Claude Code source map leak reveals minified JavaScript was already public on npm

What actually happened with the "leak"

A .map source map file meant for internal debugging was accidentally included in version 2.1.88 of the @anthropic-ai/claude-code package on npm. Security researcher Chaofan Shou spotted it and posted on X. Anthropic confirmed this was a "release packaging issue caused by human error, not a security breach." The package was pulled, but it had already been mirrored everywhere.

This is the second time this happened - a nearly identical source map leak occurred in February 2025, thirteen months earlier.

The code was already public

Claude Code ships as a single bundled JavaScript file - cli.js - distributed via npm. It's 13MB, 16,824 lines of JavaScript, and has been publicly accessible on unpkg.com/@anthropic-ai/claude-code/cli.js since the product launched.

The file is minified but not obfuscated. Here's the difference:

• Minification (what every bundler like esbuild, Webpack, Rollup does by default) shortens variable names and removes whitespace
• Obfuscation encrypts strings, flattens control flow, injects dead code, adds anti-tamper mechanisms

Claude Code has standard minification with variable name mangling and whitespace removal, but none of the obfuscation techniques:

• String encryption/encoding: No
• Control flow flattening: No
• Dead code injection: No
• Self-defending / anti-tamper: No
• String array rotation: No
• Property name mangling: No

Extracting the plaintext content

All 148,000+ string literals sit in plaintext. Every system prompt, every tool description, every behavioral instruction is readable with a text editor. No source maps needed.

Using a simple AST-based extraction script, the full 13MB file can be parsed in 1.47 seconds to extract 147,992 strings. After categorizing:

• 1,017 system prompts and instructions
• 431 tool descriptions
• 837 unique telemetry event names (all prefixed with tengu_ - Claude Code's internal codename)
• 504 environment variables controlling the product's behavior
• 3,196 error messages
• Hardcoded endpoints, OAuth URLs, a DataDog API key, the complete model catalog

Community reaction

Within a single day after the source map discovery:

• Code dumps appeared on GitHub (like nirholas/claude-code), DMCA'd by Anthropic within hours but forked hundreds of times
• Claw Code - a full Rust rewrite of the Claude Code architecture - hit 50,000 GitHub stars in 2 hours, making it the fastest repo in history to reach that milestone
• ccleaks.com popped up - a fully designed breakdown site cataloging every unreleased feature, hidden command, and build flag found in the source
• Dozens of analysis articles on DEV Community, YouTube, and tech blogs dissecting every detail

Geoffrey Huntley published a full "cleanroom transpilation" of Claude Code months before this incident.