Anthropic Claude Code Source Code Leaked via NPM Source Map — 512K Lines of Proprietary Agent Architecture Exposed

On March 31, 2026, security researcher Chaofan Shou (@shoucccc) discovered that Anthropic's Claude Code, the company's flagship agentic CLI tool, had its entire proprietary source code exposed through a source map file (cli.js.map) published to the npm registry. The leak is currently #5 on Hacker News with 354+ points and 176+ comments.
Scale of the Leak:
- ~1,900 TypeScript files
- 512,000+ lines of code
- ~40 built-in tools
- ~50 slash commands
- The leaked codebase was archived to multiple public GitHub repositories, with one already surpassing 1,100+ stars and 1,900+ forks within hours
Key Architecture Revelations:
- Tool System (~40 tools): Claude Code uses a plugin-like architecture where each capability (file read, bash execution, web fetch, LSP integration) is a discrete, permission-gated tool. The base tool definition alone is 29,000 lines of TypeScript.
- Query Engine (46K lines): The largest single module handles all LLM API calls, streaming, caching, and orchestration — essentially the brain of the operation.
- Multi-Agent Orchestration: Claude Code can spawn sub-agents (called swarms) to handle complex, parallelizable tasks. Each agent runs in its own context with specific tool permissions.
- IDE Bridge System: A bidirectional communication layer connects IDE extensions (VS Code, JetBrains) to the CLI via JWT-authenticated channels.
- Persistent Memory System: A file-based memory directory where Claude stores context about the user, project, and preferences across sessions.
Technical Stack Insights:
- Runtime: Bun (not Node.js) — chosen for dead code elimination and faster startup
- Terminal UI: React with Ink (React for terminals) — component-based with state management
- Validation: Zod v4 schema validation everywhere — every tool input, API response, config file
- Heavy dependencies like OpenTelemetry and gRPC are lazy-loaded for performance
Security Implications:
This is a classic software supply chain exposure — source maps should never be included in production npm packages. The leak exposes the complete internal architecture of one of the most widely-used AI coding agents, potentially enabling:
- Targeted prompt injection attacks based on known tool architecture
- Understanding of permission-gating mechanisms to find bypasses
- Reverse engineering of the agent orchestration protocol
- Competitive intelligence for rival AI coding tools
Anthropic has not yet issued a public statement. The exposure appears to be an accidental inclusion of the source map file in the npm build pipeline rather than a deliberate compromise.
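A pre-publish check for the kind of exposure described above, as an added example (not code from this article, Anthropic, or npm): it audits the files a package would ship for `.map` files, inline maps and `sourceMappingURL` references, and counts how many original sources each map embeds in `sourcesContent`. The `{ path, content }` input shape, the function names, the blocking policy and the sample package are assumptions constructed for illustration.

```javascript
// Added example: audit [{ path, content }] entries of a package for source map exposure.
const MAP_COMMENT = /\/[/*][#@]\s*sourceMappingURL=(\S+)/;

// Count original source files embedded verbatim in a source map (v3 `sourcesContent`).
function countEmbeddedSources(mapText) {
  try {
    const sc = JSON.parse(mapText).sourcesContent;
    return Array.isArray(sc) ? sc.filter((s) => typeof s === 'string').length : 0;
  } catch {
    return 0; // unparsable map: still reported by the caller, with no readable sources
  }
}

function auditFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      findings.push({ path, kind: 'map-file', embeddedSources: countEmbeddedSources(content) });
      continue;
    }
    if (!/\.(?:[cm]?js|css)$/.test(path)) continue;
    const m = MAP_COMMENT.exec(content);
    if (!m) continue;
    const b64 = /^data:application\/json[^,]*;base64,(.+)$/.exec(m[1]);
    if (b64) {
      // Inline map: the whole map, sources included, travels inside the bundle itself.
      const mapText = Buffer.from(b64[1], 'base64').toString('utf8');
      findings.push({ path, kind: 'inline-map', embeddedSources: countEmbeddedSources(mapText) });
    } else {
      findings.push({ path, kind: 'map-reference', target: m[1], embeddedSources: 0 });
    }
  }
  return findings;
}

// Assumed policy: any shipped or inlined map blocks the publish; a bare reference only warns.
function shouldBlockPublish(findings) {
  return findings.some((f) => f.kind !== 'map-reference');
}

// Constructed sample package; only the file name cli.js.map comes from the article.
const inlineMap = Buffer.from(JSON.stringify(
  { version: 3, sources: ['src/util.ts'], sourcesContent: ['export {}'], mappings: '' })).toString('base64');
const SAMPLE = [
  { path: 'package.json', content: '{"name":"example-cli"}' },
  { path: 'cli.js', content: 'run();\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: JSON.stringify({ version: 3, sources: ['src/a.ts', 'src/b.ts'], sourcesContent: ['let a = 1;', 'let b = 2;'], mappings: 'AAAA' }) },
  { path: 'lib/util.js', content: `//# sourceMappingURL=data:application/json;base64,${inlineMap}\n` },
];
console.log(auditFiles(SAMPLE), shouldBlockPublish(auditFiles(SAMPLE)));
```

Feeding it the contents of an unpacked `npm pack` tarball makes the audit see exactly what the registry would receive, rather than what the build directory happens to contain.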
Sources
- Claude Code source code leaked via map file in NPM registry — Hacker News
- Claude Code Entire Source Code Was Just Leaked via npm Source Maps — DEV Community
- Claude Code Source Code and Breakdown from leaked map file — GitHub
- Claude Code source code leaked via map file in npm registry — Reddit r/ClaudeAI