Security researcher Chaofan Shou found the entire Claude Code source code sitting in plain sight on the npm registry this morning. A source map file, cli.js.map, was bundled into the published package. Source maps contain the original source code as strings inside a JSON file. Every file. Every comment. Every internal constant.
The numbers: roughly 1,900 TypeScript files. Over 512,000 lines of code. About 40 built-in tools and 50 slash commands. The leaked codebase was archived to GitHub within hours, where it has already passed 1,100 stars and 1,900 forks. A separate repository contains a full Python rewrite built from the exposed source.
This is the second time Claude Code's source has leaked in roughly a year. And it happened five days after Anthropic's CMS misconfiguration exposed draft launch materials for their unreleased Mythos model, including details about what the company called "unprecedented" cybersecurity risks.
How a .map file ships an entire codebase
Source maps exist so that when minified production code crashes, the stack trace points to the original file and line number instead of an unreadable blob. The format is straightforward JSON. A sourcesContent array holds the complete, unmodified source of every file that was bundled.
Claude Code uses Bun as its JavaScript runtime. Bun's bundler generates source maps by default. Unless someone explicitly disables them or adds *.map to the .npmignore file, the maps ship with the package. That is what happened here.
According to analysis by Gabriel Anhaia on DEV Community, this is not a novel attack vector. It has happened to other projects before. The fix is a single line in a config file.
What the source code reveals
The architecture is more complex than most people expected from a CLI tool.
The query engine alone is 46,000 lines of TypeScript handling all LLM API calls, streaming, caching, and orchestration. Claude Code uses React with Ink to render its terminal interface, treating the CLI like a component-based web application with state management.
It has a multi-agent orchestration system. Claude Code can spawn sub-agents it calls "swarms" to handle parallel tasks, each running in its own context with specific tool permissions. There is an IDE bridge that connects VS Code and JetBrains extensions via JWT-authenticated bidirectional channels. A persistent memory system stores context about users and projects across sessions, and a background process called "dream" consolidates that memory.
Two details stand out. First, there is a full Tamagotchi-style companion pet system called "Buddy," gated behind a compile-time feature flag. Species are determined by a deterministic gacha system seeded from the user's ID hash.
Second, and more relevant: the codebase contains an "Undercover Mode" subsystem specifically designed to prevent Anthropic's internal information from leaking into git commits and other outputs. The company built an entire feature to stop accidental disclosure of internal details. Then the build pipeline shipped the complete source code in a .map file.
The pattern matters more than the incident
One leak is a mistake. Two leaks in a week starts to look like a process problem.
The Mythos CMS leak exposed approximately 3,000 draft assets, including details about a model Anthropic describes as "a step change" in capabilities with significant cybersecurity implications. That leak was found by two independent security researchers before Anthropic noticed, according to Fortune.
Now the company's flagship developer tool has its internals exposed through a build configuration error. These are not sophisticated supply chain attacks or zero-day exploits. A CMS left in its default public state. A .map file that nobody stripped from the build. These are the kinds of oversights that show up in onboarding checklists, not post-mortems.
Anthropic positions itself as the safety-focused AI lab. Its Responsible Scaling Policy emphasizes rigorous testing and risk assessment before deployment. The Mythos leak documents specifically warned about the model's cybersecurity capabilities. The question enterprise customers should be asking: if basic deployment hygiene is failing on public-facing assets, what does internal operational security actually look like?
What we don't know yet
- Whether Anthropic has issued a statement about the npm source map leak specifically, or whether it considers the exposed code to contain any sensitive credentials, API endpoints, or internal infrastructure details beyond the architecture itself.
- How long the .map file was available in the npm package before Shou discovered it. The exposure window matters.
- Whether enterprise customers who rely on Claude Code's security model have been notified, and whether any contractual obligations around source code protection were affected.
What happens next
The GitHub repositories are not going away. Even if Anthropic files takedown requests, the code has been forked thousands of times and a complete Python port already exists. The architecture is public knowledge now.
For Anthropic, the immediate fix is trivial: strip the .map file from future npm publishes. The harder problem is the pattern. Two high-profile leaks in five days, both caused by configuration oversights rather than adversarial attacks, suggest the company's deployment review process has gaps that basic automation should catch. A CI pipeline check for source maps in npm packages takes about three lines of code.
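To make concrete both the sourcesContent point from the "How a .map file ships an entire codebase" section and the pre-publish check mentioned above, here is an added Node.js example (not code from the article or from the Claude Code project). The source map and the shipped-file list are constructed for illustration; the file list stands in for what a packaging dry run would report.

```javascript
// Added example: show what a shipped source map reveals, and gate a publish on it.
// The map below is constructed; it follows the Source Map v3 layout, where
// `sourcesContent` carries the full original text of every bundled file.
const exampleMap = JSON.stringify({
  version: 3,
  file: "cli.js",
  sources: ["src/index.ts", "src/internal/constants.ts"],
  sourcesContent: [
    "export const main = () => run();\n",
    "// internal comment survives in the map\nexport const FLAG = 'example';\n",
  ],
  mappings: "AAAA",
});

// Return the original files a source map would expose, with non-empty line counts.
// A map without `sourcesContent` only carries file names and positions.
function recoverSources(mapText) {
  const map = JSON.parse(mapText);
  if (!Array.isArray(map.sourcesContent)) return [];
  return map.sources.map((name, i) => ({
    name,
    lines: (map.sourcesContent[i] ?? "").split("\n").filter(Boolean).length,
  }));
}

// Pre-publish check: from the list of files a package is about to ship,
// return every source map (case-insensitive .map suffix).
function findShippedSourceMaps(files) {
  return files.filter((f) => /\.map$/i.test(f));
}

// Verdict for a CI step: ok only when no map file is in the tarball.
function publishGate(files) {
  const maps = findShippedSourceMaps(files);
  return { ok: maps.length === 0, maps };
}

// Stand-alone run with a constructed file list that repeats the incident's shape.
const shipped = ["package.json", "cli.js", "cli.js.map", "README.md"];
for (const src of recoverSources(exampleMap)) {
  console.log(`${src.name}: ${src.lines} line(s) recoverable from the map`);
}
const verdict = publishGate(shipped);
if (!verdict.ok) {
  console.log(`would refuse to publish: ${verdict.maps.join(", ")}`);
}
```

In a real pipeline the file list would come from the package manager's dry-run output, and a failing gate would stop the publish step.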
For the broader AI tools ecosystem, the leak offers a rare look at what production-grade AI tooling actually requires. The 46K-line query engine, the multi-agent orchestration, the IDE bridge architecture: this is the kind of infrastructure detail that competitors and open-source projects will study closely.
The irony of Undercover Mode shipping alongside the source map will be hard to live down.
Omar Rashid covers cybersecurity and technology for The Daily Vibe.