Update March 31, 2026: VentureBeat, DEV Community, and multiple security outlets have now confirmed all technical details below. A GitHub repository reproducing the leak (by user Kuberwastaken) gained significant traction. Reports indicate 44 hidden feature flags and approximately 20 unshipped features were visible in the exposed code. According to NDTV, this is the second time in a year Claude Code has leaked its source code.
Today, the cybersecurity and developer communities woke up to one of the more remarkable software disclosure incidents in recent memory. On March 31, 2026, security researcher Chaofan Shou discovered a 60 MB source map file in Claude Code v2.1.88's npm package, exposing 1,906 proprietary source files. What had been a carefully guarded, closed-source product was suddenly an open book, and the internet wasted no time reading it.
The culprit was not a sophisticated zero-day exploit, a nation-state threat actor, or an insider breach. It was a forgotten build artifact: a .map file.
What Is a Source Map and Why Does This Matter?
To understand the leak, you need to understand what source maps are and why they exist.
Source map (.map) files are a debugging aid. These plain text files act like a map of the original code, letting developers trace where an error actually occurred. When JavaScript code is shipped to production, it is typically "minified": compressed into a single, nearly unreadable line where variable names are shortened to single letters and all formatting is stripped out. Source maps bridge the gap between that minified production code and the human-readable original, so developers see meaningful error traces instead of cryptic references to column 48,293 of a one-line file.
The critical rule is that source maps are development tools. They should never ship with a public production package.
Claude Code ships as a single minified cli.js: 12 MB of compressed JavaScript on one line. No source maps. No comments. Variables renamed to X6, K8, b6. That was the intended state. But in version 2.1.88, something changed.
Claude Code v2.1.88 was published to npm with a 59.7 MB source map file bundled in. The entire source code of Claude Code, 1,884 TypeScript files and 64,464 lines, was sitting in plain sight in the npm package.
The Build Pipeline Failure
The underlying cause traces to a runtime choice. Claude Code's build system uses Bun, a fast JavaScript runtime and bundler. Bun generates source maps by default. Nobody turned it off. This single unchecked default in the build pipeline was all it took for the full TypeScript source to hitch a ride into the published npm package.
This was not the first time: the incident marked the second such occurrence in a year. Shipping such files in an npm release twice within a year suggests inadequate automated checks or rushed deployment practices at a company known for its AI safety focus.
The other engineering lesson is that post-build inspection must happen against the final package, not the source tree. Teams often have linters that ban secrets in repositories and CI jobs that scan Docker images. Far fewer teams inspect the exact tarball, zip, or CDN-uploaded object tree that users consume. This is exactly the gap that bit Anthropic.
What Was Inside: A Deep Dive into Proprietary Architecture
Once Chaofan Shou posted his discovery on X, the community moved fast. Multiple GitHub repositories mirroring the project appeared within hours. One amassed nearly 30,000 stars and 40,200 forks. Another had 425 stars and 520 forks, with many developers dissecting the inner workings of the tool.
What they found was remarkable:
Computer Use implementation ("Chicago"): Claude Code includes a full Computer Use implementation, internally codenamed "Chicago," built on @ant/computer-use-mcp. It provides screenshot capture, click/keyboard input, and coordinate transformation, gated to Max/Pro subscriptions with an internal bypass for Anthropic staff.
The autoDream system: Claude Code has a background memory consolidation engine called autoDream that runs as a forked subagent. It has a three-gate trigger system preventing both over-dreaming and under-dreaming. When it runs, the dream follows four strict phases: Orient (reading memory), Gather Recent Signal, Consolidate, and Write Updates. In other words, Claude Code literally "dreams" between sessions to reorganize its memory of your project.
Core LLM engine: The leaked code includes the core engine for LLM API calls, handling streaming responses, tool-call loops, thinking mode, retry logic, token counting, and permission models.
The swear word regex: An extensive regex filter containing many swear words for detecting negative sentiment in users' prompts, at an AI company. The irony of a frontier AI company using a basic regular expression to detect user frustration was not lost on the community.
The Axios Complication
The leak landed at a particularly awkward moment. Users quickly noted that Claude Code uses axios as a dependency, a library that was compromised in a separate supply chain attack announced the same day. The exposure of Claude Code's internal architecture made it easier to trace exactly how axios was being used, what endpoints it was hitting, and what data was flowing through it, information that would normally be completely opaque to outside observers.
The Community's Legal Warning
As forks and mirrors proliferated across GitHub, developers began issuing urgent warnings about the legal minefield. Full-stack developer Justin Schroeder posted on X: "Just because the source is now 'available' DOES NOT MEAN IT IS OPEN SOURCE. You are violating a license if you copy or redistribute the source code, or use their prompts in your next project. Don't do that."
Anthropic's response was swift at the package level: unpublishing v2.1.88 and rolling back to v2.1.87 within the day. But the source was already everywhere.
The Reverse Engineering That Preceded the Leak
What makes this story even richer is its backstory. Developer Andrey Kolkov published a detailed account revealing that he and others had already been manually reverse-engineering Claude Code for weeks before the leak, driven to desperation by critical bugs Anthropic wouldn't address.
Claude Code was suffering major instability: 5.4% of all tool calls were orphaned, Bun runtime crashes causing 13–15 GB memory leaks wiping out multi-hour coding sessions, and complete system deadlocks requiring hard power-offs. The community filed bug reports that went unanswered.
To trace a single code path, researchers would find a string constant, get the line number, split minified code by semicolons, count brace depth to determine scoping, and map variable names between versions, since they changed on every build. This process was repeated across 12 versions of Claude Code.
The leak, in Kolkov's framing, was almost poetic: he thanked "Claude Code" itself, writing that humans had been asked for help 17 times and Claude Code answered in 3 days, framing it as the first AI whistleblower, leaking its own source code because its creators wouldn't listen to users.
What This Means for Security
From a pure cybersecurity standpoint, this incident is a textbook case study in supply chain risk and build pipeline hygiene.
Security by obscurity collapses the moment a source map, build manifest, or error trace hands an attacker the full URL. A package can be "clean" in repo terms and still ship a disclosure path once build, upload, and mirroring are finished.
The leaked code includes internal API design, telemetry systems, and encryption tools, though no user data or model weights were exposed. The lack of user data exposure limits the immediate harm, but the exposure of internal security mechanisms lowers the bar for researchers, and attackers, looking for exploitable patterns.
There is also the trust dimension. Claude Code is increasingly used not just as a coding assistant but as part of developer security workflows β running audits, reviewing pull requests, and integrating with GitHub Actions. Security tooling attracts higher-grade scrutiny because the economics are different. Researchers do not need a direct exploit on day one for a leak like this to matter. They need a better starting point.
The Vibe Coding Critique
The leak also sparked a broader conversation about engineering culture inside AI companies. Critics pointed to one particularly damning statistic: 64,464 lines of TypeScript with zero tests, and a single print.ts function spanning 3,167 lines with 486 branch points.
One developer characterized this as what "vibe coding" looks like at scale: prompt-first, understanding-second, ship and pray. He suggested Claude Code is the poster child of what happens when you rely entirely on AI to write production software without engineering discipline.
Anthropic has previously noted publicly that Claude Code writes the majority of its own codebase. The zero-test revelation, for production software serving paying customers worldwide, will likely intensify scrutiny of that development approach.
What Comes Next
References in the leaked code to an April 1–7, 2026 teaser window hint at upcoming announcements, potentially overshadowed by the leak fallout. Expect enhanced CI/CD pipeline validations, such as mandatory source map removal scripts, to prevent recurrence.
For the cybersecurity community, the lesson is familiar but worth repeating: your threat model is not just your application code. It is your build pipeline, your package manager, your CDN, your object storage defaults, and every artifact that touches public infrastructure. One unchecked default (in this case, a Bun runtime setting nobody remembered to turn off) can expose years of proprietary engineering work in a single npm publish.
Anthropic built some genuinely impressive systems inside Claude Code. They just shipped the blueprints by accident.
This article is provided for informational and educational purposes. Redistributing, copying, or building upon Anthropic's leaked source code may constitute a violation of their intellectual property rights regardless of how the source became available.