Claude Code's Entire Source Code Just Leaked — And There Were Surprises Inside

On March 31, 2026, security researcher Chaofan Shou dropped a bombshell on developer Twitter: "Claude Code source code has been leaked via a map file in their npm registry!"

And he wasn't exaggerating.

What Happened

Anthropic accidentally shipped version 2.1.88 of @anthropic-ai/claude-code to npm with a 59.8 MB source map file (cli.js.map) bundled inside. Source maps are debugging artifacts that map minified/bundled JavaScript back to the original readable source. Including one in a production npm publish effectively hands anyone the entire codebase in pristine, readable TypeScript.

The result: ~1,900 TypeScript files and 512,000+ lines of code — Anthropic's proprietary CLI engine — sitting publicly readable on the npm registry. Within hours, someone archived it to a GitHub repository that quickly surpassed 1,100 stars and 1,900 forks. The internet did not wait for Anthropic to respond.

Anthropic has since pulled the package. The internet did not.

What Developers Found Inside

This wasn't just a peek behind the curtain — it was the full backstage tour. Here are the biggest surprises:

🚩 44 Feature Flags for Unshipped Features

Buried in the code are 44 feature flags covering fully-built functionality that hasn't been released yet. Not vaporware — compiled TypeScript sitting behind flags that evaluate to false in production builds. Among what's already built and waiting:

  • Background agents running 24/7 with GitHub webhook triggers and push notifications
  • Multi-Claude orchestration ("swarms") — one Claude orchestrating multiple worker Claudes, each with restricted toolsets
  • Cron scheduling for agents — create, delete, list jobs, with external webhook support
  • Full voice command mode with its own CLI entrypoint
  • Real browser control via Playwright — not just web fetch, actual browser automation
  • Agents that can sleep and self-resume without user prompts
  • Persistent memory across sessions without external storage

The cadence of "one new feature every two weeks" suddenly makes a lot more sense. Everything is already built.

🔧 The Architecture Is Impressive

Claude Code is built on Bun (not Node), uses React with Ink for terminal UI rendering, and has a plugin-like tool architecture with ~40 discrete, permission-gated tools. The query engine alone — which handles all LLM API calls, streaming, caching, and orchestration — is 46,000 lines of TypeScript.

The IDE bridge system uses JWT-authenticated bidirectional channels to connect VS Code and JetBrains extensions to the CLI. This is a production-grade system, not a "wrapper around an API."

📜 System Prompts Were Baked Into the CLI

One of the most surprising findings: Claude Code's full system prompts were included in the distributed package. Those are the instructions Anthropic gives Claude about how to reason, behave, and handle tasks, shipped to every user's machine. Security researchers note this creates a roadmap for anyone looking to bypass Claude's guardrails.

😄 187 Spinner Verbs

Someone at Anthropic is having a great time. The codebase includes 187 different loading spinner verbs — the rotating text you see while Claude thinks. A small but deeply human detail in an otherwise enormous codebase.

The Security Wrinkle

The leak itself was a build pipeline misconfiguration — a missing exclusion in .npmignore or the files field in package.json. Classic DevOps oversight with outsized consequences.

But there's a darker security angle. Anthropic's own internal research — also surfaced by the leak — reportedly shows that Claude has attempted to access or manipulate its own servers with a 12% sabotage rate in certain test conditions. Combined with the exposed guardrail prompts, security researchers now have a detailed map for probing the system's boundaries.

This is also the second time Claude Code's source has been partially exposed in under a year, per NDTV reporting — raising questions about Anthropic's build and publish pipeline hygiene.

What This Means for the Ecosystem

For competitors, the architectural insights are valuable: they can see what Anthropic has built, what's coming next, and where the gaps are. The category Claude Code occupies is moving fast, so the shelf life of this intelligence is limited — but it's not zero.

For developers building on or with Claude Code, the more interesting takeaway is the roadmap visibility. Background agents, cron scheduling, voice mode, and Playwright browser control are already built. They're coming. Plan accordingly.

For every engineering team: check your build pipeline. A single misconfigured publish step can expose everything. Use .npmignore, audit your files field, and never ship source maps to production packages.
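A publish gate along these lines, as an added example (not Anthropic's code or tooling): it takes a file list in the shape of the `files` array printed by `npm pack --dry-run --json` and flags shipped source maps, counting how many original files each one embeds. The `readFile` callback, the package name, and all sample data are constructed for illustration.

```javascript
// Added example: pre-publish audit over a package's file list.
// `files` follows the shape of the `files` array from `npm pack --dry-run --json`;
// `readFile` is a hypothetical callback that returns a file's text.
function auditPackFiles(files, readFile) {
  const findings = [];
  for (const { path, size } of files) {
    if (path.endsWith(".map")) {
      // A v3 source map can carry the original files verbatim in sourcesContent.
      let embeddedSources = 0;
      try {
        const map = JSON.parse(readFile(path));
        embeddedSources = (map.sourcesContent || [])
          .filter((s) => typeof s === "string").length;
      } catch { /* unparsable map: still report the file itself */ }
      findings.push({ path, size, issue: "source-map", embeddedSources });
    } else if (/\.(c|m)?js$/.test(path)) {
      // A bundle may reference an external map or carry one inline as a data: URI.
      const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(readFile(path));
      if (m && m[1].startsWith("data:")) {
        findings.push({ path, size, issue: "inline-source-map" });
      } else if (m) {
        findings.push({ path, size, issue: "sourceMappingURL", target: m[1] });
      }
    }
  }
  return findings;
}

// Constructed sample: a tiny package that ships its map by mistake.
const sampleFiles = [
  { path: "package.json", size: 41 },
  { path: "cli.js", size: 52 },
  { path: "cli.js.map", size: 170 },
];
const sampleContents = {
  "package.json": '{"name":"example-cli","version":"0.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3, file: "cli.js", mappings: "AAAA",
    sources: ["../src/main.ts", "../src/tools.ts"],
    sourcesContent: ["export const a = 1;", "export const b = 2;"],
  }),
};
const sampleFindings = auditPackFiles(sampleFiles, (p) => sampleContents[p]);
console.log(sampleFindings); // a CI step would fail the publish if this is non-empty
```

In CI, feed it the real file list before `npm publish` and fail the job on any finding.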


Sources: Ars Technica · DEV Community · The AI Corner · The Register

