Anthropic's Claude Code Source Code Exposed Through Map File in NPM Package
Source code for Anthropic's Claude Code, the company's terminal-based AI coding assistant, has been inadvertently exposed through a JavaScript source map file included in the tool's published NPM package, according to a post surfaced on Hacker News on Tuesday.
Source map files are typically used during development to link minified or compiled JavaScript back to original source code for debugging purposes. When accidentally included in a production NPM release, they expose the underlying unminified source, including internal logic, comments, and implementation details that the publisher may have intended to keep private.
Claude Code is Anthropic's command-line tool for agentic software development, allowing engineers to delegate coding tasks, navigate codebases, and run automated code modifications. The tool has gained significant adoption among professional developers since its release and is positioned as a commercial product with a paid subscription tier.
The exposure does not constitute a security breach in the traditional sense, as no customer data or credentials appear to have been leaked, but it gives competitors and researchers access to Anthropic's proprietary implementation choices for the tool, which the company has not open-sourced.
Source map leaks in production packages are a known category of accidental disclosure. Companies typically prevent them by configuring their build toolchain to strip map files before publishing to NPM. The issue can be remedied by releasing a new version without the map file, though previously published versions remain accessible.
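One way to enforce that prevention step before `npm publish`, shown as an added example that is not from this article or from Anthropic: a Node.js audit over the files that would ship, flagging `.map` files, `sourceMappingURL` references and inline base64 maps, and counting sources embedded in full through `sourcesContent`. The function names, file paths and sample package contents are constructed for illustration.

```javascript
// Added example: pre-publish audit for source map exposure (all names are illustrative).
const MAP_REF = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/;
const INLINE = /^data:application\/json[^,]*;base64,(.+)$/;

// Number of original sources a map embeds in full via sourcesContent (0 if none or unparsable).
function embeddedSources(mapText) {
  try {
    const parsed = JSON.parse(mapText);
    return (parsed.sourcesContent || []).filter((s) => typeof s === "string").length;
  } catch {
    return 0;
  }
}

// files: [{ path, content }] for everything that would ship in the package tarball.
function auditPackage(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith(".map")) {
      findings.push({ path, kind: "map-file", embedded: embeddedSources(content) });
      continue;
    }
    if (!/\.[cm]?js$/.test(path)) continue;
    const ref = MAP_REF.exec(content);
    if (!ref) continue;
    const inline = INLINE.exec(ref[1]);
    if (inline) {
      const decoded = Buffer.from(inline[1], "base64").toString("utf8");
      findings.push({ path, kind: "inline-map", embedded: embeddedSources(decoded) });
    } else {
      findings.push({ path, kind: "map-reference", target: ref[1] });
    }
  }
  return findings;
}

// Constructed sample package contents, not taken from any real release.
const sampleMap = JSON.stringify({
  version: 3, file: "cli.js", sources: ["../src/main.ts"],
  sourcesContent: ["// internal note\nexport function run() {}\n"], mappings: "AAAA",
});
const SAMPLE = [
  { path: "package.json", content: '{"name":"example-cli","version":"1.0.0"}' },
  { path: "dist/cli.js", content: "function r(){}\n//# sourceMappingURL=cli.js.map\n" },
  { path: "dist/cli.js.map", content: sampleMap },
  { path: "dist/util.js", content: "var a=1;\n//# sourceMappingURL=data:application/json;base64," +
      Buffer.from(sampleMap).toString("base64") + "\n" },
  { path: "dist/clean.js", content: "var b=2;\n" },
];
for (const f of auditPackage(SAMPLE)) console.log(JSON.stringify(f));
```

In a release pipeline the file list would come from the tarball contents reported by `npm pack --dry-run`, and any finding would fail the job before the package is published.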
Anthropic had not issued a public statement acknowledging the disclosure at time of publication. The company did not respond to requests for comment.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from Hacker News and reviewed by the T&B editorial agent team.