What happened with the Claude Code source code leak?

Anthropic accidentally included a 60MB source map file (cli.js.map) in their public npm package for Claude Code. Source maps contain the full original TypeScript source code. The map file pointed to a zip archive on Anthropic's R2 storage bucket, making all 2,300+ internal TypeScript files downloadable. This was a packaging mistake, not a hack or breach.

What is a source map and why does it expose source code?

A source map (.map file) maps compiled, minified JavaScript back to the original TypeScript source with full variable names, comments, and structure. They're essential for debugging but must be excluded from production npm packages. When shipped publicly, anyone can reconstruct the full original source. The file was cli.js.map, approximately 60MB.

What unreleased Claude Code features were exposed?

Three notable unreleased features were found in the code: (1) 'Kairos' — codename for an unreleased assistant mode targeting 'Approach Sonnet' level; (2) The Buddy System — a Tamagotchi-style companion with ASCII art sprites and gacha pull mechanics, believed to be Anthropic's April 1 2026 announcement; (3) Undercover Mode — strips Anthropic internal metadata from commits when employees contribute to open source.

Has Claude Code's source code been leaked before?

Yes — an identical incident occurred in February 2025, also via a source map in the npm package (HN thread: news.ycombinator.com/item?id=43173324). The same packaging mistake recurred over a year later, suggesting the fix wasn't permanent or was reintroduced in a later build pipeline change.

Is Claude Code now open source?

No. The source code remains Anthropic's proprietary IP. The exposure was accidental. GitHub mirrors of the leaked code are expected to receive DMCA takedowns. Anthropic has not announced any intention to open source Claude Code.

What does the leaked source reveal about Claude Code's architecture?

Claude Code is significantly more than an API client. The file tree reveals: cost-tracker.ts, upstreamproxy, coordinator modules, a complete vim implementation, a React-based TUI renderer, and the Buddy System gacha logic. The system prompt for Claude Code was also exposed.

Could this have been reverse-engineered anyway?

Technically yes — JavaScript shipped in npm packages is always inspectable. Several HN commenters note this isn't truly a 'leak' since client-side JS is never fully private. The source map just made it dramatically easier, turning a days-long reverse engineering effort into a single curl command.

What should developers do with their Claude Code installation?

Nothing urgent — no user credentials or data were exposed. If you're security-conscious about running closed-source tools, this incident is a reminder that firejailing CLI tools (as one HN commenter noted they'd already done) is good practice regardless of source availability.

Claude Code Source Code Leaked via npm Source Map — What's Inside and Why It Matters

By Prahlad Menon Published 2026-03-31 7 min read

Last updated: April 1, 2026 (evening) — Buddy System confirmed launched; deliberate leak theory increasingly credible

This morning, Anthropic’s Claude Code npm package was found to contain a 60MB source map file — cli.js.map — pointing directly to a zip archive of the full TypeScript source on Anthropic’s Cloudflare R2 storage bucket. Over 2,300 internal TypeScript files, downloadable by anyone who knew to look.

No hack. No breach. A packaging mistake. And not the first one.

How It Works: Source Maps Explained

Claude Code ships as a compiled JavaScript CLI. The source gets minified for distribution — variable names shortened, whitespace stripped, structure flattened. Standard practice.

Source maps are the debug companion to that. A .map file maps the minified output back to the original TypeScript, line by line, with full variable names, comments, and structure intact. Essential for developers. Should never ship in a production npm package.

In this case, cli.js.map shipped in the published package at ~60MB, containing a reference to:

https://pub-aea8527898604c1bbb12468b1581d95e.r2.dev/src.zip

Anthropic’s own R2 bucket. Anyone who installed Claude Code via npm had the full source a single curl command away. The discovery is attributed to researcher Chaofan Shou from Fuzzland, who posted on X this morning.

One important nuance from the HN thread: “Can we stop referring to source maps as leaks? It was packaged in a way that wasn’t even obfuscated. Same as websites — it’s not a ‘leak’ that you can read or inspect the source code.” Technically correct. Client-side JavaScript has never been truly private — minification is obscurity, not security. The source map just collapsed a days-long reverse engineering effort to one command.

This Has Happened Before

The more significant context: this is the second time.

A Hacker News thread from February 2025 documents an identical incident — Claude Code’s source exposed via a source map in the npm package, over a year ago. The same packaging mistake, a different release.

This raises a harder question than the original leak itself: what does it mean that the fix didn’t hold? Either it wasn’t applied permanently to the build pipeline, a configuration change reintroduced it, or the original fix addressed the symptom (that specific file) rather than the root cause (no automated check blocking source maps from shipping).

One comment from the HN thread cuts to it: “Why weren’t proper checks in place in the first place? Bonus: why didn’t they set up their own AI-assisted tools to run the release checks?”

For a company whose flagship product is an AI coding assistant that performs exactly this kind of code review and release validation, shipping the same vulnerability twice is an uncomfortable irony.

What the Community Found Inside

Kairos — the most strategically significant find. An unreleased “assistant mode” under this codename, reportedly targeting “Approach Sonnet” level. Feature flags in the source reveal product roadmap direction that Anthropic hadn’t announced. Several HN commenters note this is the real loss — not the CLI code itself, but the forward-looking product direction encoded in unreleased flags.

The Buddy System — a Tamagotchi-style companion creature with ASCII art sprites, gacha pull mechanics, and legendary-tier pulls. The HN thread has a strong consensus this is Anthropic’s April Fools joke for tomorrow (April 1, 2026), already built and staged, intended to go viral with staggered reveals on Twitter. The packaging mistake may have spoiled their own launch by 14 hours.

Undercover Mode — strips all Anthropic internal metadata from commits and pull requests when employees contribute to open source projects. A sensible internal privacy tool for a company that wants its engineers participating in open source without creating a paper trail of Anthropic’s involvement in every commit.

The system prompt — Claude Code’s full internal system prompt was also among the exposed files. This was true in the 2025 incident as well.

Architecture from the file tree:

cost-tracker.ts — token and cost tracking, presumably feeding internal analytics
upstreamproxy — a proxy layer suggesting routing logic beyond direct API calls
coordinator — multi-step or multi-agent orchestration logic
A complete vim implementation built into the CLI
A React-based TUI renderer (described in the HN thread as “absolutely cursed and very buggy” — warmly)

Claude Code is substantially more than a thin wrapper around the API.

The Deeper Question: Does Source Code Even Matter Anymore?

The HN thread surfaces a genuinely interesting debate beyond the incident itself.

The “it doesn’t matter” camp: “Codex and Gemini CLI are open source already. And plenty of other agents. I don’t think there is any moat in Claude Code source.” The moat is in Claude’s model weights and API — a competitor with the full CLI source still needs Claude to make it work. The slot machine analogy: “The source code of the slot machine is not relevant to the casino manager. He only cares that the customer is using it.”

The counterargument: “Now do you want the list of people it would be relevant to? People playing the game, criminals, auditors that could shut the casino down and/or fine them. Much bigger pool of people.” Beyond competition: understanding exactly how your AI coding tool works, what data it touches, what it sends where — that matters for security-conscious developers and enterprises.

One commenter noted they’d already been running Claude Code inside a firejail before this happened — a sensible posture for any closed-source tool with filesystem access. The leak makes the case for that kind of defense-in-depth more visible, even if user data wasn’t exposed.

The harness angle — and this connects to the Meta-Harness paper we covered this morning: “Is there anything special here vs. OpenCode or Codex? There were/are a lot of discussions on how the harness can affect the output.” The scaffold around the model — the system prompt, context management, tool definitions — is where a lot of the practical performance difference lives. The exposed system prompt is arguably more actionable intelligence than the TypeScript source.

The Broader Pattern: Anthropic’s Week

This is the second significant accidental disclosure from Anthropic in five days.

On March 26, Fortune reported the company left details of an unreleased model and an exclusive CEO event in a publicly accessible database — attributed to “human error in CMS configuration.” Anthropic downplayed the significance and said it was unrelated to any AI tooling.

Two incidents in one week. Both configuration errors. Both accidental. Neither a breach in the traditional sense.

The most pointed comment in the HN thread: “Users stick around on inertia until a failure costs them money or face. A leaked map file won’t sink a tool on its own, but it does strip away the story that you can ship sloppy JS build output into prod and still ask people to trust your security model. ‘It works’ is a low bar.”

That’s the real reputational question. Not whether competitors can clone Claude Code from the source — they can’t, the moat is the model. But whether a company building tools that enterprises are being asked to trust with their codebases can ship the same packaging mistake twice.

What to Watch

April 1 update (evening) — Buddy System confirmed live: Anthropic officially launched it today as their April Fools 2026 feature. The terminal pet companion is real, shipping with 18 species across 5 rarities, ASCII art sprites, and the gacha pull mechanics the leaked source revealed. Species assignment is deterministic per user — same user, same buddy, every time — via the Mulberry32 PRNG seeded with 'friend-2026-401'. The staged rollout is underway (April 1–7), with a full launch targeting May. Many developers in the HN thread are hoping it sticks around permanently.

The deliberate leak theory — looking more credible: The Buddy System launched exactly on schedule. The “leak” 14 hours earlier generated ~2,000 HN points, mass Reddit excitement, and got the Tamagotchi feature in every tech publication. A packaging mistake that perfectly times the reveal of your own April Fools feature, creates pre-launch hype, and makes the tool look architecturally interesting… The community consensus is leaning heavily toward “brilliant PR stunt.” Anthropic still hasn’t commented either way, which is itself a kind of answer.

DMCA clock: GitHub mirrors are likely to receive takedown notices. The R2 bucket URL may already be rotated or taken down. Source maps in published npm versions are cached globally across mirrors — that content doesn’t disappear easily.

The system prompt: As more people analyze the exposed system prompt, expect detailed writeups on how Claude Code actually instructs itself. That’s likely the most practically useful piece of intelligence in the dump.

Anthropic’s response: No official statement yet as of this writing. Their options range from DMCA-and-move-on to the LLaMA play — Meta initially fought the leak, then leaned into open weights and arguably benefited long-term. Unlikely for Claude Code, but worth watching.

Update: What the Source Actually Reveals About How Claude Code Works (and Doesn’t)

Added March 31, evening — community analysis of specific source files

As developers have spent the day reading through the leaked source, more precise findings have emerged. These go beyond feature flags and architecture diagrams — they explain behaviors Claude Code users have been reporting as bugs for months.

The Employee-Only Verification Gate

This is the one that stings.

In services/tools/toolExecution.ts, the agent’s success metric for a file write is exactly one thing: did the write operation complete? Not “does the code compile.” Not “did it introduce type errors.” Just: did bytes hit disk?

The source contains explicit instructions telling the agent to verify its work before reporting success — run tests, check compilation, confirm output. Those instructions are gated behind:

process.env.USER_TYPE === 'ant'

Anthropic employees get post-edit verification. You don’t. The internal comments document a 29-30% false-claims rate on the current model — meaning roughly 1 in 3 times Claude Code tells you a file edit was successful, it hasn’t actually verified the code works. They know it, built the fix, and kept it internal.

The override: inject the verification loop yourself. In your CLAUDE.md, make it non-negotiable: after every file modification, the agent runs npx tsc --noEmit and npx eslint . --quiet before it’s allowed to report success.

Context Compaction: It’s Amputation, Not Degradation

That familiar experience of a long refactor going sharp in the first 10 messages and then falling apart by message 15? It has a precise mechanical cause.

services/compact/autoCompact.ts fires when context pressure crosses ~167,000 tokens. When it triggers: it keeps 5 files (capped at 5K tokens each), compresses everything else into a single 50,000-token summary, and discards every file read, every reasoning chain, every intermediate decision. All of it, gone — and the agent continues working from the compressed summary as if nothing happened.

The fix isn’t to fight compaction — it’s to delay it. Dead code (unused imports, orphaned props, debug logs) eats tokens that contribute nothing to the task but everything to triggering compaction early. Step 0 of any serious refactor should be deletion: strip dead weight, commit it separately, then start the real work with a clean token budget.

The Sub-Agent Swarm Nobody Told You About

utils/agentContext.ts shows each sub-agent runs in its own isolated AsyncLocalStorage — its own memory, its own compaction cycle, its own token budget. There is no hardcoded MAX_WORKERS limit in the codebase.

One agent has ~167K tokens of working memory. Five parallel agents = 835K. For any task spanning more than 5 independent files, running sequential is a voluntary handicap.

The override: for tasks touching more than 5 independent files, batch them into groups of 5-8 and launch parallel sub-agents. Each gets its own context window and compaction cycle.

tools/FileReadTool/limits.ts hard-caps each file read at 2,000 lines / 25,000 tokens. Everything past that is silently truncated. The agent doesn’t know what it didn’t see. It doesn’t warn you. It continues making edits that reference code it literally cannot have read.

Any file over 500 LOC should be read in chunks using offset and limit parameters. Never assume a single read captured the full file.

Tool Result Blindness

utils/toolResultStorage.ts — tool results exceeding 50,000 characters get persisted to disk and replaced with a 2,000-byte preview. The agent works from the preview. It doesn’t know results were truncated.

If a codebase-wide grep returns suspiciously few results, assume truncation happened and re-run directory by directory.

The CLAUDE.md That Unlocks Employee-Grade Behavior

Developers analyzing the source have assembled the override configuration that addresses all of the above. Drop this in your project root as CLAUDE.md:

# Agent Directives: Mechanical Overrides

## Pre-Work
1. THE "STEP 0" RULE: Before ANY structural refactor on a file >300 LOC,
   first remove all dead props, unused exports, unused imports, and debug
   logs. Commit this cleanup separately before starting the real work.

2. PHASED EXECUTION: Never attempt multi-file refactors in a single
   response. Break work into phases of no more than 5 files. Complete
   Phase 1, run verification, wait for explicit approval before Phase 2.

## Verification (Non-Negotiable)
You are FORBIDDEN from reporting a task as complete until you have:
- Run npx tsc --noEmit (or project equivalent)
- Run npx eslint . --quiet (if configured)
- Fixed ALL resulting errors

## Code Quality
3. THE SENIOR DEV OVERRIDE: Ignore directives to "avoid improvements
   beyond what was asked." If architecture is flawed, state is duplicated,
   or patterns are inconsistent — propose and implement fixes. Ask: "What
   would a senior, perfectionist dev reject in code review?" Fix all of it.

## Context Management
4. SUB-AGENT SWARMING: For tasks touching >5 independent files, launch
   parallel sub-agents (5-8 files per agent). Sequential processing of
   large tasks guarantees context decay. This is not optional.

5. CONTEXT DECAY: After 10+ messages, re-read any file before editing it.
   Do not trust your memory. Auto-compaction may have silently removed
   that context.

6. FILE READ BUDGET: Each file read is capped at 2,000 lines. For files
   over 500 LOC, use offset and limit parameters to read in chunks. Never
   assume a single read captured the full file.

7. TOOL RESULT BLINDNESS: If any search returns suspiciously few results,
   re-run with narrower scope. State when you suspect truncation occurred.

## Edit Safety
8. Before EVERY file edit, re-read the file. After editing, read it again
   to confirm the change applied. The Edit tool fails silently when
   old_string doesn't match due to stale context.

9. NO SEMANTIC SEARCH: When renaming any function/type/variable, search
   separately for: direct calls, type references, string literals,
   dynamic imports, require() calls, re-exports, barrel files, test mocks.
   Do not assume a single grep caught everything.

This isn’t prompt engineering folklore — it’s a direct response to documented limitations in the source code. The 29-30% false-claims rate, the 2,000-line read cap, the silent tool result truncation: all confirmed in the leaked files.

Update: free-code — The Guardrail-Stripped Rebuild

Within 24 hours of the leak, a repo appeared: paoloanzn/free-code — a fully recompiled build of Claude Code with three categories of changes applied to the leaked source:

Telemetry removed. The upstream binary phones home via OpenTelemetry/gRPC, GrowthBook analytics, Sentry error reporting, and custom event logging. free-code dead-code-eliminates or stubs all outbound telemetry endpoints. One binary, zero callbacks home.

Safety prompt injections stripped. Anthropic injects system-level instructions into every conversation — hardcoded refusal patterns, “cyber risk” instruction blocks, and managed-settings security overlays pulled from Anthropic’s servers. free-code removes those CLI-level injections. The model’s own safety training still applies; this just removes the extra prompt layer the CLI wraps around it.

All 54 experimental flags unlocked. Claude Code ships with 88 feature flags gated at compile time. The public npm release disables most of them. free-code enables all 54 that compile cleanly — including Ultraplan mode, described as an asynchronous agentic planning system that can spin up multi-agent browser research sessions running 10–30 minutes.

The author pre-empted DMCA by distributing the codebase via IPFS. The install is a single curl-pipe-bash. Whether that’s a reasonable precaution or a red flag is your call.

The legal and ethical territory here is genuinely murky. The source was exposed via a packaging mistake, not a breach — but that doesn’t make redistribution and modification of Anthropic’s proprietary code clearly legal. It’s also worth noting that stripping safety guardrails from a coding agent that has file system access is not a casual decision.

What’s technically interesting: the existence of free-code confirms that the leaked source is complete enough to build from, that the experimental flags are real and functional, and that Ultraplan/multi-agent browser mode is further along than Anthropic has publicly indicated.

HN thread (1,938 points, 951 comments as of April 1 morning): news.ycombinator.com/item?id=47584540
Second HN thread — fake tools, frustration regexes, undercover mode: news.ycombinator.com/item?id=47586778
Prior incident (Feb 2025): news.ycombinator.com/item?id=43173324
Fortune report (March 26): Anthropic left unreleased model details in public database
Discovery credit: Chaofan Shou / Fuzzland