Version analyzed: March 31, 2026 leak
Package: @anthropic-ai/claude-code
Discovery: Chaofan Shou (@Fried_rice)

Timeline

March 31, 2026 - The Discovery

Security researcher Chaofan Shou (@Fried_rice on X/Twitter) discovered that Anthropic had accidentally published source maps alongside their minified npm package. His tweet:
“Claude code source code has been leaked via a map file in their npm registry!” @Fried_rice, March 31, 2026
The discovery spread rapidly through the developer and security communities.

What Happened

The Source Map File

When Anthropic published @anthropic-ai/claude-code to npm, they included a .map file (JavaScript source map) in the package. Source maps are typically used for debugging — they map minified/compiled code back to the original source. The source map contained a reference to a zip archive hosted on Anthropic’s R2 storage bucket (Cloudflare’s S3-compatible object storage). This archive contained the complete, unobfuscated TypeScript source code.

How Anyone Could Access It

# Step 1: Download the npm package
npm pack @anthropic-ai/claude-code

# Step 2: Extract the tarball
tar -xzf anthropic-ai-claude-code-*.tgz

# Step 3: Find the source map
cd package
cat *.js.map

# Step 4: The source map contained a URL to the full source
# Anyone could download the zip from that URL
The source was publicly accessible — no authentication required, no credentials needed, no systems breached.

What Was NOT a Hack

This is important to understand:
This was NOT:
  • A hack or exploit
  • A breach of Anthropic’s systems
  • Unauthorized access
  • Credential theft
  • A vulnerability exploitation
  • Illegal activity
This WAS:
  • An accidental publication by Anthropic
  • Publicly available on npm (the official package registry)
  • Accessible to anyone who ran npm pack
  • A configuration mistake in their build/release process

Why This Matters

The distinction is crucial:
  • No laws were broken - The files were public
  • No systems were compromised - Everything was on npm’s public registry
  • No credentials were stolen - The source was openly accessible
  • No exploitation occurred - This was a publishing mistake, not a security breach

What Was Exposed

The leak revealed approximately:
ComponentScale
Files~1,900 TypeScript files
Lines of Code512,000+ lines
Directories~35 major directories
Tools40+ tool implementations
Commands50+ slash commands

Key Exposed Components

  1. Complete Source Code
    • All TypeScript implementation files
    • Tool definitions and schemas
    • Command implementations
    • Service integrations
  2. System Prompts
    • Agent instructions
    • Tool usage guidelines
    • Context assembly logic
    • Model-specific prompts
  3. Architecture
    • Internal design patterns
    • State management approach
    • API integration details
    • Permission system implementation
  4. Configuration
    • Schema definitions (Zod)
    • Environment variable handling
    • Settings hierarchy
    • Feature flags
  5. Experimental Features
    • Feature-gated code paths
    • Internal experiments
    • Beta functionality
    • Ant-only (Anthropic employee) features

Why Source Maps Were Included

Source maps are commonly included in npm packages for debugging purposes. However, they’re typically configured to:
  1. Point to local files - Not remote URLs
  2. Be excluded from production builds - Via .npmignore
  3. Reference minified sources - Not full original source
  4. Be stripped in public releases - For proprietary code
Anthropic’s build configuration appears to have:
  • Generated source maps pointing to a remote archive
  • Included those source maps in the published package
  • Made the remote archive publicly accessible
  • Not caught this in their release process
This suggests a misconfiguration in their:
  • Build tooling (likely Bun’s bundler)
  • Release pipeline
  • Quality assurance checks
  • .npmignore or package.json files configuration

Community Response

Immediate Reaction

The security and developer communities responded quickly:
  1. Analysis began - Developers started examining the source
  2. Documentation efforts - Community members began documenting findings
  3. Security review - Researchers looked for vulnerabilities
  4. Educational use - Developers studied the architecture and patterns

What the Community Learned

The leak provided unprecedented insight into:
  • How production AI agents are built - Real-world agentic architecture
  • Tool system design - How to structure tool-calling systems
  • Permission models - Balancing autonomy with safety
  • Prompt engineering - Production-grade system prompts
  • State management - Handling complex agent state
  • MCP integration - Model Context Protocol implementation

Ethical Considerations

The community generally agreed on ethical guidelines:
Community Consensus:
  • Analyze for educational purposes ✅
  • Document architecture and patterns ✅
  • Study security implications ✅
  • Create transformative educational content ✅
  • Reproduce large code blocks verbatim ❌
  • Redistribute the source code ❌
  • Use for competing products ❌
  • Claim ownership or affiliation ❌

Anthropic’s Response

As of the documentation date, Anthropic has not publicly commented on the leak. The source maps remain in published npm packages, though future versions may address this. Typical responses to such incidents include:
  • Removing source maps from future releases
  • Updating build configurations
  • Reviewing release processes
  • Potentially rotating sensitive credentials (if any were exposed)
The source code remains copyrighted by Anthropic PBC. The leak does not change ownership or licensing.

Fair Use

Community documentation and analysis likely fall under fair use:
  • Educational purpose - Teaching about AI agent architecture
  • Transformative use - Explaining, not reproducing
  • Limited reproduction - Short snippets for illustration
  • No market harm - Educational docs don’t compete with the product

No Liability for Viewers

Accessing publicly available npm packages is not illegal. Anyone who:
  • Downloaded the package via npm pack
  • Viewed the source maps
  • Analyzed the source code
…did nothing wrong. The files were public.

Lessons for the Industry

This incident highlights important considerations for software companies:

Build Pipeline Security

  1. Review source map configurations - Ensure they don’t expose proprietary code
  2. Audit published packages - Check what actually gets uploaded to npm
  3. Implement pre-publish checks - Automated validation before release
  4. Use .npmignore properly - Exclude sensitive files

Release Process

  1. Manual review of packages - Human verification before publish
  2. Staging environments - Test package contents before production
  3. Automated scanning - Tools to detect sensitive data in packages
  4. Rollback procedures - Quick response if issues are discovered

Transparency

  1. Clear licensing - Make intentions explicit
  2. Public communication - Address incidents openly
  3. Community engagement - Work with researchers constructively

Impact on Claude Code

The leak has had several effects:

Positive

  • Increased understanding - Developers better understand how it works
  • Community contributions - Bug reports and feature suggestions
  • Educational value - Real-world example of production AI agents
  • Transparency - Users can verify security and privacy claims

Neutral

  • No security breach - No credentials or user data exposed
  • No service disruption - Claude Code continues to function normally
  • No competitive advantage - Architecture is complex to replicate

Potential Concerns

  • Intellectual property - Proprietary implementation details exposed
  • Security research - Easier to find vulnerabilities
  • Competitive analysis - Competitors can study the approach

Introduction

Back to the main introduction page

Architecture Overview

Understand the system architecture revealed by the leak

Security Overview

Security implications and considerations

Project Structure

What the leaked source code contains