Claude Code Source Leaked via npm: What It Reveals & How to Avoid It

Anthropic's 512,000-line Claude Code source just leaked via an npm source map file. Here's what the code reveals, why it happened, and how to prevent the same mistake in your builds.

Ship source maps in production for easier debugging, or strip them out to keep your source private?

March 31, 2026: one choice exposed 512,000 lines of Anthropic’s code.

Security researcher Chaofan Shou found the complete Claude Code source sitting in a 59.8 MB .map file inside the @anthropic-ai/claude-code npm package. Hours later, the codebase was mirrored across GitHub. 1,900 TypeScript files. Everything.

Here’s the realization that matters: if Anthropic – the company behind Claude, $19 billion ARR as of March 2026 – can ship their entire CLI source in an npm package by accident, you probably can too. Let’s check yours first, then dig into what actually leaked.

Audit Your Own Packages Right Now

Open a terminal in any npm project you publish:

npm pack --dry-run

See .map files? Your source is being published.

What’s already live:

npm view your-package-name dist.tarball

Download that URL. Extract. .map file inside? Your code is public right now.

Watch out: Most devs assume .npmignore handles this. Wrong if you’re using the files field in package.json – it overrides .npmignore completely. Use files as an allowlist, not .npmignore as a denylist.

How the Leak Happened

Source maps are debugging tools. When you bundle JavaScript or TypeScript, the output gets minified (variables become a, b, c). A source map is a JSON file that maps the minified code back to your original source, so browser DevTools can show readable stack traces.

The problem is the sourcesContent field: an array of strings, each holding the full text of one original source file.

Anthropic built Claude Code for npm. Their bundler generated a source map. Leak analysis confirms Claude Code uses Bun’s bundler. Bun generates source maps by default unless you turn them off.

Someone forgot.

The .map file shipped to npm. Once it’s in the tarball, anyone running npm pack gets the entire codebase in JSON. 512,000+ lines.
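
To see why a shipped map amounts to shipped source, this added example (not from the original article or from Anthropic's code) reads a source map and reports how many original files it embeds through sourcesContent. The function names and the sample map are constructed for illustration.

```javascript
// Added example: measure how much original source a .map file embeds.
// mapJson is the text of a source map; returns one entry per embedded file.
function embeddedSources(mapJson) {
  const map = JSON.parse(mapJson);
  // Indexed maps nest ordinary maps under sections[].map.
  const maps = Array.isArray(map.sections)
    ? map.sections.map((s) => s.map).filter(Boolean)
    : [map];
  const found = [];
  for (const m of maps) {
    const contents = m.sourcesContent || [];
    (m.sources || []).forEach((name, i) => {
      // A null or missing entry means only the file name is listed, not its text.
      if (typeof contents[i] === "string") {
        found.push({ name, bytes: Buffer.byteLength(contents[i], "utf8") });
      }
    });
  }
  return found;
}

function summarize(mapJson) {
  const files = embeddedSources(mapJson);
  const bytes = files.reduce((sum, f) => sum + f.bytes, 0);
  return { files: files.length, bytes, exposesSource: files.length > 0 };
}

// Constructed sample map: two files carry their text, one lists only its name.
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: "cli.js",
  sources: ["../src/index.ts", "../src/secret.ts", "../src/util.ts"],
  sourcesContent: [
    "import { key } from './secret';\nconsole.log(key);\n",
    "export const key = 'constructed-value';\n",
    null,
  ],
  names: [],
  mappings: "AAAA",
});

console.log(summarize(SAMPLE_MAP), embeddedSources(SAMPLE_MAP));
```

A map whose sourcesContent is absent still lists file paths in sources, but the file text itself is not in the map.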

The irony: the leaked code includes Undercover Mode, designed to prevent Claude from accidentally revealing Anthropic’s internal info (model codenames like “Capybara” or “Fennec”) when employees use Claude Code on open-source repos. The AI is instructed: “Do not blow your cover.” Then they shipped the source in a .map file.

What the Leak Reveals That Matters

Most coverage lists architecture – 46,000-line QueryEngine, 40 tools, React terminal UI. For the rest of us:

The Feature Roadmap Is Already Built

44 feature flags in the source. Per The AI Corner, 20 features are fully coded but not shipped yet. Gated behind flags that compile to false in public builds.

KAIROS, referenced 150+ times: autonomous background mode. When you’re idle, Claude Code runs “autoDream” – consolidates memory, resolves contradictions, sharpens vague insights. You return, your session context is pre-tidied.

BUDDY: Tamagotchi-style AI pet system. 18 species (duck, dragon, axolotl, capybara). Rarity tiers. Five stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK. Fully implemented, just not turned on.

Not vaporware. Anthropic releases a new feature every two weeks because everything’s already done.

Internal Model Performance Is Visible

Code confirms internal model names: Capybara (Claude 4.6 variant), Fennec (Opus 4.6), Numbat (still in testing). Comments note Capybara v8 has 29-30% false claims rate – worse than v4’s 16.7%.

Competitors don’t usually get this. Now they know the ceiling for current agentic performance and the specific weaknesses Anthropic is struggling with.

The Memory Architecture Is the Real Crown Jewel

Three-layer memory system (per VentureBeat analysis). Key insight: agents treat their own memory as a “hint.” Before acting, Claude verifies facts against the actual codebase.

Why Claude Code performs reliably over long sessions – it doesn’t trust its own memory. Every tutorial about “building agents” misses this: skeptical memory beats perfect memory.

Three Edge Cases No One Else Covers

The Axios Supply Chain Attack Happened the Same Day

March 31, 2026, between 00:21 and 03:29 UTC: a compromised axios maintainer account published [email protected] and [email protected] to npm. Both injected a malicious dependency ([email protected]) that deployed a cross-platform RAT (per StepSecurity).

Installed or updated Claude Code via npm during that window? Your package-lock.json might have pulled one of those axios versions as a transitive dependency.

Check right now:

grep -r "plain-crypto-js" package-lock.json yarn.lock bun.lockb

Found it? Your system is compromised. Rotate all credentials. Rebuild from a clean image.

The RAT self-destructs after running, so checking node_modules won’t show evidence. It wrote to /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), or /tmp/ld.py (Linux). Check those paths.

Bun Generates Source Maps by Default

Most build guides assume webpack or esbuild, where source maps are opt-in. Bun? ON by default. You must disable them.

Bundling with Bun, add this:

bun build ./src/index.ts --outdir=./dist --sourcemap=none

Or in config:

{
 "sourcemap": "none"
}

Not false. Not "off". "none".

The Malicious Package Self-Cleans

The axios attack is nastier than most because the evidence disappears. After the RAT installs, plain-crypto-js deletes its own setup.js and replaces package.json with a clean decoy.

Inspect node_modules/plain-crypto-js after the fact? Looks normal. Only detection: check your lockfile for version 4.2.1 or search filesystem timestamps for suspicious activity in the attack window.

New pattern. Most malware leaves traces. This one doesn’t.

How to Actually Prevent This in Your Builds

Three steps:

1. Disable source maps in production config. React (Create React App): GENERATE_SOURCEMAP=false npm run build. Webpack: devtool: false in production config. esbuild: omit --sourcemap. Bun: --sourcemap=none.

2. Use files field in package.json as allowlist. Only dist/, lib/, README.md, LICENSE. Don’t rely on .npmignore – if files exists, .npmignore is ignored.

3. Run npm pack --dry-run in CI before every publish. Add a step that checks the output for .map files and fails the build if any are found.

Need source maps for error tracking (Sentry, Datadog)? Generate them, upload to your monitoring service, delete from build output before packaging. Professional approach: readable stack traces in production without exposing source.
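
One way to wire steps 2 and 3 into CI, as an added example that is not part of the original article: the script parses the output of npm pack --dry-run --json and fails on any .map file or any path outside the allowlist. The script name check-pack.js, the --ci switch, the allowlist patterns and the sample output are assumptions made for illustration.

```javascript
// Added example: CI gate, run as `node check-pack.js --ci` before `npm publish`.
// The allowlist mirrors the article's suggestion; adjust it to your package layout.
const ALLOWED = [/^dist\//, /^lib\//, /^README\.md$/, /^LICENSE$/, /^package\.json$/];

// packJson: stdout of `npm pack --dry-run --json` (an array, one entry per package).
function auditPack(packJson, allowed = ALLOWED) {
  const problems = [];
  for (const pkg of JSON.parse(packJson)) {
    for (const { path } of pkg.files || []) {
      if (/\.map$/i.test(path)) {
        problems.push({ pkg: pkg.name, path, reason: "source map" });
      } else if (!allowed.some((re) => re.test(path))) {
        problems.push({ pkg: pkg.name, path, reason: "outside allowlist" });
      }
    }
  }
  return problems;
}

async function main() {
  // Dynamic import works from both CommonJS and ES module files.
  const { execFileSync } = await import("node:child_process");
  const out = execFileSync("npm", ["pack", "--dry-run", "--json"], { encoding: "utf8" });
  const problems = auditPack(out);
  for (const p of problems) console.error(`${p.pkg}: ${p.path} (${p.reason})`);
  process.exitCode = problems.length ? 1 : 0; // non-zero exit fails the CI job
}

// Constructed sample of npm's JSON output, trimmed to the fields used here.
const SAMPLE_PACK = JSON.stringify([{
  name: "demo-cli",
  version: "1.0.0",
  files: [
    { path: "package.json" }, { path: "dist/cli.js" },
    { path: "dist/cli.js.map" }, { path: "src/index.ts" }, { path: "README.md" },
  ],
}]);

if (process.argv.includes("--ci")) {
  main().catch((e) => { console.error(e.message); process.exitCode = 2; });
} else {
  console.log(auditPack(SAMPLE_PACK)); // demo run on the constructed sample
}
```

The check looks only at file names; a bundle built with inline source maps carries the same content inside the .js file itself and needs a content scan.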

What This Means for You

Two immediate actions:

Installed anything via npm on March 31, 2026 between midnight and 4 AM UTC? Check lockfiles for [email protected], [email protected], or plain-crypto-js. Present? Treat machine as compromised. Isolate. Rotate all credentials accessible from that machine. Rebuild from clean snapshot.

Publish npm packages? Audit today using npm pack --dry-run. Source maps leaking? Yank affected versions, republish with maps removed. One misconfigured build exposes years of proprietary work.

Context: Claude Code generates $2.5 billion in annualized revenue (per VentureBeat as of March 2026). 80% from enterprise clients who pay assuming the tech is proprietary and protected. That assumption took a hit March 31.

Real lesson: your CI/CD pipeline is a security boundary. Treat it like one. Review build configs in code review, not just application logic. Pin bundler versions. Run automated checks verifying published artifacts don’t contain sensitive content.

One .map file turns a proprietary codebase into public knowledge. Check your builds now.

Frequently Asked Questions

Can I trust Claude Code after this leak?

The leak exposed the CLI wrapper, not the model. Claude’s weights and training data remain private. The CLI is a wrapper calling Anthropic’s API – the leak shows how tool orchestration and memory management work, but doesn’t compromise the core AI. Bigger concern: were your credentials exposed during the simultaneous axios attack? Check lockfiles for plain-crypto-js and rotate keys if necessary.

How do I check if my source maps are exposed in production web apps, not just npm?

Open your production site in Chrome or Firefox. DevTools (F12) → Sources tab. See a webpack:// or src/ folder with original source code listed? Source maps are loading.

Alternative: view-source on your site, find a <script src="..."> tag, append .map to the script URL (e.g., main.js becomes main.js.map). Downloads? You’re leaking. Automated scanners specifically look for .js.map files.

Fix: don’t serve .map files in production, or gate them behind authentication so only your error monitoring service can access them.

What’s the difference between hidden-source-map and no source maps at all?

devtool: 'hidden-source-map' (webpack): the source map file is generated but the //# sourceMappingURL= comment is omitted from your bundled JS, so browsers won’t auto-load it. The .map file still exists on disk – upload it to Sentry or another monitoring service for server-side error decoding, but users won’t see it.

devtool: false or GENERATE_SOURCEMAP=false: no .map file is created at all.

The former gives private source maps for debugging production errors; the latter is maximum security but harder to debug. For npm packages, use false or none – there is no reason to generate maps for distributed libraries.