Anthropic Left Claude Code’s Source Code in Its npm Package for Anyone to Download
By the time the community had finished reading Shou’s post on X, the code had already been archived across multiple GitHub repositories, accruing over 1,100 stars and 1,900 forks within hours of discovery.
Chaofan Shou, a security researcher and intern at Fuzzland, was poking around the @anthropic-ai/claude-code npm package on March 31, 2026, when he found something that should not have been there: a source map file pointing to a public Cloudflare R2 storage bucket containing the full, unobfuscated TypeScript source code of one of the most commercially significant AI tools on the market.
The entire codebase. 1,906 files. Over 512,000 lines. Downloadable as a zip.
By the time the community had finished reading Shou’s post on X, the code had already been archived across multiple GitHub repositories, accruing over 1,100 stars and 1,900 forks within hours of discovery.
How the Leak Actually Happened
Source maps are a build artifact. When you compile TypeScript or bundle JavaScript with a tool like esbuild or webpack, the output is minified — compressed to a single dense file that no human wants to read. Source maps bridge the gap: they record a mapping from that minified output back to the original source so that when something crashes in production, the stack trace shows you the actual file and line number instead of line 1, column 284719.
They are a debugging convenience. They have no business shipping in a production npm package.
When Anthropic published the Claude Code CLI, the build pipeline included a .map file that referenced the full source tree. That source tree was sitting in a public R2 bucket. Anyone who knew to look at the source map file could reconstruct the exact URL and download the archive directly.
This is not a sophisticated attack. There is no CVE here. No firewall was bypassed. The file was publicly accessible because the build configuration said it should be. A missing entry in .npmignore or an incomplete files field in package.json is all it took.
Worth noting: this is not the first time. Earlier versions of Claude Code had exposed source maps in February 2025. The same class of error, same mechanism, different package version.
What the Codebase Actually Contains
The leaked source reveals that Claude Code is not a thin wrapper around an API with some bash sugar on top. The architecture is substantially more complex than public documentation suggested.
The query engine is the largest single module at around 46,000 lines of TypeScript. It handles LLM API calls, streaming, response caching, token budget management, and the orchestration logic that decides when to invoke tools versus when to respond directly. This is the part that does the actual work.
The tool system comprises approximately 40 discrete tools, each gated by its own permission layer. File reads, file writes, bash execution, web fetching, LSP integration, MCP server communication, and computer use capabilities are all separate, auditable modules. The base tool definition alone runs to 29,000 lines. Every tool input goes through Zod v4 schema validation before execution.
Multi-agent orchestration is in there and fully implemented. Claude Code can spawn what the codebase calls “swarms” of sub-agents to handle tasks in parallel. Each sub-agent runs in an isolated context with its own tool permission set. This explains some of the latency characteristics users have reported on complex tasks.
The IDE bridge is a bidirectional communication layer, JWT-authenticated, that connects the CLI to VS Code and JetBrains extensions. The architectural separation between the terminal process and the IDE extension is cleaner than most people assumed.
The memory system is file-based persistence. Claude stores context about your project, your preferences, and session history in a local directory that survives restarts. The implementation is straightforward but the scope of what gets stored is broader than the public feature descriptions implied.
The runtime choice is Bun, not Node. They get faster startup times and dead code elimination on feature flags, which matters for a CLI tool where cold start latency is directly visible to the user. The terminal UI is built with Ink, which is React for terminal rendering. State management in a shell tool runs on the same component model as a web app.
The Feature Flag List Is a Roadmap
The constants file for beta features is, effectively, Anthropic’s near-term shipping roadmap with dates attached.
Some notable entries:
'context-1m-2025-08-07' // 1M token context window
'structured-outputs-2025-12-15' // Structured output format
'advanced-tool-use-2025-11-20' // Advanced tool use
'effort-2025-11-24' // Effort level control
'task-budgets-2026-03-13' // Task budget management
'fast-mode-2026-02-01' // Fast mode (Penguin)
'redact-thinking-2026-02-12' // Redacted thinking
'afk-mode-2026-01-31' // AFK mode
'token-efficient-tools-2026-03-28' // Token-efficient tool schemas
“Fast mode (Penguin)” is a codename. “AFK mode” suggests some form of autonomous background execution. “Redacted thinking” implies extended reasoning output that gets stripped before the user sees it. These are not announced features. They are internal flags that shipped in a file that should have been excluded from the package.
There is also an entire gacha system in the codebase, gated behind a BUDDY compile-time feature flag. Species names are obfuscated via character code arrays. Rarity tiers, shiny variants, procedurally generated stats, an initial description written by Claude on first hatch. It is unclear whether this was ever intended for production or exists purely as internal developer entertainment. Either way, it is now documented publicly.
The Build Pipeline Is the Attack Surface
The security angle here is not about the contents of the leaked code. It is about what the leak demonstrates.
Anthropic built a production-grade AI coding agent with sophisticated permission systems, sandboxing, and safety controls. The code itself shows careful engineering around what Claude can and cannot do without user approval. And then a misconfigured build step shipped the entire thing in readable form to the public npm registry.
The .npmignore file controls what gets excluded from published packages. The files field in package.json controls what gets included. One of these failed. The consequence was total source exposure for one of the company's primary commercial products.
For any team shipping npm packages: audit your publish configuration. Run npm pack --dry-run before every release and inspect the file list. Check that .map files are excluded. Check that source directories are excluded. Add this to your CI pipeline, not as a manual step. Manual steps get skipped.
The --source-maps flag or sourceRoot config in your bundler controls whether map files reference external source. If you need source maps for internal debugging, generate them without shipping the originals to the registry. Tools like esbuild support --sources-content=false and excluding the source root from the map entirely. Use that.
What the Community Did With It
Within hours of the archive going public, multiple forks appeared. One repository added an MCP server on top of the leaked source, letting any MCP-compatible client query the codebase interactively. Another person ported the core architecture to Python using an AI orchestration workflow, pushing before sunrise the same day.
The community reaction is roughly split between developers studying the architecture for legitimate research and people who want to understand what a production agentic coding system actually looks like from the inside. There is a subset just enjoying the irony.
The code is now permanently available. Anthropic can remove the source map from future package versions, and presumably already has, but the archive is mirrored across enough repositories that the genie is not going back in the bottle.
What This Actually Means
Claude Code is reportedly a significant revenue driver for Anthropic. The company has positioned itself carefully around safety, responsible development, and rigorous engineering practice. A source exposure this complete, from a packaging error this basic, lands differently than an external breach would.
The architecture is impressive. The query engine, the tool permission model, the multi-agent orchestration, the IDE bridge work, the Bun runtime choice, the Zod validation layer. This is not a weekend project. Real engineering went into this.
And then someone forgot to exclude .map files from the npm publish.
The lesson is not that Anthropic is incompetent. The lesson is that secure systems fail at their boundaries, and the boundary between source code and a public package registry is exactly where that failure happened. No amount of internal code quality protects you from a build configuration that does not match your assumptions about what is public.
Check your build pipeline. Not once. On every release.
Want to see the source code for yourself? Download it here for free.
More stories from Aeon Flex:
