Claude Code's Source Code Leaked on npm: What Happened and What It Means
Written by the Rafter Team
On March 31, 2026, Anthropic published version 2.1.88 of Claude Code to the npm registry. It contained something it shouldn't have: a 60MB source map file with the complete, readable source code for the entire application.
This wasn't a hack or a security breach. It was a build configuration oversight — the kind of mistake that's easy to make and hard to undo once a package is published. The incident offers some useful lessons for any team that publishes software through package registries.
What Happened
Claude Code is built using the Bun runtime, which generates source maps by default during the build process. Source maps are debugging files that map minified production code back to the original source — they're useful during development, but they're not meant to be included in published packages.
In this case, the source map file (cli.js.map) wasn't excluded from the npm package. The likely fix would have been a single line in .npmignore — something like *.map. That line wasn't there, and the file shipped.
A security researcher, Chaofan Shou, noticed the unusually large package size and extracted the source. Within hours, the code was being analyzed and shared across developer communities.
What Was in the Leak
The source map contained roughly 1,900 files and 512,000 lines of TypeScript code. Analysts found:
- System prompts and tool definitions — the instructions that shape how Claude Code behaves
- Permission and authorization logic — how the tool decides what actions to allow
- Internal feature flags — unreleased features and configuration options
- Internal dependency and package names — the building blocks of the application
Anthropic confirmed the leak, attributed it to human error, and issued DMCA takedown notices. But as anyone familiar with npm knows, published packages are cached broadly. The code is effectively public.
What Happened Next
The more notable consequence was opportunistic. Shortly after the leak, an npm user registered several packages with names matching Claude Code's internal dependencies: audio-capture-napi, color-diff-napi, image-processor-napi, modifiers-napi, and url-handler-napi.
These were empty packages — no malicious code. But the pattern is a well-known precursor to supply chain attacks: register the name, wait for installations (from developers or automated build systems), then push a malicious update later. Security researcher Clément Dumas flagged the typosquatting quickly, noting that they were "empty stubs, but that's how these attacks work."
There's no evidence that any harmful code was delivered through these packages. But the incident illustrates a broader point: even an accidental disclosure can create new openings for opportunistic actors.
Anti-Distillation Defenses
Perhaps the most interesting thing the leak revealed was anti-distillation defenses. Distillation is how AI labs steal each other's homework—you study how a competitor's model behaves, then train your own model to reproduce those behaviors at lower cost. Claude Code's source showed a flag called ANTI_DISTILLATION_CC that silently injects fake tool definitions into the system prompt, so anyone trying to learn from Claude's outputs and replicate them would ingest poisoned data that corrupts their own model's tool-use capabilities. A second mechanism summarizes the model's reasoning between tool calls and returns only the summary with a cryptographic signature, so observers never see the full chain of thought.
This is probably the strongest argument that the leak wasn't intentional — these defenses are significantly less effective now that the mechanism is public. It's also worth noting that Claude Code users reported aggressive rate limit changes shortly after the leak. One possible explanation: Anthropic tightened rate limits to reduce the window for distillation before they could build and ship new defenses.
An internal code comment in the leaked source, dated March 10, noted that a compaction retry bug was wasting roughly 250,000 API calls per day globally. Anthropic shipped a fix for an autocompact loop in the next release but never publicly confirmed the scale of the waste. Whether the rate limit instability was about distillation risk, the compaction bug, or something else entirely is unclear — but the sequence is suggestive.
What This Wasn't
It's important to be precise about what happened:
- Not a security breach. No systems were compromised. No attacker gained access to Anthropic's infrastructure or user data.
- Not a data leak. No user information, API keys, or credentials were exposed.
- Not a vulnerability. The leaked source doesn't reveal exploitable security flaws in Claude Code.
This was a release engineering mistake — a file that should have been excluded from the package wasn't. Embarrassing for Anthropic, but not a crisis for their users.
Lessons for Development Teams
If You Publish npm Packages
Audit what ships in your packages. Run npm pack --dry-run and review the file list before every release. Source maps, test fixtures, .env files, internal documentation, and debug logs have a habit of slipping through.
Use .npmignore or the files field in package.json. The files field is an allowlist approach — only the files you explicitly list get published. It's safer than .npmignore, which is a blocklist that can miss things.
Check your build tool defaults. Different build tools handle source maps differently. Bun generates them by default. If your build pipeline produces artifacts you don't want to publish, make sure your packaging step filters them out.
If You Consume npm Packages
Be aware of what you're installing. Most developers never look at the contents of their node_modules. Occasionally checking the actual size and file contents of key dependencies can surface unexpected inclusions.
Minimize your dependency surface. Anthropic has since deprecated npm installation for Claude Code in favor of a standalone installer. This isn't just about the leak — it's a recognition that for developer tools with broad system access, relying on the npm dependency chain introduces unnecessary risk.
Run dependency scans. Regular scans catch known vulnerabilities and supply chain compromises in your dependency tree. Rafter's Fast Scan can check a project in under a minute and flag issues before they reach production.
The Broader Context
The Claude Code leak happened on the same day as the axios npm supply chain attack — an unrelated but much more serious incident where a North Korean hacking group published backdoored versions of the popular HTTP client library. The two events are coincidental, but together they've prompted a broader conversation about the security of the npm ecosystem and the trust model it relies on.
For Anthropic specifically, the leak has accelerated their move away from npm as a distribution channel. For the rest of the ecosystem, it's a reminder that package registries are public infrastructure, and what you publish to them is — for practical purposes — permanent.