Anthropic Leaks Claude Code Source via Npm Source Map

WinBuzzer, 27 days ago

Rapid Spread: An unofficial GitHub mirror of the leaked code surpassed 1,100 stars and 1,900 forks within hours of the disclosure.

A packaging error revealed Anthropic's entire Claude Code codebase, spanning nearly 1,900 TypeScript files and over 512,000 lines of code, after a source map file shipped in the tool's public npm package. Security researcher Chaofan Shou reported the finding on X on March 31, 2026.

With Claude Code's full source now circulating online, Anthropic faces its third accidental source map shipment in npm packages. According to Anthropic's February 2026 financial disclosures, Claude Code generates over $2.5 billion in annualized revenue and is used by companies including Uber, Netflix, Spotify, Salesforce, and Snowflake.

Repeated build pipeline failures for such a commercially vital product raise questions about the company's release controls. Anthropic has not issued a formal public statement about the incident.

Source map files are standard JavaScript development artifacts that map minified code back to original source. Build systems routinely generate them during compilation, but they should not be included in production packages. In this case, a .map file shipped inside the @anthropic-ai/claude-code npm package contained a link to an R2 storage bucket hosting the complete original TypeScript source.

As an npm-distributed package, Claude Code is accessible to any developer with a Node.js 18+ environment. Build artifacts like source maps, if not explicitly excluded via .npmignore or package.json configuration, ship directly to end users when published to the registry.

Unlike compiled binaries, npm packages are compressed archives (tarballs) of the build output directory, so any misconfiguration in the exclusion rules is immediately visible to anyone who installs the package.

Developer and security analyst Gabriel Anhaia, who analyzed the leaked code in detail on DEV Community, identified a packaging misconfiguration as the root cause.

"A single misconfigured .npmignore or files field in package.json can expose an entire proprietary codebase to the public."

After the disclosure, Anthropic removed the source map and unpublished affected versions from the npm registry. However, cached copies had already been downloaded and redistributed across multiple platforms, including unofficial GitHub mirrors, limiting the effectiveness of the takedown effort.

Moreover, npm's publication model places the burden of source exclusion entirely on the developer, with no automated checks for accidentally included debugging artifacts. For a company distributing proprietary code through a public registry, a single misconfigured exclusion rule becomes a single point of failure.
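The failure mode described above (a `.map` file left in the tarball, pointing at the original sources) can be caught before `npm publish` ever runs. The following is an added example and not code from Anthropic or from npm's own tooling: a Node.js pre-publish gate that takes the file list `npm pack --dry-run --json` prints (an array with one entry per package, each carrying a `files` array of `{ path, size }` objects), flags any source map or `sourceMappingURL` trailer that would ship, and summarises what each map would give away. The package contents, file names and bucket URL are constructed samples, and `auditPackage` and `summarizeSourceMap` are names chosen here.

```javascript
// Added example, not code from Anthropic or from npm: a pre-publish gate that
// inspects what `npm pack --dry-run --json` reports it would ship and fails
// the build if any source-map artifact would reach the registry.
// All file names, contents and URLs below are constructed for illustration.

// Matches `//# sourceMappingURL=...` and `/*# sourceMappingURL=... */` trailers.
const SOURCE_MAP_URL = /\/[/*][#@]\s*sourceMappingURL=(\S+)/;

// Summarise what a source map would give away: how many original files it
// names, whether it embeds their full text, and where `sourceRoot` points.
function summarizeSourceMap(mapText) {
  const map = JSON.parse(mapText);
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const embedded = Array.isArray(map.sourcesContent)
    ? map.sourcesContent.filter((s) => typeof s === 'string').length
    : 0;
  return {
    sourceCount: sources.length,
    embedsSourceText: embedded > 0,
    sourceRoot: typeof map.sourceRoot === 'string' ? map.sourceRoot : null,
  };
}

// packOutput: the parsed JSON that `npm pack --dry-run --json` prints.
// readFile: returns a packed file's text, so the gate can also catch JS whose
// sourceMappingURL trailer points at a map that is not itself in the tarball.
function auditPackage(packOutput, readFile) {
  const findings = [];
  const packed = new Set(packOutput.flatMap((pkg) => pkg.files.map((f) => f.path)));
  for (const path of packed) {
    if (path.endsWith('.map')) {
      const s = summarizeSourceMap(readFile(path));
      findings.push({
        path,
        severity: 'high',
        reason: `source map names ${s.sourceCount} original file(s)` +
          (s.embedsSourceText ? ', with their full text embedded' : '') +
          (s.sourceRoot ? `, sourceRoot=${s.sourceRoot}` : ''),
      });
      continue;
    }
    if (/\.(c|m)?js$/.test(path)) {
      const m = readFile(path).match(SOURCE_MAP_URL);
      if (!m) continue;
      const target = m[1];
      if (target.startsWith('data:')) {
        // An inline data: URL carries the whole map inside the shipped JS.
        findings.push({ path, severity: 'high', reason: 'inline (data: URL) source map embedded in shipped JS' });
      } else {
        // A dangling trailer leaks nothing by itself but shows the build
        // emitted maps; worth fixing so the next build does not ship them.
        findings.push({ path, severity: 'low', reason: `sourceMappingURL trailer points at ${target}` });
      }
    }
  }
  return { ok: findings.every((f) => f.severity !== 'high'), findings };
}

// Constructed sample of a mis-packaged build. The bucket URL is a placeholder.
const SAMPLE_FILES = {
  'package.json': '{"name":"example-cli","version":"0.0.0","bin":"dist/cli.js"}',
  'dist/cli.js': 'console.log("hello");\n//# sourceMappingURL=cli.js.map\n',
  'dist/cli.js.map': JSON.stringify({
    version: 3,
    file: 'cli.js',
    sourceRoot: 'https://storage.example.invalid/placeholder-bucket/',
    sources: ['src/cli.ts', 'src/tools/index.ts', 'src/query/engine.ts'],
    mappings: 'AAAA',
  }),
  'README.md': '# example-cli\n',
};

// Shape of `npm pack --dry-run --json` output, built from the sample above.
const SAMPLE_PACK_OUTPUT = [{
  name: 'example-cli',
  files: Object.keys(SAMPLE_FILES).map((p) => ({ path: p, size: SAMPLE_FILES[p].length })),
}];

const readSample = (p) => SAMPLE_FILES[p];

const report = auditPackage(SAMPLE_PACK_OUTPUT, readSample);
console.log(JSON.stringify(report, null, 2));
// A CI job would end with `process.exit(report.ok ? 0 : 1)` here.
```

In CI, replace the constructed sample with the parsed output of `npm pack --dry-run --json` and fail the job whenever `ok` is false. The durable fix behind the gate is an explicit allowlist in the `files` field of package.json rather than a denylist in `.npmignore`: an allowlist fails closed when the build starts emitting a new artifact, a denylist fails open.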

Anhaia's analysis provides an unusually detailed look at the architecture of a commercially dominant AI coding tool. Claude Code runs on Bun, the JavaScript runtime Anthropic acquired in December 2025, rather than Node.js. It uses React with Ink for terminal UI rendering and Zod v4 for schema validation.

By choosing Bun over Node.js, Anthropic optimized for startup speed and lower memory consumption, while the React/Ink terminal rendering layer provides a component-based UI model unusual for command-line tools. Zod v4 for runtime schema validation suggests a defense-in-depth approach to data integrity across the tool's integrations.

Furthermore, approximately 40 built-in tools, each permission-gated, form the core of Claude Code's capabilities, with the base tool definition spanning 29,000 lines of TypeScript. A separate query engine at 46,000 lines handles all large language model (LLM) API calls, streaming, caching, and sophisticated orchestration. Combined, these two subsystems account for roughly 75,000 lines of the total 512,000-line codebase.

Several unreleased features stand out among the discoveries. Claude Code's source reveals a multi-agent orchestration system with sub-agents called "swarms" for complex parallelizable tasks. A bidirectional IDE bridge connects VS Code and JetBrains extensions via JWT-authenticated channels, enabling operation across terminal and editor environments simultaneously.

In particular, JWT-based authentication for IDE connections points to a zero-trust security model between Claude Code's terminal process and editor extensions, a design choice that separates it architecturally from competitors like GitHub Copilot that rely on tighter editor integration.

References to codenames BUDDY (an AI pet companion), KAIROS (a persistent assistant), and ULTRAPLAN (cloud-based planning) suggest features in active development that have not been publicly announced. KAIROS in particular suggests Anthropic is building toward a model where Claude Code retains context across sessions rather than starting fresh each time, addressing a common developer complaint about AI coding assistants losing context between interactions.

Meanwhile, ULTRAPLAN appears designed to offload complex planning tasks to cloud infrastructure, potentially allowing Claude Code to handle larger-scale refactoring and architectural analysis that would exceed local compute constraints. If shipped, these features would position Claude Code as a persistent, multi-modal development environment rather than a session-based coding assistant, marking a significant strategic shift for Anthropic's developer tooling roadmap.

Anthropic has shipped source maps in its npm packages before. Earlier versions, including v0.2.8 and v0.2.28, released in 2025, also included full source maps.

Anthropic removed those versions from the registry after the issues were flagged, but cached copies remained accessible through npm's mirror infrastructure and local developer caches. The current leak therefore represents the third known occurrence of the same class of build pipeline failure, according to Anhaia's DEV Community analysis.

Anthropic's aggressive stance on protecting Claude Code's intellectual property makes this recurring pattern particularly notable. In April 2025, the company issued a takedown notice against a developer who reverse-engineered Claude Code, which is distributed under a restrictive non-open-source license. Accidentally exposing the very codebase it has actively defended drew pointed commentary from the developer community.

Within hours of the disclosure, a GitHub mirror surpassed 1,100 stars and 1,900 forks, and the story was rapidly discussed on Hacker News.

Beyond the source map incidents, Claude Code has faced a broader pattern of security concerns. In October 2025, researcher Johann Rehberger reported a Files API exfiltration vulnerability to Anthropic, demonstrating that malicious actors could use the tool to steal sensitive data from developer environments. The vulnerability was publicly disclosed in January 2026.

That same month, a security flaw in Anthropic's Claude Cowork tool resurfaced just days after its launch, raising questions about Anthropic's pre-release security review process. Separately, Anthropic implemented strict technical safeguards to prevent third-party applications from spoofing Claude Code and moved to block unauthorized Claude harnesses, signaling awareness of the growing attack surface around its developer tooling.

According to Anthropic's financial reports, Claude Code's annual recurring revenue more than doubled between January and February 2026. For a product scaling at that pace, a third source map leak suggests build pipeline controls have not kept pace with commercial growth.

Exposed architecture details and unreleased feature references give competitors and security researchers a detailed view of Claude Code's internals, lowering the barrier to studying its tool system design, multi-agent orchestration approach, and IDE integration architecture. While the code was already partially reconstructable through reverse engineering, having the full annotated TypeScript source with original variable names, comments, and module structure represents a qualitatively different level of exposure.

For enterprise customers that rely on Claude Code as part of their daily development infrastructure, the repeated exposure raises immediate questions about supply chain trust. Anthropic has yet to publicly detail what specific remediation steps it will take beyond unpublishing the affected npm versions or whether its CI/CD pipeline will be updated with automated source map detection to prevent a fourth occurrence.

Originally published by WinBuzzer