Anthropic Accidentally Exposes Claude Code Source via npm Source Map File

News Room
Last updated: 2026/04/07 at 7:44 AM
News Room Published 7 April 2026

Security researcher Chaofan Shou discovered on March 31 that Anthropic’s Claude Code CLI tool had its full TypeScript source code sitting in plain sight on the public npm registry. Version 2.1.88 of the @anthropic-ai/claude-code package shipped with a source map file that should never have been included. Shou posted the finding on X, where it attracted millions of views. Within hours, the complete codebase had been archived to multiple GitHub repositories, rapidly accumulating tens of thousands of stars and forks.

In a statement to CNBC, Anthropic called it “a release packaging issue caused by human error, not a security breach,” adding that no customer data or credentials were involved. The company said it is rolling out measures to prevent a recurrence.

So what went wrong? A .map file, the kind of debugging artifact that maps minified production code back to its original source, got bundled into the published npm package. That file referenced the complete, unobfuscated TypeScript source hosted on Anthropic’s own R2 cloud storage bucket, making it directly downloadable as a ZIP archive. Claude Code uses the Bun runtime, which generates source maps by default unless you explicitly disable them. Preventing this is not exotic: add *.map to .npmignore, maintain an explicit whitelist in package.json’s files field, or run npm pack --dry-run before publishing to audit what gets included.
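The audit the paragraph describes can also be run against the tarball that npm pack produces. The following Python script is an added example, not code from the article or from Anthropic: it builds a constructed tarball in memory (the bundle name and the https://example.invalid URL are placeholders) and then reports every .map entry, whether its sources point at a remote location, and whether the original source text is embedded via sourcesContent.

```python
import io
import json
import tarfile

# Constructed sample: a packed npm tarball with a bundle and a stray source map
# whose "sources" entry points at an external archive (placeholder URL).
_BUNDLE_JS = b"console.log('hi');\n//# sourceMappingURL=cli.js.map\n"
_SOURCE_MAP = json.dumps({
    "version": 3,
    "sources": ["https://example.invalid/source.zip"],  # placeholder, not a real bucket
    "sourcesContent": None,
    "mappings": "AAAA",
}).encode()


def build_sample_tarball() -> bytes:
    """Create an npm-style tarball (files under package/) entirely in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("package/cli.js", _BUNDLE_JS),
                           ("package/cli.js.map", _SOURCE_MAP)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(tgz: bytes) -> list[dict]:
    """Return one finding per .map file: where its sources point and whether
    the original source text is embedded. An empty list means nothing to fix."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".map"):
                continue
            try:
                smap = json.load(tar.extractfile(member))
            except (json.JSONDecodeError, UnicodeDecodeError):
                smap = {}  # malformed map: still report the file itself
            sources = smap.get("sources") or []
            findings.append({
                "file": member.name,
                "remote_sources": [s for s in sources
                                   if s.startswith(("http://", "https://"))],
                "embeds_source": bool(smap.get("sourcesContent")),
            })
    return findings
```

To audit a real package, replace build_sample_tarball() with the bytes of the .tgz written by npm pack and fail the release if audit_tarball() returns anything.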

As developer and security analyst Gabriel Anhaia wrote in his DEV Community analysis:

A single misconfigured .npmignore or files field in package.json can expose everything.

Notably, this is reportedly not the first time Anthropic has shipped source maps in its npm packages. Earlier versions in 2025 also included full source maps before being pulled from the registry.

(Source: Tweet on X)

It is worth noting that this is the Claude Code CLI tool, not the claude.ai web application or the LLM models themselves. As one commenter on Reddit put it:

While technically not the end of the world since frontend clients should be assumed to be reverse-engineerable anyway, it’s still a massive oops to leak the entire, unobfuscated source code, since there’s a treasure trove of extremely valuable system prompts, context / query / RAG engine design, coordinator / orchestrator logic, and the overall agent architecture in there. It’s basically a reference manual for how to design an LLM-based agent.

Not everyone agreed the damage was as severe as headlines suggested. Another commenter countered that:

Anyone who really wanted that already had it. The relevant prompts were available as free strings in the executable. The entire source code that leaked was available as minified JS.

Because Claude Code is a JavaScript application bundled with a runtime, the minified source has always been technically accessible, though having the full annotated TypeScript with original variable names, comments, and module structure provides a qualitatively different level of exposure.

What the codebase reveals is a system far more complex than Claude Code’s terminal interface suggests. Spanning approximately 1,900 TypeScript files and over 512,000 lines of code, the source has been analyzed on DEV Community, Hacker News, and in a detailed GitHub repository breakdown. Among the findings: roughly 40 discrete tools, each with its own permission gating. A query engine of approximately 46,000 lines handles LLM API calls, streaming, caching, and orchestration. Multi-agent coordination allows spawning and managing parallel worker agents. IDE bridge integrations use JWT authentication. A persistent memory system rounds out the architecture.

Buried in the source are multiple unreleased features hidden behind feature flags. KAIROS describes an autonomous daemon mode where Claude Code operates as a background agent, performing memory consolidation while the user is idle. ULTRAPLAN appears designed for offloading complex planning tasks to cloud infrastructure. BUDDY is a Tamagotchi-style AI companion complete with species, rarity tiers, and stats. Internal model codenames are visible too, with Capybara mapping to a Claude 4.6 variant and Fennec to an Opus 4.6 variant.

One detail drew particular attention: a subsystem called “Undercover Mode.” Designed to prevent Claude Code from revealing internal information when contributing to public open-source repositories, it injects prompt instructions directing the model not to reference internal codenames, unreleased version numbers, internal Slack channels, or the fact that it is an AI. The irony was not lost on observers. Anthropic built an entire subsystem to prevent its AI from leaking internal details, but a build configuration oversight exposed the entire codebase.

A Reddit commenter highlighted the security implications of the leaked orchestration logic:

If you know where and how prompt injection defenses are applied, you can more easily find a bypass. If you know the system prompts, an attacker doesn’t have to guess the preamble anymore to craft content that uses the right language to subvert the model.

Compounding the timing, a separate and unrelated supply-chain attack hit the axios npm package on the same day, first reported by StepSecurity. Between 00:21 and 03:29 UTC on March 31, malicious versions of axios (1.14.1 and 0.30.4) containing a Remote Access Trojan were published to npm. Because Claude Code depends on axios, anyone who installed or updated it during that window may have pulled in the compromised dependency. Developers should check their lockfiles for these specific versions or the dependency plain-crypto-js.
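The lockfile check suggested above can be scripted. This Python example is added here and is not from the article or from StepSecurity: it walks a package-lock.json (lockfileVersion 2/3 “packages” layout, with a fallback for the nested version 1 “dependencies” tree) and flags the two axios versions named above or any install of plain-crypto-js. The lockfile below is constructed for the example, not taken from a real project.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3), not a real project's.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "^1.0.0"}},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Versions and dependency named in the StepSecurity report cited in the article.
BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
SUSPECT_PACKAGES = {"plain-crypto-js"}


def _flatten_v1(deps: dict, prefix: str = "node_modules/") -> dict:
    """Flatten a lockfileVersion 1 'dependencies' tree into path -> metadata."""
    out = {}
    for name, meta in deps.items():
        path = prefix + name
        out[path] = meta
        out.update(_flatten_v1(meta.get("dependencies", {}), path + "/node_modules/"))
    return out


def scan_lockfile(text: str) -> list[str]:
    """Return one readable hit per installed path that matches a malicious
    axios version or the flagged dependency; nested installs are covered."""
    lock = json.loads(text)
    entries = lock.get("packages") or _flatten_v1(lock.get("dependencies") or {})
    hits = []
    for path, meta in entries.items():
        if not path:
            continue  # the "" entry is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name == "axios" and version in BAD_AXIOS_VERSIONS:
            hits.append(f"{path}: axios@{version} is a known-malicious version")
        if name in SUSPECT_PACKAGES:
            hits.append(f"{path}: unexpected dependency {name}@{version}")
    return hits
```

Run it over the real lockfile with scan_lockfile(open("package-lock.json").read()); yarn and pnpm lockfiles use different formats and need their own parser.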

For enterprise teams that rely on Claude Code as part of their development infrastructure, this raises uncomfortable questions. The source map exposure is reportedly the third instance of this class of error. It also comes less than a week after internal documents describing an upcoming model called Claude Mythos were discovered in a publicly accessible data cache, making this the second significant exposure in rapid succession. Anthropic has not yet publicly detailed specific remediation steps beyond unpublishing the affected npm versions.
