Three Claude Code Security Incidents in 90 Days -- What Enterprise Teams Need to Know
News | July 5, 2026 | 10 min read

Three Claude Code security incidents in 90 days: source code leak, DMCA blunder, and session leakage bug. What enterprise teams need to know and do now.

Between March 31 and July 4, 2026, Claude Code surfaced three distinct security incidents: a 513,000-line source code leak via npm, an overbroad DMCA takedown that briefly nuked 8,100 GitHub repos, and a session leakage bug on macOS. The incidents look unrelated. They share one root: trust assumptions that did not survive contact with real-world conditions.

I've been tracking Claude Code closely since it launched. The last 90 days have been a stress test -- not just for Anthropic's engineering, but for the enterprise teams that built production workflows on top of it. Here's the incident log, what each means, and what I'd actually do about it.

What happened with the March 31 source code leak?

On March 31, 2026, Anthropic accidentally shipped 59.8 MB of source maps inside npm package v2.1.88, exposing 513,000 lines of unobfuscated TypeScript across 1,906 files. The root cause was a missing .npmignore entry -- a standard packaging gate that would have excluded debugging artifacts from the published bundle. Someone on the release team didn't add *.map to .npmignore or configure the files field in package.json to exclude them.

The leak was substantial. It revealed 44 internal feature flags, an always-on background agent codenamed KAIROS, a stealth mode designed to hide Anthropic employee contributions to open-source projects, and the full multi-agent orchestration architecture. The package was live for just over 3 hours -- between 00:21 and 03:29 UTC -- and security firm Zscaler confirmed that users who updated during that window may have pulled a trojanized HTTP client containing a remote access trojan. Anthropic called it human error and pulled the package.

The leak became what Layer5 called "the fastest-growing repo in GitHub history" within hours, as developers mirrored and studied the source. Researchers found real internals -- not scaffolding -- which meant the exposure was genuine. Within 24 hours, collateral damage started on two fronts.
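The packaging gate the release was missing can be enforced mechanically. The script below is an added example, not Anthropic's tooling: it reads the listing that `npm pack --dry-run --json` produces and fails the release if any source map or secret-looking file would be included in the tarball; the sample listing is constructed.

```python
"""Pre-publish gate that refuses to ship debugging artifacts such as source maps.
Added example, not Anthropic's tooling. Assumes the documented shape of
`npm pack --dry-run --json` output: a list with one object per tarball,
each carrying a `files` array of {"path": ..., "size": ...} entries.
The sample listing below is constructed."""
import fnmatch
import json
import subprocess

# Basename patterns that must never leave the build machine in a published tarball.
FORBIDDEN = ("*.map", ".env", ".env.*", "*.pem", "*.key")

def find_forbidden(pack_json: str, patterns=FORBIDDEN) -> list:
    """Return tarball paths whose basename matches a forbidden pattern."""
    offenders = []
    for tarball in json.loads(pack_json):
        for entry in tarball.get("files", []):
            name = entry["path"].rsplit("/", 1)[-1]
            if any(fnmatch.fnmatch(name, p) for p in patterns):
                offenders.append(entry["path"])
    return sorted(offenders)

def run_gate(cwd: str = ".") -> list:
    """Dry-run the real pack step and return offending paths (empty list = pass).
    Wire this into CI before `npm publish`; a `files` allowlist in package.json
    is not a guard on its own if it lists a whole dist/ directory."""
    out = subprocess.run(["npm", "pack", "--dry-run", "--json"], cwd=cwd,
                         capture_output=True, text=True, check=True).stdout
    return find_forbidden(out)

# Constructed listing reproducing the failure mode on the page: dist/*.map shipped.
SAMPLE_PACK = json.dumps([{
    "name": "example-cli", "version": "1.0.0", "filename": "example-cli-1.0.0.tgz",
    "files": [
        {"path": "package.json", "size": 420},
        {"path": "dist/cli.js", "size": 102400},
        {"path": "dist/cli.js.map", "size": 512000},
        {"path": "dist/tools/mcp.js.map", "size": 8000},
    ],
}])

if __name__ == "__main__":
    bad = find_forbidden(SAMPLE_PACK)
    raise SystemExit(f"refusing to publish, found: {bad}" if bad else 0)
```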

How did the DMCA takedown affect 8,100 legitimate developers?

Anthropic filed a DMCA notice to remove repos hosting the leaked source code. The notice was overbroad: GitHub processed it against the entire fork network -- 8,100 repositories -- including developers who had legitimately forked Anthropic's own public Claude Code repo and had nothing to do with the leak. Repos went dark without warning.

The mechanism is a documented GitHub edge case: when a reported network has more than 100 repositories and the rights holder asserts that most forks are infringing, GitHub processes the takedown against the full network. Anthropic's head of Claude Code, Boris Cherny, said the move was accidental and retracted the bulk of the notices, ultimately limiting the permanent takedown to 1 repository and 96 forks. GitHub restored the affected repos, but developers lost access for hours.

The practical implication: any dependency on Claude Code's public GitHub fork network -- custom tooling, CI scripts, community extensions -- is exposure to Anthropic's IP enforcement decisions, including mistakes. If your team maintains Claude Code forks or custom builds, treat the public fork network as unstable infrastructure.

How did threat actors turn the leak into a malware campaign?

Within 24 hours of the source leak, threat actors created fake "leaked Claude Code" repos advertising "unlocked enterprise features" and no usage limits. Trend Micro documented the campaign: victims who downloaded the archive received a Rust-compiled Windows executable -- ClaudeCode_x64.exe -- that deployed the Vidar infostealer alongside GhostSocks proxy malware. The malicious archive updated frequently, suggesting active maintenance.

Bitdefender traced the campaign to a broader rotating lure operation active since at least February 2026, impersonating more than 25 software brands while delivering the same Rust-compiled payload. The attacker playbook is consistent: a high-profile leak creates urgency and search volume, fake repos rank quickly by front-loading stars through automated activity, and developers searching for the leaked source find the trap instead.

One identified distributor was GitHub user "idbzoomh". The campaign had no connection to Anthropic's infrastructure -- it used Claude Code's reputation, not any Anthropic systems. The victim pool was real: developers with legitimate reasons to want the leaked source were exactly the target audience. Bitdefender and BleepingComputer published indicators of compromise (IOCs) for the Vidar and GhostSocks payloads. If your team was searching for leaked Claude Code source in April 2026, run those IOCs against your endpoint logs.

What is the July 2026 session leakage bug?

On July 4, 2026, a developer filed GitHub issue #74066 describing anomalous behavior in Claude Code v2.1.199 on macOS: the agent began asking about building "a Minecraft temple" -- a task that clearly belonged to a different session. The reporter raised the possibility of cross-account leakage from a consumer plan, which would have serious implications for Enterprise Zero Data Retention (ZDR) guarantees if confirmed server-side.

A separate issue (#69669) reported that Claude Code was embedding private session identifiers inside git commit messages pushed to public repositories -- internal session state surfacing in permanent, public records. Both issues were open as of July 5, 2026, with no official Anthropic response. Investigators note that the most likely explanation is local context bleed -- where one session's transcript file contaminates another on the same machine -- rather than server-side cross-account leakage. The two failure modes have "wildly different severities," per one commenter on the thread. Session transcripts live at ~/.claude/projects/<encoded-cwd>/<session-id>.jsonl and can be inspected directly to localize where the contamination entered the context.

If you're running Claude Code in a multi-user or shared environment, verify that session transcript directories are properly isolated by user. If you're relying on Enterprise ZDR, contact Anthropic support directly and get written confirmation of what the current guarantees cover.
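A way to do that inspection across every transcript on a machine, as an added example that is not Anthropic's code. It uses the transcript layout named above and assumes two details the page does not state: each JSONL record carries `sessionId` and `cwd` fields, and the project directory name is the working directory with `/` replaced by `-`. The sample records are constructed.

```python
"""Localize cross-session context bleed in Claude Code transcript files.
Added example, not Anthropic's code. Uses the layout the article names,
~/.claude/projects/<encoded-cwd>/<session-id>.jsonl, plus two assumptions:
records carry `sessionId` and `cwd` fields, and the directory name is the
cwd with '/' replaced by '-'. The sample records below are constructed."""
import json
from pathlib import Path

def encode_cwd(cwd: str) -> str:
    """Assumed directory-name encoding of a working directory."""
    return cwd.replace("/", "-")

def scan_transcript(session_id: str, dir_name: str, lines: list, needle: str = "") -> list:
    """Flag records that do not belong here: a foreign sessionId, a cwd that
    does not match the project directory, or an optional keyword (e.g. 'minecraft')."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "reason": "unparseable record"})
            continue
        sid, cwd = rec.get("sessionId"), rec.get("cwd")
        if sid and sid != session_id:
            findings.append({"line": lineno, "reason": "foreign sessionId", "value": sid})
        if cwd and encode_cwd(cwd) != dir_name:
            findings.append({"line": lineno, "reason": "foreign cwd", "value": cwd})
        if needle and needle.lower() in raw.lower():
            findings.append({"line": lineno, "reason": "keyword", "value": needle})
    return findings

def scan_projects(root: Path = Path.home() / ".claude" / "projects", needle: str = "") -> dict:
    """Walk every project directory on this machine; return {file: findings}."""
    report = {}
    for f in root.glob("*/*.jsonl"):
        hits = scan_transcript(f.stem, f.parent.name, f.read_text(errors="replace").splitlines(), needle)
        if hits:
            report[str(f)] = hits
    return report

# Constructed transcript for session abc123 in /Users/alice/repo; line 3 is the bleed.
SAMPLE_LINES = [
    json.dumps({"sessionId": "abc123", "cwd": "/Users/alice/repo", "type": "user", "message": "run the tests"}),
    json.dumps({"sessionId": "abc123", "cwd": "/Users/alice/repo", "type": "assistant", "message": "Running pytest"}),
    json.dumps({"sessionId": "f00d42", "cwd": "/Users/alice/mc-temple", "type": "assistant",
                "message": "Shall we finish the Minecraft temple?"}),
]
```

Run `scan_projects(needle="minecraft")` on the affected Mac to get the file and line where the foreign records first appear; a hit on the user's own machine points at local context bleed, while a clean local scan is what you would take to Anthropic support.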

What is the common pattern across all three incidents?

All three incidents share a root: trust that wasn't scoped to its actual guarantees. The npm release trusted that the build pipeline excluded debug artifacts. The DMCA filing trusted that a network-wide takedown would be accurate. Enterprise users trusted that session isolation worked as documented. In each case the trust was real, but the system had an unexamined failure mode.

Supply chain security firm Coder published analysis of the npm leak arguing it exposed the same class of problem that hits every fast-moving AI product: build automation that outpaces security review. That framing is right, but it applies beyond the build system. The DMCA incident is a trust-in-legal-process failure. The session bug is a trust-in-isolation failure. Fast-moving teams accumulate trust debt the same way they accumulate technical debt -- and it comes due at the worst possible time.

Four things enterprise teams should act on now, based directly on what these incidents exposed:

  1. Pin your Claude Code version. Don't run on a floating latest tag in production. Pin to a specific release and read the changelog before rolling forward. The 3-hour trojanized window on March 31 only hit users who auto-updated. Version pinning would have contained the blast radius to zero.
  2. Enforce Enterprise SSO, not personal accounts. Personal accounts give you no audit trail, no revocation path, and no visibility into active sessions. Every Claude interaction at enterprise scale should be attributable and revocable from a single identity layer. Anthropic supports SAML-based SSO for enterprise deployments -- enable it if you haven't.
  3. Build and maintain an MCP server registry. Clutch Security found that 38% of production MCP servers are from unofficial sources, and 3% contained hardcoded credentials functioning as credential theft traps. Without a curated registry, individual developers make independent trust decisions under time pressure. That is exactly how supply chain compromises happen.
  4. Verify your ZDR guarantees under the current version. If your deployment relies on Zero Data Retention, audit it against the session leakage reports. File a support ticket and get written confirmation of what the current guarantees cover -- particularly for macOS deployments on v2.1.199 or later.
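Item 1 is the one that can be checked in CI before every deploy. The script below is an added example, not Anthropic's tooling: it verifies that the Claude Code dependency is an exact version, not a range or a dist-tag, that the committed lockfile resolves to the same version, and that the pin is not the release the article reports as affected. The npm package name is an assumption, the lockfile layout is that of package-lock.json v2/v3, and the manifests are constructed.

```python
"""CI check that Claude Code is pinned to an exact, reviewed release.
Added example, not Anthropic's tooling. The npm package name is an
assumption, the lockfile layout is that of package-lock.json v2/v3
("packages" keyed by node_modules path), and the manifests are constructed."""
import re

PACKAGE = "@anthropic-ai/claude-code"  # assumed package name
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
# Release the article reports as affected: v2.1.88 shipped source maps and, per
# Zscaler, users updating in the 3-hour window may have pulled a trojanized client.
DENYLIST = {"2.1.88"}

def check_pin(pkg: dict, lock: dict = None) -> list:
    """Return human-readable problems; an empty list means the pin is sound."""
    spec = None
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = pkg.get(section, {}).get(PACKAGE, spec)
    if spec is None:
        return [f"{PACKAGE} is not declared; nothing pins it, so a bare npm install follows the latest tag"]
    problems = []
    if not EXACT_SEMVER.match(spec):
        problems.append(f"spec '{spec}' is a range or tag, not an exact version")
    elif spec in DENYLIST:
        problems.append(f"spec '{spec}' is a release on the denylist")
    if lock is not None:
        resolved = lock.get("packages", {}).get(f"node_modules/{PACKAGE}", {}).get("version")
        if resolved is None:
            problems.append("lockfile has no entry for the package; commit the lock and use npm ci")
        elif resolved != spec:
            problems.append(f"lockfile resolved {resolved} but the manifest pins {spec}")
    return problems

# Constructed manifests: one pinned correctly, one floating on the dist-tag.
GOOD_PKG = {"dependencies": {PACKAGE: "2.1.199"}}
GOOD_LOCK = {"lockfileVersion": 3, "packages": {f"node_modules/{PACKAGE}": {"version": "2.1.199"}}}
FLOATING_PKG = {"dependencies": {PACKAGE: "latest"}}

if __name__ == "__main__":
    print(check_pin(GOOD_PKG, GOOD_LOCK), check_pin(FLOATING_PKG))
```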

FAQ

Was Claude Code's source code permanently exposed after the March 31 leak?

The npm package was pulled within hours and Anthropic issued DMCA notices targeting repos hosting the leaked code. The original 1,906-file, 513,000-line TypeScript bundle is no longer officially distributed. The code was widely mirrored before removal and persists in private archives. Anthropic has not re-released the source as open source, and enforcement against active public hosts is ongoing.

Should enterprise teams stop using Claude Code after these incidents?

No. The incidents are real but don't individually break Claude Code's core value. The npm leak was a packaging error, not an active remote code execution vulnerability in the agent. The DMCA issue resolved within hours. The session leakage bug is likely local context bleed rather than server-side compromise. The right response is tighter controls -- version pinning, SSO enforcement, ZDR verification, MCP governance -- not abandonment.

How can I tell if I downloaded malware from a fake Claude Code GitHub repo?

Claude Code is a Node.js CLI -- it does not ship as a Windows .exe. If your team downloaded anything named ClaudeCode_x64.exe or similar from an unofficial GitHub repo in April 2026, treat that machine as compromised. Run a full antivirus scan immediately using Bitdefender or Trend Micro IOCs for the Vidar and GhostSocks payloads, revoke all credentials stored on that machine, and rotate any API keys it had access to.

What is GitHub issue #74066 and how serious is it?

Issue #74066 (filed July 4, 2026) reports that Claude Code v2.1.199 on macOS injected context from a different session into an unrelated workspace -- specifically referencing a "Minecraft temple" task. The most likely cause is local context bleed between session transcript files, not server-side cross-account leakage. Check your ~/.claude/projects/ directory to localize the source before escalating to Anthropic support. No official Anthropic response as of July 5, 2026.

What is Zero Data Retention (ZDR) in Claude Code enterprise?

ZDR is an enterprise option where Anthropic does not store inputs or outputs after the API response is delivered. The session leakage bug in issue #74066 raises questions about whether ZDR guarantees hold in all edge cases on macOS v2.1.199. Enterprise teams should confirm their ZDR status directly with Anthropic support and get it in writing until this issue is resolved and patched.
