Anthropic Accidentally Published Claude AI Agent Source Code in NPM Package

Anthropic inadvertently released source code for its Claude AI agent by publishing it inside an NPM package, the company confirmed, raising questions about its operational security and exposing internal details about the product's architecture and roadmap. Bloomberg first reported the leak, which sent developers combing through the released code for details about Anthropic's plans. The code, published accidentally to the NPM registry, contained approximately 500,000 lines according to Axios, which cited sources familiar with the contents. Among the details the code reportedly exposed: a Tamagotchi-style virtual pet feature and references to an always-on agent capability, according to The Verge, which analyzed portions of the leaked material. The findings suggest Anthropic has been developing more ambient and persistent agent behaviors than the company has publicly disclosed. NPM, the JavaScript package manager, is widely used by developers to distribute open-source and private software libraries. Publishing sensitive code to a public NPM registry is an operational error that has affected multiple companies; packages are publicly accessible by default unless explicitly scoped to private registries. The incident is particularly notable for Anthropic given its emphasis on responsible AI development and safety. The company has not detailed how the code was published or what internal processes failed to prevent it. Security researchers and developers moved quickly to archive the code before Anthropic could remove it, meaning the contents are likely circulating in private channels even after the public package was taken down. Anthropy said it is investigating the incident. Bloomberg and Axios reported the story on April 1, 2026.