Anthropic has inadvertently exposed the complete source code of Claude Code for the second time in thirteen months — through the same type of packaging oversight that security researchers describe as a basic, avoidable mistake in production software releases.

On March 31, 2026, blockchain security researcher Chaofan Shou discovered that Claude Code v2.1.88, the latest release of Anthropic’s flagship command-line coding tool, had shipped to the public npm registry with a 60MB source-map file — cli.js.map — included in the package. The file was sufficient to reconstruct the full underlying TypeScript codebase from the published build.

What Got Exposed — and What Didn’t

Understanding the scope of the leak requires a brief primer on what source maps are and why they should never ship in finished software.

When a company publishes software publicly, it typically compiles and bundles the original source code into a minified, harder-to-read format — protecting intellectual property and preventing external scrutiny of internal architecture. A source map is a development-phase file that maps the minified output back to the original, human-readable source (file names, line positions and often the source text itself). It is indispensable during internal debugging. It has no legitimate purpose in a package distributed on a public registry like npm.

According to DEV Community’s technical breakdown, the file exposed 1,906 proprietary Claude Code source files. The leaked contents span internal API design, telemetry analysis systems, encryption tooling, and inter-process communication protocols. The source map also referenced unobfuscated TypeScript sources hosted in Anthropic’s cloud storage, making the original code directly downloadable rather than requiring reconstruction.
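The two checks a release pipeline would want here, written as an added Node.js example (not the article's code and not Anthropic's tooling): a pre-publish gate that flags any `.map` file in the package file list, and an auditor that reports what a given source map would expose (file count, embedded source text, remote source references). It assumes the file list has the shape printed by `npm pack --dry-run --json`; the sample map and file list are constructed.

```javascript
// Added example, not from the article. Node.js, no dependencies.

// Return the paths in a package file list that are source maps.
// `files` is the "files" array from `npm pack --dry-run --json`: [{ path, size, mode }].
function findShippedMaps(files) {
  return files
    .map((f) => (typeof f === "string" ? f : f.path))
    .filter((p) => /\.map$/i.test(p));
}

// Pre-publish gate: ok only when no map would reach the registry.
function prepublishCheck(files) {
  const maps = findShippedMaps(files);
  return { ok: maps.length === 0, maps };
}

// Summarise how much original source a map would expose if it shipped.
function auditSourceMap(mapText) {
  const map = JSON.parse(mapText);
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const root = typeof map.sourceRoot === "string" ? map.sourceRoot : "";
  // Resolve each source against sourceRoot unless it is already an absolute URL.
  const resolved = sources.map((s) => (/^[a-z]+:\/\//i.test(s) ? s : root + s));
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return {
    sourceCount: sources.length,
    // Non-empty sourcesContent entries embed the full original text inside the map.
    embeddedSources: contents.filter((c) => typeof c === "string" && c.length > 0).length,
    // http(s) references point at downloadable originals, no reconstruction needed.
    remoteSources: resolved.filter((s) => /^https?:\/\//i.test(s)),
  };
}

// Constructed sample input (hypothetical names, not real Claude Code data).
const SAMPLE_FILES = [
  { path: "package.json", size: 512, mode: 420 },
  { path: "cli.js", size: 4000000, mode: 493 },
  { path: "cli.js.map", size: 60000000, mode: 420 },
];
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: "cli.js",
  sourceRoot: "https://storage.example.invalid/build/",
  sources: ["src/main.ts", "src/ipc/protocol.ts", "src/telemetry.ts"],
  sourcesContent: ["export const x = 1;", null, "export const y = 2;"],
  mappings: "AAAA",
});

console.log(prepublishCheck(SAMPLE_FILES)); // ok: false, maps: ["cli.js.map"]
console.log(auditSourceMap(SAMPLE_MAP));    // 3 sources, 2 embedded, 3 remote
```

In a real pipeline the file list comes from `npm pack --dry-run --json` and a non-ok result should fail the publish step before the tarball is uploaded.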

What the leak does not expose is equally important to state clearly. BlockBeats confirmed that the exposure involves client implementation code for the command-line tool only — no model weights and no user data were compromised. Conversations with Claude are not at risk. The damage is reputational and competitive: Anthropic’s internal architecture, security mechanisms, and telemetry logic are now publicly visible to anyone who chooses to examine them.

The Community Response Was Immediate

The archived repository on GitHub crossed 1,100 stars and 1,900 forks within hours of the discovery being posted publicly. The npm registry is the world’s largest public software library, meaning the package was accessible to millions of developers globally before any remediation could take place.

As of the time of writing, Anthropic has not issued a public statement on the incident.

This Has Happened Before

The reason this incident draws particular scrutiny is its precedent. According to Odaily, the same class of error — a source map file inadvertently bundled into the npm release — exposed an early version of Claude Code in February 2025. At that time, Anthropic responded by removing the affected version from npm and deleting the source map. The fix addressed the symptom in that specific release but evidently did not produce a lasting change to the release pipeline that would prevent recurrence.

That the identical oversight has now reappeared in v2.1.88, more than a year later, is what elevates this from an isolated packaging error to a process concern. A one-time mistake during an early-stage tool release is unremarkable; the same mistake recurring in a mature, widely deployed product used by professional developers and enterprise teams raises legitimate questions about what review gates exist before a Claude Code release reaches the public registry.

The Broader Implications

Shou, an intern researcher at blockchain security firm Fuzzland, flagged the issue publicly rather than through a private disclosure channel — a choice that accelerated community awareness but also ensured the window for quiet remediation closed quickly. The community discussion on Threads reflects a mix of technical curiosity about what the source code reveals and genuine concern about what the recurrence signals.

For enterprises evaluating Claude Code as part of their developer stack — particularly in the wake of Anthropic’s recent auto mode launch and its growing positioning as production-grade infrastructure — the incident is an uncomfortable data point. The tool being marketed as safe and enterprise-ready shipped twice with a mistake that any standard pre-release checklist would catch.
