Anthropic's Claude Code Source Leaked via npm — Then It Mass-DMCA'd Thousands of Unrelated GitHub Repos

Anthropic Leaked Its Own Source Code — Then Nuked Thousands of Innocent GitHub Repos

In late March 2026, npm release 2.1.88 of the Claude Code package shipped with the complete source of Claude Code: 512,000 lines across 1,900 files. The leak was not a hack — it was a packaging error by Anthropic's own release pipeline.

The Receipt

Rather than a targeted takedown, Anthropic's legal team issued DMCA notices to thousands of GitHub repositories, the majority of which had no connection to the leaked source. GitHub began processing the removals before the over-breadth was identified. Anthropic subsequently described the mass takedowns as "an accident," per TechCrunch reporting from April 1, 2026. The incident arrived the same week a $1.5B copyright judgment landed against a separate AI firm in the Bartz case, and music labels filed a new BitTorrent-style piracy suit covering 20,517 compositions.

What It Proves

Anthropic's DMCA response demonstrates what happens when AI companies treat intellectual property law as a blunt instrument. The "accident" framing does not explain how thousands of unrelated repos were flagged — automated systems operating without human review of individual targets are the only plausible mechanism. The episode also documents that Anthropic's internal release process had no gate preventing source code from shipping inside a public npm package.