Claude Code Source Code Leaked: 512K Lines Exposed via npm
What Happened
On March 31, 2026, security researcher Chaofan Shou (@shoucccc) discovered that Anthropic's flagship AI coding tool Claude Code had its entire source code exposed through a source map file in the npm registry.
The scale is staggering: ~1,900 TypeScript files, 512,000+ lines of code, including the complete tool library, slash commands, multi-agent orchestration system, and more. Within hours, GitHub mirrors were forked over 41,500 times.
How It Happened
The root cause is simple and ironic: a source map file was included in the npm package.
Claude Code is bundled with Bun, whose bundler can emit a source map next to the bundled output, and the .map file shipped in the npm package. A source map is not just line-number mappings: when its sourcesContent field is populated it carries the original source files verbatim, and the sources field lists where each file came from. In this case the .map file also contained a reference to a zip archive hosted on Anthropic's Cloudflare R2 storage bucket, which anyone could download and decompress.
Anthropic confirmed: "This was a release packaging issue caused by human error, not a security breach. No sensitive customer data or credentials were involved."
What Was Exposed
1. Complete Tool Architecture (~40 Built-in Tools)
Claude Code uses a plugin-like tool architecture where each capability (file read/write, Bash execution, web fetch, LSP integration) is a discrete, permission-gated tool. The base tool definition alone spans 29,000 lines of TypeScript.
2. The Query Engine (46K Lines)
The brain of the operation — handles all LLM API calls, streaming, caching, and orchestration. It's the largest single module in the codebase.
3. Multi-Agent Orchestration
Claude Code can spawn sub-agents (internally called "swarms") to handle complex, parallelizable tasks. Each agent runs in its own context with specific tool permissions.
4. IDE Bridge System
A bidirectional communication layer connecting IDE extensions (VS Code, JetBrains) to the CLI via JWT-authenticated channels.
5. Capybara Model Codename
The code also confirms Anthropic is preparing to launch a new model codenamed Capybara with "fast" and "slow" variants, positioned above Opus as the most powerful commercial model. This aligns with the previously leaked "Mythos" blog draft reported by Fortune.
6. Undercover Mode
Perhaps the most ironic finding: the code contains a system specifically designed to prevent Anthropic's internal information from leaking — called "Undercover Mode." It leaked along with everything else.
Engineering Highlights
From a technical perspective, the leaked code reveals impressive engineering:
- Bun over Node.js: Leveraging dead code elimination and faster startup
- React + Ink for terminal UI: Component-based terminal rendering
- Zod v4 validation: Schema validation everywhere
- ~50 slash commands: From /commit to /review-pr
- Lazy-loaded modules: OpenTelemetry, gRPC loaded on demand
Two Leaks in One Week
This is Anthropic's second data leak in a single week. Days earlier, Fortune reported the company had accidentally made ~3,000 files public, including a draft blog post about a powerful upcoming model (Mythos/Capybara) described as presenting unprecedented cybersecurity risks.
Impact Analysis
Competitive landscape: Competitors can reverse-engineer Claude Code's agentic harness. Open-source alternatives may emerge based on the leaked code.
Security concerns: Researcher Roy Paz warned that the code reveals how Claude Code connects to Anthropic's internal systems, potentially creating exploitation opportunities even without encryption keys.
Lessons for developers:
- Always run npm pack --dry-run (or npm publish --dry-run) before publishing and read the file list it prints; anything you did not expect to ship is a finding
- Source maps ARE source code: a .map with sourcesContent embedded is the full original tree, so never include them in production packages
- Prefer an explicit files allowlist in package.json over a .npmignore denylist; a denylist silently fails the first time a build tool emits a new artifact
- Even the biggest companies make basic mistakes: build pipeline security reviews are non-negotiable
Conclusion
The Claude Code leak is both a major embarrassment for Anthropic and a rare technical window into the state of the art in AI coding tools. 512,000 lines of code reveal the full architectural picture of today's most advanced AI programming assistant — tool systems, permission controls, multi-agent orchestration, IDE bridges, and persistent memory.
For AI Agent practitioners, these architectural patterns are worth studying deeply. And for every developer who publishes npm packages, remember: check your .npmignore, and better still, declare an explicit files allowlist in package.json so a forgotten build artifact cannot ship by default.
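The closing advice, as an added configuration example that is not taken from Claude Code's or any real package's manifest. The first manifest relies on a .npmignore denylist; if that file forgets *.map (or the bundler starts emitting a new artifact), the map ships. The second declares an explicit files allowlist, so only the listed paths ever enter the tarball, and runs a dry-run pack step before publish. The package name, script name and audit script are assumptions for illustration.

```json
{
  "name": "example-cli",
  "version": "1.0.0",
  "bin": { "example-cli": "cli.js" },
  "scripts": {
    "build": "bun build src/index.ts --outfile cli.js",
    "prepublishOnly": "npm pack --dry-run --json > pack.json && node audit-pack.js pack.json"
  },
  "files": [
    "cli.js",
    "README.md",
    "LICENSE"
  ]
}
```

With files set, cli.js.map is excluded whether or not .npmignore mentions it, and the prepublishOnly hook fails the publish if the dry-run file list still contains anything the audit script flags. Run npm publish --dry-run once more after editing the manifest to confirm the printed file list is exactly the allowlist.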