Claude Code Source Leak Exposes 1,906 Files – Inside the Security Mishap

At the end of the workday the author received a link to a GitHub repository named instructkr/claude-code, which appeared to contain the source code of Anthropic’s Claude Code CLI after a suspected source‑map leak.

The leak occurred because the npm package for Claude Code bundled a cli.js.map file (about 60 MB). Source maps map minified JavaScript back to the original TypeScript, and because the map was not excluded via .npmignore or the files field, anyone could reconstruct the entire codebase: 1,906 files, more than 512,000 lines. Anthropic had suffered the same mistake when Claude Code launched in February 2025, removed the map, and now repeated the error in March 2026.

Technical stack details: Claude Code is written in TypeScript and runs on the Bun runtime. Its terminal UI uses React together with Ink (React components rendered in the terminal). CLI parsing is handled by Commander.js, and request/response schemas are validated with Zod v4.

The tool system is highly modular: over 40 independent tools each declare their own input schema, permission model, and execution logic. Examples include BashTool for shell commands, FileReadTool for reading files, GrepTool (which wraps ripgrep) for content search, and AgentTool for spawning sub‑agents. The command layer offers more than 50 slash commands (e.g., /commit, /review, /vim, /doctor) covering the full development workflow.

Feature flags are pervasive. The code uses a pattern like:

const voiceCommand = feature('VOICE_MODE') ? require('./commands/voice/index.js').default : null

During Bun’s compile‑time constant folding, disabled flags are completely stripped. Flag names such as KAIROS, PROACTIVE, TORCH, TUNGSTEN, and FENNEC hint at internal experiments, many of which are unseen by external users. The most playful flag, BUDDY, implements an ASCII‑style electronic pet intended as an April‑Fools Easter egg that leaked before release.

A runtime check process.env.USER_TYPE === 'ant' distinguishes Anthropic staff from external users, granting staff access to extra tools like ConfigTool, TungstenTool, and REPLTool.

The author also examined a security audit report that highlighted several concrete bugs:

Plan‑file whitelist matching is too broad: the code uses startsWith to validate a plan file, so a plan slug like blue-fox also accepts blue-fox-backup.md or blue-fox-evil.md, bypassing permission checks.

File‑write logic only resolves a single level of symlink. Multi‑level symlinks (link1 → link2 → target) cause intermediate symlinks to be overwritten by regular files, silently breaking the link chain.

WebSocket reconnection behaves differently on Node vs. Bun, potentially causing message loss after a disconnect.

Despite these bugs, the permission system itself is robust, having undergone extensive hardening against UNC paths, shell expansion, symlink escape, and glob bypasses. The issues stem from the system’s complexity rather than sloppy coding.

From an engineering perspective, a noteworthy optimization appears in main.tsx: the first 20 lines execute side‑effects that read MDM configuration and pre‑fetch macOS keychain entries before any imports, exploiting a ~135 ms window to parallel‑warm resources and saving about 65 ms of startup time. Heavy modules such as OpenTelemetry (~400 KB) and gRPC (~700 KB) are loaded lazily via dynamic import(), further reducing initial latency.

The leak does not affect ordinary users because only the CLI client code was exposed; model weights and user data remain private. However, the repeat mistake harms Anthropic’s reputation, especially as Fortune reported simultaneous exposures of unpublished model details and internal executive activities. A simple CI/CD check for .npmignore and files entries could have prevented the incident.

The GitHub repository quickly amassed over 5,400 stars and 8,800 forks, sparking lively discussion on Hacker News and various developer communities. Some commenters likened the code to “vibe coding,” while others praised its engineering rigor.

Final takeaway for developers: always verify that source‑map files, .env files, and internal configurations are excluded from npm packages before publishing.