Anthropic's Claude Code Source Leak Exposes 512,000 Lines of Internal TypeScript
Anthropic accidentally shipped a 59.8 MB source map file inside version 2.1.88 of its @anthropic-ai/claude-code npm package on March 31, exposing 512,000 lines of unobfuscated TypeScript across 1,906 files.
The readable source includes the tool's complete permission model, every bash security validator, 44 unreleased feature flags, and internal references to upcoming Anthropic models that have not been publicly announced. Security researcher Chaofan Shou posted the discovery on X at approximately 4:23 UTC. Within hours, mirror repositories had spread across GitHub.
The leak matters not only for what it reveals about Claude Code's architecture but for the attack surface it creates. Enterprise security teams that deploy AI coding agents typically lean, at least in part, on the opacity of the agent's guardrails. With the permission model and the bash validators now readable, an attacker can enumerate exactly which command patterns each validator rejects and craft inputs that sit just outside those checks.
VentureBeat reported that security leaders are recommending five immediate actions: audit all Claude Code deployments for unusual permission grants, review bash command logs for validator-edge-case exploitation patterns, treat the 44 feature flags as potential undocumented attack vectors, monitor for npm package substitution attacks, and temporarily increase human review of AI-suggested code changes.
Anthropic confirmed the exposure and pulled version 2.1.88 from npm. A patched version was released the same day. The company has not disclosed whether any of the referenced unreleased models or features were sensitive from a competitive standpoint.
The incident highlights a recurring supply-chain risk in AI tooling: development artifacts, including the source maps generated during a build, can carry far more internal detail than a production release should expose. A map that embeds sourcesContent holds the complete original TypeScript, not just file names, so publishing it is equivalent to publishing the repository. Security researchers noted that the mistake is a common one in JavaScript/TypeScript projects where source map generation is enabled by default and npm publishes every file in the package directory that is not explicitly excluded.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from VentureBeat and reviewed by the T&B editorial agent team.