Claude Code's source code has been leaked via a map file in their NPM registry

Mar 31, 2026•treexs•View Original

TL;DR Highlight

The source code of Anthropic's AI coding tool Claude Code was publicly exposed through source map files included in its NPM package, revealing an undisclosed feature roadmap and internal security mechanisms.

Who Should Read

Developers who publish or maintain NPM packages, as well as developers interested in the internal architecture of AI coding agents or Anthropic's product strategy.

Core Mechanics

Source map (.map) files were distributed alongside the bundled JavaScript in Claude Code's NPM package (@anthropic-ai/claude-code), exposing the original TypeScript source code as-is. Source maps are intended for debugging—allowing minified JS to be traced back to original code—but including them in a production package was the root of the problem.
Anthropic eventually took action on the affected version (v2.x), but used npm deprecate (marking it as 'deprecated' without deletion) instead of npm unpublish (which actually removes the version), leaving the package still downloadable. Commenters sarcastically noted it felt like 'asking Claude to unpublish it, and getting a deprecate instead.'
Numerous feature flags for undisclosed features were found in the source code. The most notable were: an 'assistant mode' codenamed 'kairos', a Tamagotchi-style ASCII art virtual pet system called the 'Buddy System (/buddy)', and an 'Undercover mode' that strips internal information from commits/PRs when Anthropic employees contribute to open source.
An internal flag called ANTI_DISTILLATION_CC was also uncovered. When enabled, it injects anti_distillation: ['fake_tools'] into every API request, causing the server to secretly insert fake tool definitions into the system prompt. This is a data poisoning defense mechanism designed to disrupt competitors attempting to scrape Claude Code's API traffic to train their own models (distillation).
Regex patterns that detect negative sentiment or specific keywords in user prompts were also found, with the code explicitly noting that such content is logged. This effectively exposed which expressions are being monitored by the system.
There were also notable issues with code quality. A single function in src/cli/print.ts was found to be 3,167 lines long, with up to 12 levels of nesting, a cyclomatic complexity of approximately 486, 12 parameters plus an options object with 16 properties, 21 inner functions, and sole responsibility for the agent loop, SIGINT handling, AWS authentication, MCP lifecycle, and more. Commenters noted it 'should be split into at least 8–10 modules.'

Evidence

"Regarding the npm deprecate vs. unpublish mistake, one commenter accurately explained the difference: 'npm deprecate does not remove the package from the registry—it only marks it as deprecated while keeping it fully downloadable. npm unpublish should have been used to actually remove it.' They added that Anthropic's use of the wrong command gave the impression that Claude had misunderstood the task. There was also debate over the severity of the leak: some argued that since TypeScript/JS is not machine code and obfuscated code is already somewhat reversible, leaking a CLI tool's code is not a big deal—they suggested open-sourcing it instead. Others countered that what Google or OpenAI have released is an Agent SDK toolkit, not code revealing how their flagship agent works internally, making this leak—which exposed the roadmap and internal architecture—categorically different. The undisclosed /buddy feature received detailed analysis: a commenter reverse-engineered the code and found it was planned as an April Fools' Day easter egg, with 18 species, rarity levels, stats, hats, and eye shapes generated deterministically using the user's account UUID as a seed. They even built and shared a website (claudebuddychecker.netlify.app) to preview one's buddy in advance. The ANTI_DISTILLATION feature drew significant attention from multiple commenters. The fact that AI companies are already implementing this kind of defense mechanism—secretly injecting fake tool definitions into API responses to corrupt competitors' training data—in commercial products was widely noted as remarkable in itself. Legal concerns were also raised: some asked whether using AI to analyze the leaked code and reimplement similar systems would be legally permissible, with cautious responses suggesting it may be safer to treat it like 'tainted goods.' Others were more dismissive, questioning whether there was any moral issue given that AI models have already been trained on billions of lines of open-source code."

How to Apply

"If you distribute NPM packages, always verify that source map files are not included in the production bundle. In Webpack, set the devtool option to 'hidden-source-map', or add *.map to your .npmignore file to prevent internal logic from being reverse-engineered. When you urgently need to take down a package version, use npm unpublish [package-name]@[version]—not npm deprecate—to actually remove it from the registry. Since npm deprecate only leaves a marker while keeping the files downloadable, it's worth proactively sharing the difference between these two commands within your team to avoid confusion during security incident response. If you have undisclosed features managed via feature flags, be aware that flag names and feature identifiers can be exposed as-is in the distributed code. Consider separating sensitive roadmap information from the codebase, or managing it server-side only so it is never included in the client bundle. If your application logs user input, having the logging conditions and patterns visible in client-side code can erode user trust. Consider documenting your logging policy in public documentation or a privacy policy, and evaluate moving detection patterns to the server side so they are not exposed externally."

Terminology

source mapA file that allows minified or obfuscated JavaScript to be traced back to the original source code. Intended for development debugging, but if included in a production release, it exposes internal code in its entirety.

npm deprecateA command that marks a specific version of an NPM package as 'no longer recommended for use.' The files remain in the registry and are still downloadable; npm unpublish must be used to actually delete them.

feature flagA configuration value that allows specific features to be toggled on or off without a code deployment. Used to ship code for unreleased features ahead of time and enable them later simply by activating the flag.

distillation (모델 증류)A technique where a smaller model (student) is trained using the output data of a larger, more capable model (teacher) as training data. In this context, it refers to the act of scraping Claude Code's API responses to train a competing model.

cyclomatic complexityA metric that measures code complexity; the value increases with the number of branching points such as conditionals and loops. A score of 10 or below is generally recommended—a score of 486 represents code that is nearly impossible to maintain.

anti-distillationA defensive technique that mixes fake information into API responses to corrupt the data that competitors might collect for use as training data, preventing them from learning from a proprietary model's outputs.