Claude Code Source Code Leak via npm Source Map
TECH

Strategic Overview

  • 01. On March 31, 2026, Anthropic accidentally exposed the full TypeScript source code of its Claude Code CLI tool through a misconfigured npm source map file included in version 2.1.88, revealing approximately 1,900 files containing over 512,000 lines of code.
  • 02. The leak was discovered by Chaofan Shou, an intern at Solayer Labs, who posted on X: 'Claude code source code has been leaked via a map file in their npm registry!' — a post that accumulated 28.8 million views.
  • 03. This marked Anthropic's second major data exposure in under a week, following an earlier incident where nearly 3,000 internal files were found publicly accessible, revealing details about an unreleased AI model known internally as 'Mythos.'
  • 04. The leaked code revealed hidden unreleased features including BUDDY (a Tamagotchi-style AI pet), KAIROS (a persistent always-on assistant mode with nightly 'dreaming'), and an 'Undercover Mode' system prompt, while GitHub mirrors of the code rapidly accumulated over 84,000 stars.

Deep Analysis

Why This Matters

The Claude Code source code leak is significant not merely because proprietary code was exposed, but because of what it reveals about the gap between Anthropic's safety-first brand positioning and its operational security practices. Anthropic has consistently marketed itself as the most safety-conscious AI lab, yet this was the company's second major data exposure in under a week. Days earlier, nearly 3,000 internal files had been found publicly accessible, revealing details about an unreleased model codenamed 'Mythos.' As Fortune reported, the back-to-back incidents create a pattern that is difficult to dismiss as isolated bad luck.

The leak also matters because it permanently altered the competitive landscape for AI coding tools. With 512,000 lines of unobfuscated TypeScript now circulating publicly, competitors like Cursor, OpenAI Codex, and Windsurf have a literal blueprint of Claude Code's architecture, including its permission-gated tool system, context management pipeline, and complete unreleased feature roadmap. As multiple community voices noted, this competitive intelligence cannot be un-leaked. The open-source community's response was equally dramatic: mirrored repositories accumulated over 84,000 GitHub stars, and a rewrite project called 'claw-code' became one of the fastest-growing repositories in GitHub history.

How It Works

The leak originated from a single misconfigured build step. Claude Code v2.1.88, published to the npm registry, included a 60 MB source map file named cli.js.map. Source maps are development artifacts that map minified or bundled JavaScript back to the original source code. Critically, this file contained a 'sourcesContent' field that embedded the full original TypeScript source across approximately 1,900 files. As one analyst noted, 'A single misconfigured .npmignore or files field in package.json can expose everything.'

The technical root cause was that Bun, the JavaScript runtime used to build Claude Code (rather than Node.js), generates source maps by default unless explicitly disabled. Someone failed to add *.map to the project's .npmignore file, which controls what gets excluded from npm packages. Additionally, the source map file referenced a zip archive hosted on Anthropic's Cloudflare R2 storage bucket that was publicly downloadable. The combination of these oversights meant that anyone who ran 'npm install' on the package could extract the complete source code. Claude Code's internal architecture was revealed to use React with Ink for terminal rendering, Zod v4 for schema validation, and a plugin-like tool architecture with approximately 40 discrete permission-gated tools and about 50 slash commands.

By The Numbers

The scale of the leak and its aftermath can be captured in several key figures. The exposed codebase comprised over 512,000 lines of TypeScript across approximately 1,900 files, all embedded in a single 60 MB source map file. The internal architecture included around 40 discrete tools, approximately 50 slash commands, and 46,000 lines dedicated to the query engine handling LLM calls, streaming, caching, and orchestration.

The community response was extraordinary. Chaofan Shou's original X post announcing the discovery garnered 28.8 million views, 44,000 likes, and 12,000 retweets. On GitHub, mirrored repositories accumulated over 84,000 stars and 82,000 forks. The 'claw-code' rewrite project hit 50,000 stars in roughly two hours. Meanwhile, opportunistic actors published at least 5 typosquatted npm packages attempting to exploit developers searching for the leaked code.

Impacts & What's Next

The immediate impacts of the leak span competitive, security, and reputational dimensions. On the competitive front, the exposed code gives rivals a detailed understanding of Claude Code's architecture, including unreleased features like BUDDY (a Tamagotchi-style AI pet) and KAIROS (a persistent always-on assistant mode). This roadmap visibility is irreversible. On the security front, Straiker warned that 'attackers can now study and fuzz exactly how data flows through Claude Code's context management pipeline,' enabling targeted adversarial attacks designed to persist across sessions.

The concurrent supply-chain attack on the axios npm package added a dangerous complication. Users who installed or updated Claude Code between 00:21 and 03:29 UTC on March 31 may have pulled a trojanized version containing a Remote Access Trojan. This overlap between a legitimate code leak and an active supply-chain attack created a compounded threat that is rare in its severity. Looking forward, multiple community voices have argued that Anthropic should simply open-source Claude Code, noting that Google's Gemini CLI and OpenAI's Codex are already open. Whether Anthropic pivots toward transparency or doubles down on proprietary development will be a defining strategic decision.

The Bigger Picture

This incident exposes a fundamental tension in the AI industry: companies building the most sophisticated software tools in history are still vulnerable to the most basic operational failures. As Gabriel Anhaia observed, 'It's ironic -- a tool designed to help engineers write better code was undone by a build configuration oversight.' The irony deepened when it emerged that Anthropic's head of Claude Code, Boris Cherny, had recently stated that '100% of my contributions to Claude Code were written by Claude Code' -- raising questions about whether AI-assisted development pipelines introduce new blind spots in release management.

More broadly, the incident highlights the fragility of the npm ecosystem as a distribution mechanism for commercial software. A single missing line in a .npmignore file turned a routine package update into the largest unintentional source code exposure in recent AI industry history. LayerX Security's Roy Paz criticized the lack of process: 'At Anthropic, it seems that the process wasn't in place and a single misconfiguration or misclick suddenly exposed the full source code.' For the wider developer community, this serves as a stark reminder that build pipeline hygiene is not optional -- and that source maps, a standard development convenience, can become a critical attack vector when CI/CD processes lack verification steps for production artifacts.

Historical Context

2026-03-26
Nearly 3,000 internal files were found publicly accessible via Anthropic's CMS, revealing details about an unreleased AI model known internally as 'Mythos' or 'Capybara.'
2026-03-31T00:21Z
A concurrent supply-chain attack on the axios npm package injected a Remote Access Trojan. Users who installed or updated Claude Code between 00:21 and 03:29 UTC may have pulled the trojanized dependency.
2026-03-31T04:23ET
Chaofan Shou discovered and publicly disclosed the Claude Code source code leak on X, posting that it was accessible via a source map file in the npm registry.
2026-03-31
Anthropic issued an official statement acknowledging the leak: 'This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again.'
2026-03-31
GitHub mirrors of the leaked code rapidly accumulated over 84,000 stars and 82,000 forks. The 'claw-code' project, which rewrote core logic in Rust and Python, hit 50,000 stars in approximately two hours.

Power Map

Key Players

Anthropic

Developer of Claude Code. Suffered the leak and issued an official statement calling it a 'release packaging issue caused by human error, not a security breach.' Faces compounded reputational damage as a safety-first AI lab after two data exposures in one week.

Chaofan Shou

Security researcher and intern at Solayer Labs who first discovered and publicly disclosed the leak on X, generating 28.8 million views on the original post.

Cursor, OpenAI Codex, and Windsurf

Direct competitors in the AI coding assistant space who now have access to a detailed blueprint of Claude Code's architecture, tools, and unreleased feature roadmap.

Open-source community

Rapidly mirrored, forked, and began rewriting the leaked codebase. The 'claw-code' project rewrote core logic in Rust and Python, reaching 50,000+ GitHub stars within hours.

Straiker

AI security company that analyzed the leak's implications, warning that attackers can now study Claude Code's context management pipeline to craft adversarial payloads.

Analysts

'At Anthropic, it seems that the process wasn't in place and a single misconfiguration or misclick suddenly exposed the full source code.' Criticized Anthropic's build and release processes as lacking basic safeguards.

Roy Paz
LayerX Security

'Attackers can now study and fuzz exactly how data flows through Claude Code's context management pipeline.' Warned that the exposed four-stage context management pipeline enables attackers to craft payloads that persist across sessions.

Straiker
AI Security Company

'It's ironic — a tool designed to help engineers write better code was undone by a build configuration oversight.' Noted the fundamental irony of an AI coding tool being exposed by a basic .npmignore misconfiguration.

Gabriel Anhaia
Software Engineer, technical analysis author

'In the last thirty days, 100% of my contributions to Claude Code were written by Claude Code.' This statement, made shortly before the leak, drew widespread attention given that the tool's own build process failed to prevent the exposure.

Boris Cherny
Head of Claude Code, Anthropic

The Crowd

"Claude code source code has been leaked via a map file in their npm registry!"

@Fried_rice44000

"Anthropic accidentally leaked their entire source code yesterday. What happened next is one of the most insane stories in tech history."

@Jeremybtc52000

"I was fired from Anthropic today. I was the engineer responsible for shipping the latest dev/claude code npm package."

@KevinNaughtonJr10000

"Claude Code source code has been leaked via a map file in their npm registry"

@u/Nunki08-1