devtake.dev

Claude Code's full source leaked on npm. A stray source-map file gave away every line.

Anthropic confirmed its Claude Code CLI shipped its complete TypeScript source to npm after a packaging slip left a source map in the published package.

Luca Reinhardt · · 4 min read · 3 sources
Claude Code branding over a terminal, illustrating the leaked source code on npm
Image via The Hacker News · Source

Anthropic confirmed that Claude Code shipped its own source code to the public npm registry. A packaging mistake left a source map in one release, and the file pointed straight at the unminified TypeScript behind the popular coding agent.

The exposure landed in version 2.1.88 of the @anthropic-ai/claude-code package, published in late March. By the time anyone noticed, the complete codebase had already been mirrored to GitHub repositories that pulled in tens of thousands of stars. Anthropic confirmed the slip and called it human error rather than a breach, but the source was already out and unrecallable. That’s the part that matters beyond one vendor: the same one-line config gap that exposed a frontier AI lab’s flagship tool sits in countless package builds right now. This is the kind of own-goal that any team publishing to npm can score, which is exactly why it’s worth reading past the brand name on the headline.

What we know

Anthropic confirmed the incident after researcher Chaofan Shou flagged it on March 31, and three outlets reported the same core facts.

  • The leak was real and large. The published package carried a source map referencing Claude Code’s full source: over 500,000 lines of TypeScript across nearly 2,000 files, per The Hacker News. InfoQ counted “over 500,000 lines of TypeScript code across nearly 2,000 files” too.
  • A debugging artifact did the damage. The .map file in v2.1.88 referenced the complete, unobfuscated source hosted on Anthropic’s cloud storage, SiliconANGLE reported, which made the code downloadable rather than just reverse-engineerable. The Bun runtime that builds the package generates source maps by default unless they’re explicitly turned off.
  • A researcher caught it, not an attacker. Security researcher Chaofan Shou spotted the exposed source on March 31, and the find spread across X before Anthropic pulled the version.
  • Anthropic confirmed it on the record. The company described it as “a release packaging issue caused by human error, not a security breach,” and said no customer data or credentials were affected.
  • The internals got read. People digging through the code documented Claude Code’s tool system, its query and orchestration engine, and its multi-agent “sub-agent” spawning, the kind of design notes Anthropic would normally keep in-house.

What we don’t know

Anthropic confirmed the v2.1.88 slip but hasn’t published a full postmortem, so a few things stay open.

  • Whether this was a one-off. Some reports note that earlier 2025 builds of Anthropic’s npm packages also carried source maps before removal, which would make v2.1.88 a recurrence rather than a fluke.
  • How many installs pulled the package before Anthropic yanked it on March 31, and how many of those copies still sit in local caches and lockfiles where a npm install already cached the bad version.
  • What “measures to prevent this from happening again” looks like in practice. Anthropic hasn’t published a postmortem, so we don’t know if the fix is a CI check, an allowlist, or just a reminder not to ship maps.
  • Whether anything sensitive beyond architecture rode along in the source, such as hardcoded endpoints, prompt templates, or internal feature flags that competitors can now read.

Who reported it

The Hacker News broke the confirmation under the headline “Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms”. InfoQ and SiliconANGLE covered the same incident with consistent details on the version, the file count, and Anthropic’s statement. The discovery itself traces back to Chaofan Shou’s posts. None of the coverage disputes the core facts; Anthropic owned the mistake quickly.

What this means for you

Here’s the uncomfortable part: this had nothing to do with Claude. It was a build config that nobody double-checked. Source maps are great in development and radioactive in a published package, and most bundlers emit them unless you say no. If you publish to npm, the fix costs you one command. Run npm pack --dry-run before every release and actually read the file list it prints. Better, set an explicit files allowlist in package.json so only the artifacts you name ship, instead of relying on .npmignore to catch everything you forgot. Add *.map to that ignore list too. The same packaging sloppiness is what feeds the wider npm supply-chain mess and the auth bugs hiding in agent dependencies. A leaked source map is the cheap version of that lesson. Pay it now.

Share this article

Quick reference

source map
A file that maps minified or bundled code back to its original source so debuggers show real line numbers. Shipping one in a release can expose that source.

Sources

Mentioned in this article