Detailed Analysis
Anthropic inadvertently exposed the full proprietary source code of Claude Code, its AI-powered coding assistant, on March 31, 2026, through a straightforward but consequential packaging error. The company published npm package version 2.1.88 containing a 59.8 MB source map file (`cli.js.map`) that included approximately 512,000 lines of unminified TypeScript code spread across roughly 2,000 files. The root cause was human error during the release process: the team used Bun as the bundler, which generates source maps by default for debugging purposes, but failed to disable that behavior, exclude the `.map` file via `.npmignore`, or restrict the `package.json` `files` field to an allowlist that keeps debugging artifacts out of the published package. Security researcher Chaofan Shou identified the exposure within hours of publication, noting that the source map's `sourcesContent` field rendered every file, comment, internal constant, and system prompt readable in plain JSON format through standard npm tooling. The exposed map also referenced a TypeScript source zip archive hosted on Anthropic's Cloudflare R2 storage, making the full codebase trivially downloadable and decompressible by anyone who noticed it.
Anthropic moved quickly to contain the damage, removing version 2.1.88 from the npm registry the same day and issuing a statement characterizing the incident as a packaging misconfiguration rather than a security breach. The company confirmed that no sensitive customer data or API credentials were exposed in the leak, and committed to implementing process changes to prevent a recurrence. However, the response window was narrow enough that the code had already been widely downloaded, mirrored across third-party repositories, and analyzed by the developer and security research communities before removal. Cybersecurity expert Joseph Steinberg highlighted the residual risks: even absent credentials, a fully reconstructed codebase exposes proprietary business logic, internal architectural decisions, and potentially exploitable vulnerabilities that bad actors could study at leisure after the package was pulled.
The incident is notable for being, by Anthropic's own implicit acknowledgment, a repeat occurrence — a similar source map exposure had happened the previous month. That pattern suggests a systemic gap in Anthropic's release pipeline rather than an isolated mistake. Source maps are a well-understood class of accidental disclosure in the JavaScript and TypeScript ecosystem; mature publishing workflows routinely strip or exclude them via `files` whitelisting or explicit `.npmignore` rules. The fact that two consecutive releases made the same error points to an absence of automated publishing gates — such as CI/CD checks that validate the contents of an npm package before it reaches the registry — that are now considered standard practice for security-conscious open-source and commercial projects.
More broadly, the incident illustrates the tension that AI companies face as they ship developer tooling at speed. Claude Code occupies an increasingly competitive market alongside GitHub Copilot, Cursor, and Google's Gemini Code Assist, and rapid iteration creates release pressure that can erode procedural discipline. The exposure of system prompts in particular is commercially sensitive: system prompts encode the behavioral and instructional architecture of AI products, and competitors or adversarial actors gaining access to them can reverse-engineer differentiation strategies or craft targeted jailbreaks. While Anthropic's assertion that no customer data was compromised is credible, the broader reputational dimension — a company whose core product is a trusted AI assistant being unable to keep its own source code private — carries its own weight in an industry where trust is a primary selling point.
The episode adds to a growing catalogue of supply chain and packaging vulnerabilities in the AI tooling space, where the combination of novel build systems like Bun, rapid product cycles, and large, complex TypeScript codebases creates fertile ground for accidental disclosure. It reinforces calls within the security community for AI developers to treat npm publishing with the same rigor applied to container image scanning or secrets management — including mandatory pre-publish audits, automated artifact size anomaly detection, and strict allowlisting of published file paths. Anthropic's stated commitment to preventive measures will be tested by whether a third similar incident occurs, and the broader industry will be watching.
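The publishing gate described above (validation of package contents, allowlisting of published paths, and size anomaly detection), sketched as an added example that is not code from Anthropic or from the original article. It audits one entry of the array that `npm pack --dry-run --json` prints; the policy values, the package name and the sample sizes are constructed assumptions.

```javascript
// Publish gate over one entry of the array printed by `npm pack --dry-run --json`.
// POLICY values are assumptions for illustration; tune them per package.
const POLICY = {
  allow: [/^package\.json$/, /^README\.md$/, /^LICENSE$/, /^cli\.js$/], // published paths
  deny: [/\.map$/i],                // debugging artifacts such as cli.js.map
  maxFileBytes: 20 * 1024 * 1024,   // per-file ceiling
  maxGrowth: 1.5,                   // allowed unpackedSize ratio vs. last release
};

// Returns a list of findings; an empty list means the tarball may be published.
function auditPack(pack, previousUnpackedSize, policy = POLICY) {
  const findings = [];
  for (const file of pack.files) {
    if (policy.deny.some((re) => re.test(file.path))) {
      findings.push({ rule: 'denied-artifact', path: file.path });
    } else if (!policy.allow.some((re) => re.test(file.path))) {
      findings.push({ rule: 'not-allowlisted', path: file.path });
    }
    if (file.size > policy.maxFileBytes) {
      findings.push({ rule: 'oversized-file', path: file.path });
    }
  }
  // Size anomaly: a sudden jump relative to the previous release.
  if (previousUnpackedSize > 0 &&
      pack.unpackedSize > previousUnpackedSize * policy.maxGrowth) {
    findings.push({ rule: 'size-anomaly', path: '(package)' });
  }
  return findings;
}

// Constructed sample manifest (hypothetical package; sizes chosen to mirror the
// 59.8 MB map described in the article, not taken from the real tarball).
const SAMPLE_PACK = {
  name: 'example-cli',
  version: '0.0.0',
  unpackedSize: 72_400_000,
  files: [
    { path: 'package.json', size: 1_200 },
    { path: 'README.md', size: 3_800 },
    { path: 'cli.js', size: 12_595_000 },
    { path: 'cli.js.map', size: 59_800_000 },
  ],
};
const PREVIOUS_UNPACKED_SIZE = 12_600_000; // constructed baseline

for (const f of auditPack(SAMPLE_PACK, PREVIOUS_UNPACKED_SIZE)) {
  console.log(`BLOCK ${f.rule}: ${f.path}`);
}
```

In a CI job, the input would be the first element of the parsed `npm pack --dry-run --json` output, and the job would fail whenever the returned list is non-empty.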