Pre-publish guardrails so npm packages do not accidentally ship debug files (like source maps) or other sensitive artifacts.
New here? Skim Understanding the leak (plain language) or open the full glossary if terms like npm, agent, or model weights are unfamiliar. The toolkit section is for people who ship JavaScript packages.
Feel free to Star the repo (top right on GitHub) if you want to keep it handy for reference.
Important
Zero Proprietary Code Policy — This project does not host or link to leaked proprietary source or binaries. It teaches release safety and ships reusable audit tooling.
Educational summary of public discussion and reporting—not independent forensic verification.
Glossary: See docs/glossary.md for LLM / weights / npm / agent / source map / supply chain explained for non-developers and data scientists.
What broke: Reporting describes a packaging error in @anthropic-ai/claude-code v2.1.88 (late March 2026): files that should not ship to every npm install user were published, which made client-side product code (CLI, tooling, prompts) much easier to reconstruct. That is not the same as “the model weights leaked.” Vendor framing: human error, not a classic intrusion—CNBC on Anthropic’s statement.
Broad agreement: (1) Weights/training data are a different asset class; consensus is they were not the exposed core here. (2) The sensitive shape of the story is orchestration: prompts, tools, permissions, workflows around the model. (3) That matches how agents are built today: model + control layer.
Often overclaimed: Internal codenames ≠ proven roadmap; “be careful / don’t hallucinate” prompts are normal guardrails, not proof the model is uniquely bad; “full prediction engines” are easy to hype—assume bounded experiments unless proven.
IP note: Public code visibility ≠ open source or a license to redistribute. When in doubt, use official vendor channels only.
- Fake “leak” downloads — Treat unofficial repos/archives as malware risk; see Zscaler ThreatLabz.
- Smarter lures — More product detail can mean more convincing malicious project layouts (hooks, config). Assume untrusted repos are hostile.
- Agents amplify mistakes — Shell + file access on a bad clone is high impact.
- Noisy news days — Pin installs; unrelated npm incidents can coincide in time.
- This repo helps publishers audit what ships; it is not a full SCA/secrets/SBOM program.
Copy: scripts/audit-package.mjs, scripts/generate-pack-manifest.mjs, scripts/compare-pack-manifest.mjs, package-audit.config.json, .github/workflows/package-audit.yml. Then run:

```sh
node scripts/audit-package.mjs
node scripts/generate-pack-manifest.mjs
node scripts/compare-pack-manifest.mjs
```

Modes: minimal = audit only · standard = audit + manifest + CI · strict = tighter package-audit.config.json / presets in configs/presets/. Details: docs/adopt-in-5-minutes.md.
CI: .github/workflows/package-audit.yml checks out the repo, uses Node 24, runs npm test when present, runs the audit, and compares to data/pack-manifest.json if you commit a baseline.
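The generate/compare step above is a drift check: commit a baseline of what the last release shipped, then fail CI when the next `npm pack` result contains a file that was not in that baseline. The block below is an added example of that idea, not the repo's own generate-pack-manifest.mjs or compare-pack-manifest.mjs. The baseline format (`{ files: { "<path>": <bytes> } }`), the `npm pack --dry-run --json` output shape (an array of packages, each with `files: [{ path, size, mode }]`), and the sample data are assumptions made for this example.

```javascript
// Added example (not the project's compare-pack-manifest.mjs). Assumed
// formats: baseline = { files: { "<path>": <bytes> } }, and the array that
// `npm pack --dry-run --json` prints, each package carrying files[{path,size}].

// Build a manifest from the JSON `npm pack --dry-run --json` prints.
function toManifest(packJson) {
  const files = {};
  for (const pkg of packJson) {
    for (const f of pkg.files ?? []) files[f.path] = f.size;
  }
  return { files };
}

// Compare the committed baseline with the current packing result.
// Any file that is new since the baseline fails the check: a path that was
// not in the last release needs a human to approve it, which is how a stray
// .map or .env is caught even when no policy rule names it. Removed files and
// files that grew past growthRatio (e.g. a bundle that silently inlined
// something) are also reported.
function comparePackManifest(baseline, current, { growthRatio = 2 } = {}) {
  const added = [];
  const removed = [];
  const grown = [];
  for (const [path, size] of Object.entries(current.files)) {
    if (!(path in baseline.files)) {
      added.push(path);
    } else if (size > baseline.files[path] * growthRatio) {
      grown.push({ path, before: baseline.files[path], after: size });
    }
  }
  for (const path of Object.keys(baseline.files)) {
    if (!(path in current.files)) removed.push(path);
  }
  const ok = added.length === 0 && removed.length === 0 && grown.length === 0;
  return { added, removed, grown, ok };
}

// Constructed sample data, not real package contents: the baseline is what
// v1.2.3 shipped; the current pack listing has picked up a source map and
// lost the LICENSE file.
const BASELINE_MANIFEST = {
  files: { "package.json": 790, "dist/cli.js": 47100, "README.md": 2210, "LICENSE": 1070 },
};
const CURRENT_PACK_JSON = [{
  name: "example-cli", version: "1.2.4",
  files: [
    { path: "package.json", size: 812, mode: 420 },
    { path: "dist/cli.js", size: 48210, mode: 493 },
    { path: "dist/cli.js.map", size: 913442, mode: 420 },
    { path: "README.md", size: 2210, mode: 420 },
  ],
}];

const report = comparePackManifest(BASELINE_MANIFEST, toManifest(CURRENT_PACK_JSON));
console.log(JSON.stringify(report, null, 2));
```

In CI you would read the current listing from `npm pack --dry-run --json` and exit non-zero when `report.ok` is false; the baseline is refreshed deliberately, in the same commit that intentionally changes what ships, so the diff is reviewed alongside the code.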
Run from a directory that has package.json (your library or CLI):

```sh
node scripts/audit-package.mjs
npm test   # in this repo only; adds confidence in the scripts
```

Strict example:

```sh
node scripts/audit-package.mjs --max-bytes=300000 --fail-on-license-missing
```
Defaults: blocks .map files, flags risky paths (secrets, VCS state, development-only directories), and enforces per-file size limits; tune via package-audit.config.json. False positives: docs/false-positives-and-tuning.md.
| Area | Path |
|---|---|
| Audit scripts | scripts/*.mjs, *.sh, *.ps1 |
| Policy | package-audit.config.json, configs/presets/ |
| CI | .github/workflows/package-audit.yml |
| Example package | examples/npm-secure-package/ |
| Incident data | data/sources.json, data/timeline.json |
| Docs | docs/ (FAQ, checklist, threat matrix, sample outputs, scope, support, runbooks) |
| Templates | .github/ISSUE_TEMPLATE/, PULL_REQUEST_TEMPLATE.md |
| Tests | tests/, npm test |
Learn more: docs/claude-code-leak-faq.md · docs/npm-hardening-checklist.md · docs/threat-model-matrix.md
npm facts (from official docs): what npm publish includes is decided by the files allowlist in package.json, falling back to .npmignore and then .gitignore when files is absent (so without a files field, anything not ignored ships; a few files such as package.json, README and LICENSE are always included); npm pack --dry-run previews the tarball contents without publishing; public buckets can widen impact if shipped artifacts (for example source maps) point there—Cloudflare R2 public buckets.
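The defaults described in the toolkit section (block .map, flag risky paths, size limits) are the policy side of the npm pack --dry-run preview above. The block below is an added example of that policy applied to the preview output, not the repo's scripts/audit-package.mjs. It assumes the JSON shape that `npm pack --dry-run --json` prints (an array of packages, each with `files: [{ path, size, mode }]`), which is what npm 7+ produces in my experience; the rule lists and the sample listing are constructed for the example.

```javascript
// Added example (not the repo's scripts/audit-package.mjs): apply a publish
// policy to the listing that `npm pack --dry-run --json` prints. Assumed
// shape: [{ name, version, files: [{ path, size, mode }] }]. Real usage:
//   npm pack --dry-run --json > pack.json
//   auditPackFiles(JSON.parse(fs.readFileSync("pack.json", "utf8")))

const POLICY = {
  maxBytes: 300000,                       // warn on any single file above this
  blockedExtensions: [".map"],            // source maps expose unbundled source
  blockedPatterns: [                      // secrets and VCS state: never ship
    /(^|\/)\.env(\.|$)/,
    /(^|\/)\.npmrc$/,
    /\.(pem|key|p12|pfx)$/i,
    /(^|\/)(id_rsa|id_ed25519)$/,
    /(^|\/)\.git\//,
  ],
  flaggedPatterns: [                      // usually development-only: review
    /(^|\/)(test|tests|__tests__|fixtures|coverage)\//,
    /(^|\/)(\.github|\.vscode|\.idea)\//,
    /\.(log|sqlite|db)$/i,
  ],
};

// Return one finding per violated rule. A file can produce both a path
// finding and a size finding.
function auditPackFiles(packJson, policy = POLICY) {
  const findings = [];
  for (const pkg of packJson) {
    for (const file of pkg.files ?? []) {
      const p = file.path;
      if (policy.blockedExtensions.some((ext) => p.endsWith(ext))) {
        findings.push({ level: "error", path: p, reason: "blocked extension" });
      } else if (policy.blockedPatterns.some((re) => re.test(p))) {
        findings.push({ level: "error", path: p, reason: "secret or VCS material" });
      } else if (policy.flaggedPatterns.some((re) => re.test(p))) {
        findings.push({ level: "warn", path: p, reason: "development-only path" });
      }
      if (file.size > policy.maxBytes) {
        findings.push({ level: "warn", path: p, reason: `size ${file.size} > ${policy.maxBytes}` });
      }
    }
  }
  return findings;
}

// Publish is blocked on any error-level finding; warnings are for review.
function shouldBlockPublish(findings) {
  return findings.some((f) => f.level === "error");
}

// Constructed sample: what a careless build might try to ship.
const SAMPLE_PACK_JSON = [{
  name: "example-cli", version: "1.2.3", filename: "example-cli-1.2.3.tgz",
  files: [
    { path: "package.json", size: 812, mode: 420 },
    { path: "dist/cli.js", size: 48210, mode: 493 },
    { path: "dist/cli.js.map", size: 913442, mode: 420 },
    { path: ".env.production", size: 120, mode: 384 },
    { path: "README.md", size: 2210, mode: 420 },
  ],
}];

const findings = auditPackFiles(SAMPLE_PACK_JSON);
for (const f of findings) console.log(`${f.level.toUpperCase()} ${f.path}: ${f.reason}`);
console.log(shouldBlockPublish(findings) ? "BLOCK publish" : "OK to publish");
```

Wire it into a prepublishOnly script so the check runs on the exact tarball npm is about to upload; auditing the working tree instead of the pack listing misses files pulled in by a missing or overly broad files field.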
- npm docs: package.json · publish · pack
- Cloudflare R2 public buckets
- Bun #28001 (tooling context, not causal proof)
- The Register · VentureBeat
- Zscaler ThreatLabz · CNBC
Full index: data/sources.json.

