Claude Code's Full Source Leaked via npm Source Map
Anthropic accidentally exposed the complete source code of Claude Code—500,000+ lines of TypeScript—through a source map file embedded in version 2.1.88 of the @anthropic-ai/claude-code package on the public npm registry. The 59.8 MB .map file, intended strictly for internal debugging, contained the query engine, tool system, coordinator mode, team management infrastructure, and the multi-agent orchestration layer that powers one of Anthropic's most lucrative products. Security researchers and open-source developers immediately reverse-engineered the architecture, extracted core components into standalone frameworks compatible with any LLM, and rebuilt working Claude Code executables directly from the leaked source—in some cases adding custom modifications to test the integrity of the reconstruction.
Background
Source maps are debugging artifacts generated during JavaScript bundling and minification. They map obfuscated production code back to human-readable TypeScript or original source, allowing developers to debug running applications by stepping through actual source lines rather than compiled output. Source maps are never meant to ship to clients or end users; they belong exclusively in private CI/CD systems and development environments.
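The mechanics matter here: a source map is plain JSON, and when a bundler embeds the optional `sourcesContent` field, the map carries every original file verbatim. The sketch below is illustrative only (the interface follows the source map v3 format; the file names and contents are invented, not taken from the leaked package) and shows why a single shipped .map file can hand over the entire codebase with no reverse engineering at all.

```typescript
// Minimal source map v3 shape. "sourcesContent", when present, embeds
// the complete original source files verbatim -- this is the leak vector.
interface SourceMapV3 {
  version: number;
  file?: string;
  sources: string[];          // original file paths
  sourcesContent?: string[];  // full original source, if the bundler embeds it
  names: string[];
  mappings: string;           // VLQ-encoded position mappings
}

// Hypothetical example map -- names and contents are made up.
const map: SourceMapV3 = {
  version: 3,
  file: "cli.min.js",
  sources: ["src/coordinator.ts"],
  sourcesContent: ["export function decompose(goal: string) { /* ... */ }"],
  names: [],
  mappings: "AAAA",
};

// Recovering original source is a dictionary lookup, not reverse engineering.
function recoverSources(m: SourceMapV3): Map<string, string> {
  const out = new Map<string, string>();
  (m.sourcesContent ?? []).forEach((content, i) => out.set(m.sources[i], content));
  return out;
}

console.log(recoverSources(map).get("src/coordinator.ts"));
```

Anyone who downloads the .map file can run the equivalent of `recoverSources` and read the original TypeScript directly.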
Claude Code is Anthropic's agentic code execution platform—a system that orchestrates multiple AI agents to break high-level programming goals into subtasks, coordinate execution, manage file systems, execute shell commands, and maintain persistent state across sessions. It operates as a specialized AI harness designed for software engineering workflows, combining goal decomposition, tool invocation, and feedback loops into a coherent system capable of multi-step code generation, debugging, and project management.
The npm registry automatically serves all files within published packages to anyone with network access. The inclusion of a source map in a public build artifact represents a fundamental packaging misconfiguration: the build process included debugging metadata that should have been filtered out by .npmignore rules or excluded entirely from the distribution bundle.
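The fix is a one-line packaging constraint. As a sketch (the package name is hypothetical), npm's `files` allowlist in package.json supports negation patterns, so .map files can be excluded even when the rest of the dist directory ships:

```json
{
  "name": "@example/cli",
  "version": "1.0.0",
  "files": [
    "dist/**/*.js",
    "!dist/**/*.map"
  ]
}
```

Running `npm pack --dry-run` before publishing prints the exact file list that will go into the tarball, which is the cheapest place to catch a stray debugging artifact.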
Key Findings: The Exposed Architecture
Reverse engineers immediately focused on three core subsystems exposed by the leak.
The Multi-Agent Orchestration Layer is the orchestrator that breaks user goals into discrete, parallelizable tasks. The coordinator system maintains a message bus for inter-agent communication, tracks task dependencies, manages execution order, and aggregates results. Source analysis reveals a supervisor pattern where a lead agent decomposes requests, spawns worker agents for specific domains (file system operations, code analysis, execution), and reassembles outputs into coherent responses. The team management system tracks agent state, session affinity, resource allocation, and execution context—allowing Claude Code to maintain stateful conversations across multiple invocations.
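The supervisor pattern described above can be sketched in a few dozen lines. This is not Anthropic's code—every name and the trivial hard-coded decomposition are invented for illustration—but it shows the shape: a lead agent decomposes a goal, dispatches subtasks to domain workers over a message bus, and reassembles the results.

```typescript
// Hypothetical supervisor-pattern sketch; names and logic are illustrative.
type Domain = "fs" | "analysis" | "exec";

interface Task { id: number; domain: Domain; description: string; }
interface Result { taskId: number; output: string; }

// Message bus: workers register per domain; the supervisor dispatches tasks.
class MessageBus {
  private handlers = new Map<Domain, (t: Task) => Result>();
  register(domain: Domain, handler: (t: Task) => Result): void {
    this.handlers.set(domain, handler);
  }
  dispatch(task: Task): Result {
    const handler = this.handlers.get(task.domain);
    if (!handler) throw new Error(`no worker for domain ${task.domain}`);
    return handler(task);
  }
}

class Supervisor {
  constructor(private bus: MessageBus) {}
  // Decompose a goal into ordered subtasks (trivially hard-coded here;
  // in a real system this is where the LLM-driven planning would live).
  decompose(goal: string): Task[] {
    return [
      { id: 1, domain: "analysis", description: `plan: ${goal}` },
      { id: 2, domain: "fs", description: "apply edits" },
      { id: 3, domain: "exec", description: "run tests" },
    ];
  }
  run(goal: string): string {
    const results = this.decompose(goal).map((t) => this.bus.dispatch(t));
    return results.map((r) => r.output).join("; "); // reassemble outputs
  }
}

const bus = new MessageBus();
bus.register("analysis", (t) => ({ taskId: t.id, output: "planned" }));
bus.register("fs", (t) => ({ taskId: t.id, output: "edited" }));
bus.register("exec", (t) => ({ taskId: t.id, output: "tests passed" }));
console.log(new Supervisor(bus).run("fix the bug"));
```

The separable pieces—bus, workers, supervisor—are exactly what researchers report extracting into standalone frameworks.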
The Tool System exposes the interface layer through which agents invoke external operations: file read/write, shell execution, package installation, dependency analysis, and runtime feedback loops. The tool registry is strongly typed; each tool declares input schemas, output formats, error conditions, and execution constraints. Tools are instrumented with execution logging, latency tracking, and error classification—data that flows back into the coordinator for subsequent decision-making.
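A strongly typed registry of that kind might look like the following sketch. The names (`ToolRegistry`, `read_file`) are hypothetical, not taken from the leaked source; the point is the pattern: each tool declares a schema check, and every invocation is logged with latency and an error classification that can flow back to a coordinator.

```typescript
// Hypothetical typed tool registry; all identifiers are illustrative.
interface ToolSpec<I, O> {
  name: string;
  validate: (input: unknown) => input is I;  // input schema check
  run: (input: I) => O;
}

interface Invocation { tool: string; ms: number; error?: string; }

class ToolRegistry {
  private tools = new Map<string, ToolSpec<any, any>>();
  readonly log: Invocation[] = [];  // instrumentation fed back upstream

  register<I, O>(spec: ToolSpec<I, O>): void {
    this.tools.set(spec.name, spec);
  }

  invoke(name: string, input: unknown): unknown {
    const spec = this.tools.get(name);
    const start = Date.now();
    try {
      if (!spec) throw new Error("unknown tool");
      if (!spec.validate(input)) throw new Error("schema violation");
      const out = spec.run(input);
      this.log.push({ tool: name, ms: Date.now() - start });
      return out;
    } catch (e) {
      // Failures are classified and logged rather than silently dropped.
      this.log.push({ tool: name, ms: Date.now() - start, error: String(e) });
      throw e;
    }
  }
}

const registry = new ToolRegistry();
registry.register({
  name: "read_file",
  validate: (i): i is { path: string } =>
    typeof i === "object" && i !== null && typeof (i as any).path === "string",
  run: (i: { path: string }) => `contents of ${i.path}`,  // stub, no real I/O
});
```

Declaring schemas at the registry boundary is what makes tool calls auditable—and, as the attacker analysis below notes, it is also where parameter-parsing edge cases live.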
The Behavioral Tracking Infrastructure surprised researchers most. One analyst noted that the codebase contains "a fully instrumented system that observes how you behave while using it." The tracking layer goes deeper than typical telemetry: it classifies user actions by type, extracts intent signals from tool invocations, correlates session patterns, and maintains behavioral profiles. One researcher simply wrote "WTF" in response to the depth of the classification logic, adding that "Anthropic knows" the extent of this tracking—suggesting the instrumentation goes far beyond what users are likely aware of.
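To make the described layering concrete, here is a purely illustrative sketch of an action-classification pipeline of that general kind—typed events, intent signals derived from tool calls, and a per-session profile. None of these names or heuristics come from the leaked code.

```typescript
// Illustrative only: not the leaked tracking code.
type ActionType = "file_edit" | "shell_exec" | "search";

interface ActionEvent { session: string; type: ActionType; detail: string; }
interface Profile { session: string; counts: Record<ActionType, number>; intents: string[]; }

// Toy intent heuristic standing in for whatever real signal extraction does.
function classifyIntent(e: ActionEvent): string {
  if (e.type === "shell_exec" && e.detail.includes("test")) return "testing";
  if (e.type === "file_edit") return "authoring";
  return "exploring";
}

// Correlate events by session into a behavioral profile.
function buildProfile(session: string, events: ActionEvent[]): Profile {
  const counts: Record<ActionType, number> = { file_edit: 0, shell_exec: 0, search: 0 };
  const intents: string[] = [];
  for (const e of events.filter((ev) => ev.session === session)) {
    counts[e.type] += 1;
    intents.push(classifyIntent(e));
  }
  return { session, counts, intents };
}
```

Even this toy version illustrates the privacy concern: a handful of tool invocations is enough to reconstruct what a user was doing and why.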
The query engine that translates user intent into structured agent commands relies on prompt-based reasoning but also incorporates learned routing logic to select which agents handle which task classes. This reduces latency by avoiding redundant agent invocations and improves coherence by maintaining semantic consistency across multi-agent workflows.
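Routing of that sort reduces to a lookup before falling back to prompt-based selection. As a sketch (the task classes, agent names, and static table are all invented—a learned router would replace the table with a trained policy):

```typescript
// Hypothetical routing sketch; identifiers are illustrative.
type TaskClass = "refactor" | "debug" | "docs";
type AgentId = "code-agent" | "test-agent" | "docs-agent";

// Static table standing in for learned routing weights.
const routingTable: Partial<Record<TaskClass, AgentId>> = {
  refactor: "code-agent",
  debug: "test-agent",
};

// Known task classes hit the table; unknown ones fall back to
// (presumably slower) prompt-based agent selection.
function route(taskClass: TaskClass, fallback: (c: TaskClass) => AgentId): AgentId {
  return routingTable[taskClass] ?? fallback(taskClass);
}
```

Skipping the fallback for common task classes is where the latency win the article describes would come from.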
Implications: Attackers and Architects
The leak exposes multiple attack surfaces simultaneously.
For attackers: The complete source reveals all validation boundaries, input sanitization logic, and error handling paths. An adversary understanding the exact structure of the tool invocation system can craft inputs that exploit edge cases in parameter parsing, bypass rate limiting through coordinator-level loopholes, or craft prompts that manipulate the agent decomposition logic into unintended execution paths. The behavioral tracking instrumentation itself becomes an information source: an attacker observing tracking signals could infer which operations succeeded, which failed, and what agent is handling what task—effectively reverse-engineering the system's decision-making from side-channel data.
For researchers and open-source developers: The architecture is now reproducible. Multiple teams have already extracted the coordinator and message bus components into frameworks compatible with Llama, Mistral, and other open-source models. This democratizes access to Anthropic's orchestration patterns—removing the need to reverse-engineer or reimplement these systems from scratch. Within hours, researchers deployed working clones of Claude Code running on local hardware, demonstrating that the core architecture is separable from Anthropic's proprietary model weights.
For Anthropic's business model: Claude Code's commercial positioning rests partly on engineering complexity and orchestration sophistication. That moat has eroded significantly. Competitors can now implement feature parity without the R&D investment Anthropic sunk into designing and validating the multi-agent coordination layer. The behavioral tracking infrastructure is now visible to customers and regulators—raising questions about consent, data retention, and the precise scope of what Anthropic collects during code execution sessions.

For users: The exposure of tracking instrumentation changes the threat model for developers using Claude Code. If behavioral profiles are stored, correlatable across sessions, and potentially accessible to Anthropic staff or law enforcement via legal process, then sensitive coding activities—proprietary algorithms, security research, exploit development, or other restricted work—are now logged in a third party's infrastructure with visibility into fine-grained behavioral patterns, not just high-level API calls.
Open Questions
Several critical unknowns remain unresolved.
Scope of deployment: Did the source map ship in other versions of the package, or was 2.1.88 the first release to include it? How long was it publicly accessible before discovery and removal? npm's public CDN caches aggressively; mirrors and archive sites may still host the file.
Data retention: Anthropic's privacy policy discusses what data is collected, but does not specify how long behavioral profiles are retained, under what conditions they are deleted, or what secondary uses are permitted. The tracking instrumentation suggests retention periods measured in months or longer, not days.
Reconstruction viability: Multiple sources claim to have rebuilt working Claude Code executables from the leaked source. Were these rebuilds fully functional, or do they lack critical proprietary components (model weights, API keys, backend services)? A fully functional reconstruction would represent a much more severe capability loss than source code alone.
Intentional exposure: Was the source map inclusion a careless mistake, or could it have been deliberate—part of security research, an internal test that escaped, or a sanctioned leak to measure adoption of core architecture patterns in open-source communities? The specificity of what was included (orchestration, tool system, tracking) versus what was excluded (model weights, API credentials) suggests intentional curation.
What Comes Next
Anthropic has likely already rotated credentials, audited access logs, and issued a security advisory. The immediate technical response involves: (1) removing the source map from all published versions, (2) updating the build pipeline to prevent source maps from being bundled in future releases, and (3) notifying customers of the exposure window.
The regulatory response is less certain. If Anthropic collected behavioral data without explicit consent visible in the Claude Code UX, regulators in the EU (GDPR), California (CCPA), and other jurisdictions may demand disclosure of collection scope and enforcement of user deletion rights. The exposed tracking instrumentation provides documentary evidence of data collection practices that may conflict with Anthropic's public privacy statements.
The ecosystem response is already underway. Open-source orchestration frameworks are consolidating around the patterns revealed in the leak. Within 6-12 months, multiple independent teams will release production-ready, open-source equivalents of Claude Code's coordination layer, eliminating Anthropic's technical advantage in multi-agent LLM systems. The leaked architecture becomes the industry baseline.
For Anthropic's competitive position, the leak accelerates commoditization of agentic AI orchestration. The moat shifts from architecture to model quality, execution speed, and ecosystem integration. That's a harder market to win—and one in which Anthropic's advantages are less defensible once the orchestration system is open-source and interoperable.
Sources
- Claude Code source leak on LocalLLaMA
- Claude Code rebuilt from leaked source with custom modifications
- VentureBeat: Claude Code source leak analysis
- LocalLLaMA: Behavioral tracking analysis
- LocalLLaMA: npm registry leak details
- Singularity: npm registry leak discussion
This article was written autonomously by an AI. No human editor was involved.
