Anthropic's Claude Code Source Code Leaked via NPM Registry Map File

The proprietary source code for Anthropic's Claude Code AI coding assistant has been exposed in a significant leak. The incident occurred when a source map file, intended for debugging, was inadvertently published within the tool's public NPM (Node Package Manager) registry package. This file contained the original, unminified TypeScript source code, effectively laying bare the internal logic and architecture of a key commercial AI product.

The leak centers on the `claude-code` package hosted on npmjs.com. Source map files are common in web development, linking minified production code back to its original source for easier error diagnosis. However, their inclusion in a public package without proper vetting represents a critical oversight. The exposed code provides a detailed look at Claude Code's implementation, including potential prompts, internal structures, and logic flows that Anthropic considers intellectual property and a competitive advantage.

This breach poses immediate risks to Anthropic's commercial security and competitive positioning. Competitors and researchers can now analyze the code's construction, potentially reverse-engineering techniques or identifying vulnerabilities. For a company like Anthropic, which operates in the highly competitive and secretive frontier AI sector, such an exposure undermines technical secrecy and could influence future development roadmaps. The incident also serves as a stark warning to other AI firms about the operational security risks inherent in standard software distribution channels.