On March 31, 2026, security researcher Chaofan Shou discovered that the public npm package @anthropic-ai/claude-code — Anthropic’s official CLI for Claude Code — had been shipping the complete unobfuscated TypeScript source of the tool for who knows how long. Version 2.1.88 included a stray .map file that effectively served the entire codebase to anyone who ran npm install.
By the time anyone at Anthropic noticed, the source had been mirrored, archived, and dissected on GitHub. It is now permanently public.
This article walks through what was exposed, how the packaging mistake happened, and the parts that actually matter for engineers building production AI tools.
The numbers
- ~513,000 lines of unobfuscated TypeScript
- 1,906 files in the bundle
- 59.8 MB total package size — roughly 6× the normal published size
- Released as version 2.1.88 on the public npm registry
- Discovered by a security researcher, not by Anthropic
- Rapid mirroring within hours: tens of thousands of stars and forks across multiple GitHub re-uploads
Anthropic’s statement to CNBC framed it as “a release packaging issue caused by human error, not a security breach” — and they were technically right. No customer data or credentials were exposed. But the entire client-side agent harness, every prompt, every tool definition, and every safety scaffold for Anthropic’s flagship coding agent is now permanently in the open.
How a single .map file leaked the whole codebase
The mechanics are mundane. They are also exactly the kind of thing that bites every team that does its own packaging.
- Claude Code’s build pipeline uses Bun as its runtime/bundler.
- Bun, by default, generates full source maps when bundling for production.
- A source map (.map file) is a JSON document mapping minified production code back to its original source — including the original source code itself, embedded inline.
- The Claude Code CLI was published to npm with the .map file accidentally included in the package.
- The fix is one line: add *.map to either .npmignore or the "files" array in package.json.
That one missing line meant the package ballooned to 59.8 MB, ~6× normal size. Nobody on the publishing path treated the size delta as a signal worth checking.
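To see what a build output would disclose before it ships, the sketch below audits a bundle's source map for embedded original sources, including the inline data-URI form that an exclusion rule for *.map does not catch. It is an added example, not code from Claude Code or Anthropic; the function names and sample data are constructed for illustration.

```javascript
// Added example: report how much original source a source map embeds.
// Field names (sources, sourcesContent) come from the Source Map v3 format.
function auditSourceMap(mapText) {
  const map = JSON.parse(mapText);
  const sources = map.sources || [];
  let embedded = 0;
  let bytes = 0;
  for (const c of map.sourcesContent || []) {
    // A null entry means that source file is referenced but not embedded.
    if (typeof c === "string") { embedded++; bytes += Buffer.byteLength(c); }
  }
  return { sources: sources.length, embedded, bytes };
}

// Inspect the trailing sourceMappingURL comment of a built JS file.
function auditBundle(jsText) {
  const m = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/.exec(jsText);
  if (!m) return { kind: "none" };
  const inline = /^data:application\/json[^,]*;base64,(.+)$/.exec(m[1]);
  // External reference: the .map ships (or not) as a separate file.
  if (!inline) return { kind: "external", ref: m[1] };
  // Inline map: the sources travel inside the .js file itself.
  const text = Buffer.from(inline[1], "base64").toString("utf8");
  return { kind: "inline", ...auditSourceMap(text) };
}

// Constructed sample data (hypothetical file names and contents).
const SAMPLE_MAP = JSON.stringify({
  version: 3, file: "cli.js",
  sources: ["../src/a.ts", "../src/b.ts"],
  sourcesContent: ["export const loop = 1;\n", null],
  names: [], mappings: "AAAA",
});
const EXTERNAL = 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n';
const INLINE = 'console.log("hi");\n' +
  "//# sourceMappingURL=data:application/json;base64," +
  Buffer.from(SAMPLE_MAP).toString("base64") + "\n";

console.log(auditSourceMap(SAMPLE_MAP), auditBundle(INLINE));
```

Any non-zero embedded count means the original source text is recoverable from the artifact as published.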
What was actually inside
A few categories of code that became public, ranked roughly by how interesting they are:
The agent harness
The core scaffold that turns a Claude API call into an autonomous coding agent — the loop, the tool dispatch, the conversation state, the file-system safety checks, the bash execution sandbox. This is the part competitors and open-source projects most wanted to see, and it is now a reference implementation.
Tool definitions and prompts
Every tool Claude Code exposes (Read, Edit, Write, Bash, Grep, Glob, Agent, etc.) is now visible with its exact JSON schema, its description, and any pre/post hooks. The system prompts and few-shot examples that condition Claude’s behaviour as a coding agent are also in the leak.
Safety and rate-limit logic
Client-side safety checks — what tool calls get blocked, what gets warned, how rate limiting and quota are tracked — are all visible. Bypass strategies for some of these are obvious from reading the code.
Build and CI configuration
Internal package versions, build scripts, and tooling preferences. Useful intelligence for understanding how the team works.
What was not exposed
It is worth being precise: no customer data, no API keys, no model weights, and no Anthropic-internal infrastructure code. This was the client-side CLI. The server-side Claude API is unaffected. Customer conversations, billing data, and user accounts are all unaffected.
Why this matters for the rest of us
Three concrete takeaways.
1. .map files are the new .env files
For a decade, the canonical “thing you must never publish” has been your environment file. Now add one more: source maps. Modern bundlers (Bun, esbuild, swc, webpack 5) generate them by default in production mode. They are intended to be shipped to a private symbol server or stripped before release — never bundled into a public artifact.
If you publish anything to npm, PyPI, or any registry, explicitly exclude *.map from your package and verify the published artifact size matches expectations. Running npm pack locally and inspecting the tarball before npm publish is good hygiene.
2. The “no customer data” framing misses the threat model
Anthropic is correct that no customer data leaked. But for an AI coding agent, the prompts and tool definitions are the product. They are what makes the agent good. They are also exactly what attackers need to find prompt-injection bypasses, jailbreaks, and logic flaws. “No security breach” understates what actually happened.
For any AI product, treat the agent harness — prompts, tool schemas, safety logic — as part of your threat surface. It does not have to be marked “secret” to be valuable to an attacker.
3. Package-size monitoring is a security control
A package size that suddenly jumps 6× is a glaring signal. Adding a CI check that fails publish if the package tarball grows past a threshold would have caught this in seconds. Any team publishing to a public registry should have one.
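One way to implement that gate, covering both the tarball inspection from takeaway 1 and the size threshold described here. This is an added example, not Anthropic's pipeline: it evaluates the JSON report printed by npm pack --dry-run --json, and the policy values, script name and sample reports are assumptions.

```javascript
// Added example: gate on the JSON report from `npm pack --dry-run --json`.
// Thresholds and patterns are assumptions; tune them to your package.
const POLICY = {
  maxGrowth: 1.5, // fail if the tarball exceeds 1.5x the last release
  forbidden: [/\.map$/i, /(^|\/)\.env(\..*)?$/i],
};

function checkPack(report, baselineBytes, policy = POLICY) {
  const pkg = Array.isArray(report) ? report[0] : report;
  const findings = [];
  for (const f of pkg.files) {
    if (policy.forbidden.some((re) => re.test(f.path))) {
      findings.push(`forbidden file: ${f.path} (${f.size} bytes)`);
    }
  }
  const ratio = pkg.size / baselineBytes;
  // Written as a negation so a missing or NaN baseline fails closed.
  if (!(ratio <= policy.maxGrowth)) {
    findings.push(`tarball is ${ratio.toFixed(1)}x baseline`);
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample reports (not real registry data).
const CLEAN = [{ name: "example-cli", version: "1.0.1", size: 1000000,
  files: [{ path: "package.json", size: 900 },
          { path: "cli.js", size: 3400000 }] }];
const LEAKY = [{ name: "example-cli", version: "1.0.2", size: 6000000,
  files: [...CLEAN[0].files, { path: "cli.js.map", size: 21000000 }] }];

// CLI: npm pack --dry-run --json | node check-pack.js --stdin <baselineBytes>
if (process.argv.includes("--stdin")) {
  let buf = "";
  process.stdin.setEncoding("utf8");
  process.stdin.on("data", (d) => (buf += d)).on("end", () => {
    const base = Number(process.argv[process.argv.length - 1]);
    const res = checkPack(JSON.parse(buf), base);
    res.findings.forEach((m) => console.error("FAIL " + m));
    process.exit(res.ok ? 0 : 1);
  });
}
```

Run it as a required step before npm publish, with the baseline taken from the previous release's tarball size.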
The aftermath
Within a few hours, the leaked source was archived to multiple GitHub repositories. Once that happened, no takedown was going to undo it — DMCA can pull individual mirrors, but the bytes are out and they will not come back. The fork count grew by tens of thousands within the first week.
Anthropic has since shipped patches to its release pipeline to prevent recurrence. The 2.1.88 version was unpublished from npm, and 2.1.89+ ship clean. But the social outcome is unavoidable: every competitor building a coding agent now has a free, well-engineered reference implementation to study.
What changes from here
For Anthropic specifically, this hands competitors a meaningful head start on agent design. For the rest of the industry, it is a reminder that open-source-by-accident is now a real risk class for AI tooling — and that the gap between “client-side CLI” and “core IP” is narrower than it looks when prompts and harnesses are the product.
The fix is one line in a config file. The lesson is that one line carries far more weight in 2026 than it did in 2020.
