Claude Code Source Leak: NPM Registry Map File Exposes AI Assistant's Core Code

The source code for Anthropic's Claude Code AI assistant has been publicly exposed through a map file in its official NPM registry package. This leak provides a rare, unredacted view into the proprietary architecture and internal logic of a leading AI coding tool, raising immediate security and intellectual property concerns. The exposure appears to have occurred via the inclusion of a source map file within the published npm package, a development oversight that effectively unpacked the application's core logic for anyone to examine.

The leak, first flagged in a Hacker News thread that garnered over 950 comments, centers on the `claude-code` npm package. Source map files are typically used for debugging by mapping minified production code back to the original source. In this case, the map file remained bundled with the public package, allowing the reconstruction of significant portions of Claude Code's original source code. A dedicated site, ccleaks.com, has reportedly been set up to host and navigate the leaked material. Related discussions detail findings within the code, including references to internal tools, 'frustration regexes', and an 'undercover mode', suggesting the leak reveals more than just basic function structures.

For Anthropic, this incident represents a significant operational security failure, exposing competitive algorithms and potentially creating vulnerabilities if malicious actors analyze the code for weaknesses. The AI coding assistant sector is fiercely competitive, with tools like GitHub Copilot and others vying for developer trust. The exposure of core source code could undermine confidence in Claude Code's security posture and provide rivals with unintended insights into its implementation. The scale of the discussion indicates the technical community is actively dissecting the findings, which could lead to further scrutiny of Anthropic's software supply chain practices and pressure to disclose the full impact of the breach.