Claude Code Full Source Code Exposed
Odaily News: Chaofan Shou, an intern researcher at blockchain security company Fuzzland, pointed out on X that the npm package of Anthropic's AI programming tool Claude Code contains a complete source map file (cli.js.map, approximately 60MB) from which the entire TypeScript source code can be restored. It has been verified that the latest version, v2.1.88, released today, still contains this file, which includes the complete code of 1,906 of Claude Code's proprietary source files, covering implementation details such as internal API design, analytics telemetry systems, encryption tools, and inter-process communication protocols.
Source maps are debugging files used in JavaScript development to map minified code back to the original source code, and they should not appear in production release packages. In February 2025, an early version of Claude Code was exposed through the same issue; at that time Anthropic removed the old versions from npm and deleted the source maps. However, the problem has since resurfaced. Multiple public repositories on GitHub have already extracted and organized the restored source code, with ghuntley/claude-code-source-code-deobfuscation receiving nearly a thousand stars.
The leak involves the client-side implementation code of the Claude Code CLI tool and does not involve model weights or user data, so it poses no direct security risk to ordinary users. However, the continued exposure of the complete source code means that the internal architecture, security mechanisms, and telemetry logic are completely transparent to the outside world.
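A pre-publish check for the condition described above, written as an added example (not code from Anthropic, Fuzzland or the original report): it flags source map files that embed original sources, plus bundles that reference or inline a map. The function names auditPackageFiles and embeddedSources and the sample package contents are constructed for illustration.

```javascript
// Added example: audit the file set of a package before it is published.
// `files` maps a relative path to file content (strings). Sample data is constructed.
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/m;

// Returns how many original sources a source map embeds in full, or null if not a map.
function embeddedSources(text) {
  let map;
  try { map = JSON.parse(text); } catch { return null; }
  if (!map || typeof map !== "object" || !Array.isArray(map.sources)) return null;
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return contents.filter((c) => typeof c === "string" && c.length > 0).length;
}

function auditPackageFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      const n = embeddedSources(content);
      if (n !== null) findings.push({ path, kind: "map-file", embedded: n });
      continue;
    }
    if (!/\.[cm]?js$/.test(path)) continue;
    const m = MAP_COMMENT.exec(content);
    if (!m) continue;
    const inline = /^data:application\/json[^,]*;base64,(.*)$/.exec(m[1]);
    if (inline) {
      const n = embeddedSources(Buffer.from(inline[1], "base64").toString("utf8"));
      findings.push({ path, kind: "inline-map", embedded: n ?? 0 });
    } else {
      findings.push({ path, kind: "map-reference", target: m[1] });
    }
  }
  return findings;
}

// Constructed sample: a tiny package that ships a map with embedded sources.
const sampleMap = JSON.stringify({
  version: 3, file: "cli.js", names: [], mappings: "AAAA",
  sources: ["../src/main.ts", "../src/util.ts"],
  sourcesContent: ["export const main = () => 1;\n", "export const util = 2;\n"],
});
const samplePackage = {
  "package.json": '{"name":"example-cli","version":"0.0.0"}',
  "cli.js": "const a=()=>1;\n//# sourceMappingURL=cli.js.map\n",
  "cli.js.map": sampleMap,
  "lib/inline.js": "var b=2;\n//# sourceMappingURL=data:application/json;base64,"
    + Buffer.from(sampleMap).toString("base64") + "\n",
};
console.log(auditPackageFiles(samplePackage));
```

Any finding with a non-zero embedded count means the published package would carry original source text. The file list that `npm pack --dry-run` reports is the natural input for such a check in a release pipeline.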
