Deep dive into Claude Code's source code leak

On March 31, version 2.1.88 of @anthropic-ai/claude-code shipped to npm with a 60 MB source map file (cli.js.map) that embedded the full original TypeScript source via the sourcesContent field. Approximately 500,000 lines across 1,900 files were reconstructable from it, including the system prompt and tool-use logic that controls how Claude Code operates.

What is a source map?

A source map is a .map file generated during the build step that links compiled code back to original TypeScript/JavaScript for debugging. When it includes a sourcesContent field, the full text of every original source file is embedded in the JSON.

Open-source packages like SDKs routinely ship source maps so developers can debug stack traces, but proprietary packages should not, because source maps expose the original source code.

All major bundlers (esbuild, Bun, webpack) have source maps off by default. Developers turn them on for debugging or error monitoring. The .map file lands in the same output directory as the compiled .js. The most common mistake is forgetting to exclude it from npm publish.

npm package publish configuration comparison

Key findings from Anthropic, OpenAI, Google packaging practices:

  • Claude Code's package.json has no "files" whitelist, and development files like bun.lock ship in the tarball. The same issue persists in @anthropic-ai/claude-agent-sdk.
  • OpenAI employs a cleaner practice, whitelisting only bin/ in @openai/codex via "files": ["bin"] (npm always adds package.json, README, and LICENSE regardless). Google does the same with @google/gemini-cli via "files": ["bundle/"].
  • The Claude Code team uses Bun as its package manager for both Claude Code and Agent SDK. bun.lock, a development lockfile with no purpose in a published package, ships in both tarballs.

My take:

1. Anthropic's npm publish pipeline has no downstream gate.

According to Fortune, the same type of leak occurred in February 2025. It happened again in March 2026, and the presence of bun.lock in the tarball shows that the earlier fix was applied upstream, in the build configuration, rather than at the publish step: there is no gate that verifies the package content before publishing. It will break again the next time a build config changes.

2. This is not one team's mistake. It is a Claude-wide gap.

Claude Code and Claude Agent SDK probably have a different owner than the Anthropic SDK, but both use equally bad patterns to ship everything in the directory: no "files" field in one case, ["**/*"] in the other. The different configurations also suggest no shared packaging standard. By contrast, OpenAI and Google both use whitelists.

3. Anthropic still ships like a research lab, not a software company.

Five days earlier, Anthropic's CMS was found exposing 3,000 unpublished assets through a public-by-default setting. CMS defaults to public, npm ships everything, the same npm leak happens twice. This is not negligence. It is a culture that has not yet built operational discipline.

4. Claude Code put Anthropic in enterprise supply chains. This leak may trigger reconsideration.

Claude Code is the only proprietary CLI of the three. OpenAI Codex and Google Gemini CLI are fully open source. The leak wiped out that advantage. In addition, enterprises will now weigh Claude Code's capabilities against the risk of immature DevOps practices in their supply chain.

5. CI/CD pipeline review is the highest-ROI security investment.

I wrote in the TeamPCP supply chain cascade that investing in CI/CD review generates the best return. The Claude Code leak confirms it.

Sources:

  1. Anthropic Claude Code source leak (Fortune)
  2. Claude Code source code accidentally leaked in npm package (BleepingComputer)
  3. @anthropic-ai/claude-code (npm)
  4. @openai/codex (npm)
  5. @google/gemini-cli (npm)
  6. Publishing what you mean to publish (npm blog)