Anthropic’s Claude Code Source Code Exposed via npm Registry Misconfiguration
In a significant security lapse, Anthropic’s proprietary command-line interface (CLI) tool, Claude Code, has had its complete TypeScript source code inadvertently exposed. This exposure resulted from a misconfigured npm package that included a source map (`.map`) file referencing the unobfuscated codebase stored on Anthropic’s cloud infrastructure.
On March 31, 2026, security researcher Chaofan Shou publicly disclosed the incident, stating:
> Claude code source code has been leaked via a map file in their npm registry!
The npm package `@anthropic-ai/claude-code` reportedly contained a `.map` file that pointed to the complete, unminified TypeScript source. This source was directly accessible as a ZIP archive from Anthropic’s R2 cloud storage bucket. The unmodified source has since been preserved and mirrored in a public GitHub repository under the backup branch `nirholas/claude-code`.
Scope of the Exposure
The leaked codebase encompasses the entire `src/` directory of Claude Code, consisting of approximately 1,900 files and over 512,000 lines of strict TypeScript code. The architecture utilizes the Bun runtime and a React + Ink terminal UI framework. Critical subsystems of the CLI tool are included in the leak, such as:
– QueryEngine.ts: Approximately 46,000 lines driving the core large language model (LLM) API engine, including streaming, tool loops, and token tracking.
– Tool.ts: Around 29,000 lines defining all agent tool types and permission schemas.
– commands.ts: About 25,000 lines responsible for registering and executing the tool’s slash commands.
The exposed architecture details approximately 40 agent tools, including `BashTool`, `FileReadTool`, `FileEditTool`, and `AgentTool` for sub-agent spawning. Additionally, it reveals roughly 85 slash commands covering Git workflows, code review, memory management, and multi-agent orchestration.
Internal feature flags such as `PROACTIVE`, `VOICE_MODE`, `BRIDGE_MODE`, and `KAIROS` were also disclosed, indicating product features not yet publicly released.
Understanding Source Map Vulnerabilities
Source map files (`.map`) are standard tools used by developers to map compiled or minified JavaScript back to its original source code for debugging purposes. However, if these files are inadvertently included in production npm releases, they can expose proprietary source code to the public, effectively bypassing any obfuscation measures. This incident is not the first of its kind for Anthropic; a similar source map exposure was reportedly patched in early 2025.
Implications and Recommendations
The breach raises serious intellectual property concerns for Anthropic, as the exposed code includes internal API client logic, OAuth 2.0 authentication flows, permission enforcement mechanisms, multi-agent coordination protocols, and even undisclosed feature pipelines. As of now, Anthropic has not issued a public statement regarding the incident.
Organizations integrating Claude Code into their development workflows should monitor Anthropic’s official security advisories for updates. Developers are urged to review the official npm registry for patched releases and avoid using third-party mirrors of the leaked source.
