Security researcher discovers Anthropic's Claude Code CLI tool shipped with a source map file exposing complete TypeScript source code, marking the third such incident for the company.
Anthropic's Claude Code CLI tool suffered a significant exposure when version 2.1.88 shipped with a source map file that revealed the complete TypeScript source code. Security researcher Chaofan Shou discovered on March 31 that the @anthropic-ai/claude-code package included a debugging artifact that should never have been bundled with the production release.
The source map file referenced the full, unobfuscated TypeScript source hosted on Anthropic's own R2 cloud storage bucket, making it directly downloadable as a ZIP archive. Within hours of the discovery being posted on X, the complete codebase had been archived to multiple GitHub repositories, rapidly accumulating tens of thousands of stars and forks.
Anthropic characterized the incident as "a release packaging issue caused by human error, not a security breach," noting that no customer data or credentials were involved. The company stated it is rolling out measures to prevent recurrence, though this marks the third time Anthropic has shipped source maps in its npm packages.
What Went Wrong
The root cause was a .map file—a debugging artifact that maps minified production code back to its original source—getting bundled into the published npm package. Claude Code uses the Bun runtime, which generates source maps by default unless explicitly disabled. Preventing this is straightforward: add *.map to .npmignore, maintain an explicit whitelist in package.json's files field, or run npm pack --dry-run before publishing to audit what gets included.
As developer and security analyst Gabriel Anhaia wrote in his DEV Community analysis: "A single misconfigured .npmignore or files field in package.json can expose everything."
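A pre-publish gate for the audit step described above, as an added example that is not Anthropic's or the article's code. It assumes the report shape printed by npm pack --dry-run --json (an array of packages, each with a files list); the package name, paths and file contents below are constructed.

```javascript
// Constructed sample shaped like `npm pack --dry-run --json` output.
const samplePackReport = [{
  name: 'example-cli', version: '1.0.0',
  files: [
    { path: 'package.json', size: 412 },
    { path: 'cli.js', size: 9120 },
    { path: 'cli.js.map', size: 59811 },
    { path: 'vendor/helper.mjs', size: 2048 },
  ],
}];

// Constructed file contents keyed by path, standing in for reads from disk.
const sampleContents = {
  'cli.js': 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  'vendor/helper.mjs':
    'export const x = 1;\n//# sourceMappingURL=data:application/json;base64,e30=\n',
};

const MAP_FILE = /\.map$/i;
const CODE_FILE = /\.(c|m)?js$/i;
const MAP_COMMENT = /\/[\/*]#\s*sourceMappingURL=(\S+)/;

// Flags three ways a source map can ride along in a published package:
// a bundled .map file, a comment pointing at a map, and an inline data: map.
function auditPackReport(report, readFile) {
  const findings = [];
  for (const pkg of report) {
    for (const { path } of pkg.files) {
      if (MAP_FILE.test(path)) {
        findings.push({ path, issue: 'map-file' });
        continue;
      }
      if (!CODE_FILE.test(path)) continue;
      const m = MAP_COMMENT.exec(readFile(path) ?? '');
      if (!m) continue;
      const issue = m[1].startsWith('data:') ? 'inline-map' : 'map-reference';
      // Truncate the target so an inline map is not echoed into CI logs.
      findings.push({ path, issue, target: m[1].slice(0, 40) });
    }
  }
  return findings;
}

const findings = auditPackReport(samplePackReport, (p) => sampleContents[p]);
for (const f of findings) console.log(`${f.issue}\t${f.path}`);
// A release script would exit non-zero when findings.length > 0.
```

Checking for the sourceMappingURL comment as well as the .map file catches the case where the map is excluded from the package but the shipped bundle still points at a map hosted elsewhere.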
Scope and Impact
This exposure affects the Claude Code CLI tool, not the claude.ai web application or the LLMs themselves. The CLI is a JavaScript application bundled with a runtime, meaning the minified source has always been technically accessible. However, having the full annotated TypeScript with original variable names, comments, and module structure provides a qualitatively different level of exposure.
Among the findings from the leaked codebase:
- Approximately 1,900 TypeScript files and over 512,000 lines of code
- Roughly 40 discrete tools, each with its own permission gating
- A query engine of approximately 46,000 lines handling LLM API calls, streaming, caching, and orchestration
- Multi-agent coordination allowing spawning and managing parallel worker agents
- IDE bridge integrations using JWT authentication
- A persistent memory system
Unreleased Features and Internal Architecture
The source revealed multiple unreleased features hidden behind feature flags:
- KAIROS: An autonomous daemon mode where Claude Code operates as a background agent, performing memory consolidation while the user is idle
- ULTRAPLAN: Designed for offloading complex planning tasks to cloud infrastructure
- BUDDY: A Tamagotchi-style AI companion complete with species, rarity tiers, and stats
Internal model codenames were also visible, with Capybara mapping to a Claude 4.6 variant and Fennec to an Opus 4.6 variant.
One particularly notable subsystem was "Undercover Mode," designed to prevent Claude Code from revealing internal information when contributing to public open-source repositories. The subsystem injects prompt instructions telling the model not to reference internal codenames, unreleased version numbers, internal Slack channels, or the fact that it is an AI. The irony was not lost on observers: Anthropic built an entire subsystem to prevent its AI from leaking internal details, but a build configuration oversight exposed the entire codebase.
Security Implications
A Reddit commenter highlighted the security implications of the leaked orchestration logic: "If you know where and how prompt injection defenses are applied, you can more easily find a bypass. If you know the system prompts, an attacker doesn't have to guess the preamble anymore to craft content that uses the right language to subvert the model."
Compounding Factors
Compounding the timing, a separate and unrelated supply-chain attack hit the axios npm package on the same day. Between 00:21 and 03:29 UTC on March 31, malicious versions of axios (1.14.1 and 0.30.4) containing a Remote Access Trojan were published to npm. Because Claude Code depends on axios, anyone who installed or updated it during that window may have pulled in the compromised dependency. Developers should check their lockfiles for these specific versions or the dependency plain-crypto-js.
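The lockfile check recommended above, as an added example that is not from the article or from npm. It assumes a package-lock.json with lockfileVersion 2 or 3 (the "packages" map); the axios versions and the plain-crypto-js name come from the article, while the lockfile contents are constructed.

```javascript
// Indicators named in the article.
const BAD_VERSIONS = new Map([['axios', ['1.14.1', '0.30.4']]]);
const BAD_PACKAGES = new Set(['plain-crypto-js']);

// Constructed lockfile fragment (all names and versions here are sample data).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '0.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '0.30.4' },
    'node_modules/other-sdk/node_modules/axios': { version: '1.13.2' },
    'node_modules/@scope/util': { version: '2.0.0' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walks every installed copy, including nested transitive ones, because a
// clean top-level axios does not rule out a flagged copy deeper in the tree.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    const name = meta.name ?? packageNameFromPath(path);
    if (!name) continue;
    if (BAD_PACKAGES.has(name)) {
      hits.push({ path, name, version: meta.version, reason: 'flagged-package' });
    } else if ((BAD_VERSIONS.get(name) ?? []).includes(meta.version)) {
      hits.push({ path, name, version: meta.version, reason: 'flagged-version' });
    }
  }
  return hits;
}

for (const h of scanLockfile(sampleLock)) {
  console.log(`${h.reason}\t${h.name}@${h.version}\t${h.path}`);
}
```

To scan a real project, pass the parsed contents of package-lock.json to scanLockfile; lockfileVersion 1 files and yarn or pnpm lockfiles use different layouts and need their own walkers.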
Context and Timing
This incident comes less than a week after internal documents describing an upcoming model called Claude Mythos were discovered in a publicly accessible data cache, making this the second significant exposure in rapid succession for Anthropic. For enterprise teams that rely on Claude Code as part of their development infrastructure, this raises uncomfortable questions about the company's release processes and security practices.
Anthropic has not yet publicly detailed specific remediation steps beyond unpublishing the affected npm versions. The incident serves as a stark reminder that even sophisticated AI companies can make basic configuration errors with significant consequences, and that source maps—often overlooked as mere debugging artifacts—can become vectors for exposing proprietary code when included in production packages.
