decisions. AIR Gate's HMAC-SHA256 audit chain creates cryptographic proof of every action - what was attempted, what the policy decided, whether a human approved it, and when.
The Anthropic leak happened in the US, where there's no equivalent mandate. But the architectural pattern is the same regardless of jurisdiction: if AI agents are taking actions, those actions need gates.
If you're using AI coding agents - and in 2026, most engineering teams are - ask yourself:
If the answer to any of these is yes, you have the same architectural gap that led to the Anthropic leak.
AIR Gate is built for Python AI agent workflows - not CI/CD pipelines written in bash or TypeScript. Anthropic's actual leak happened in a Node.js build step, so AIR Gate wouldn't have caught it directly. The pattern applies, but you'd need to implement action gating in your specific build toolchain.
Also: action firewalls add friction. The require_approval step means a human has to review things. For teams shipping fast, that's a tradeoff. The question is whether the cost of review is less than the cost of a 512,000-line source code leak. For most teams, the math is obvious.
On March 31, 2026, Anthropic accidentally published ~512,000 lines of Claude Code's TypeScript source to the public NPM registry. Version 2.1.88 shipped with a 59.8 MB source map file that pointed to a zip archive on a public Cloudflare R2 bucket. This was Anthropic's second data exposure in five days - the first revealed their unreleased Claude Mythos model.
A packaging error in the build pipeline included a JavaScript source map (.map file) that contained references to the original unobfuscated TypeScript source. That source map pointed to a zip archive on a publicly accessible storage bucket. Anthropic called it "a release packaging issue caused by human error."
An interception layer between an AI agent's decision and the real-world execution of that decision. Every action (publish, push, send, delete) passes through a policy engine. Actions are classified by risk: low-risk auto-allow, medium-risk get scanned, high-risk require human approval, prohibited get blocked. AIR Gate is an open-source implementation.
Yes. If the NPM publish ran through a gate, the policy engine would flag it as high-risk. The scanner would detect source maps and internal code patterns in the payload. The action would route to a human for review. That human would see raw TypeScript instead of compiled JavaScript and catch the error before publish.
Any agent that executes real-world actions: Claude Code, GitHub Copilot Workspace, Cursor, Windsurf, Devin, and custom agents built on LangChain, CrewAI, OpenAI Agents SDK, or Google ADK. If the agent can publish, push, send, or delete, it needs a gate.
They happened concurrently but are separate incidents. The source leak was Anthropic's packaging error. The Axios trojan was a supply chain attack on a third-party library. Users who installed Claude Code via NPM on March 31 between 00:21-03:29 UTC may have been affected by both.
Not by name, but Article 14 (Human Oversight) and Article 12 (Record-Keeping) effectively require the same pattern: human review of high-risk AI actions and tamper-evident logging of all AI decisions. The enforcement deadline for high-risk systems is August 2, 2026.