If you’ve integrated Anthropic’s Claude Code into your workflow, you’ve seen what it can do. It’s impressive, sure. But what if the magic didn’t stay behind the scenes? On March 31, 2026, a security researcher stumbled upon a massive leak that exposed the entire source code of the Claude Code CLI tool. We’re talking about 510,000 lines of TypeScript, not a snippet, but the complete blueprints. It’s a story of accidental transparency, and it’s a stark reminder that even the most advanced AI tools can have human breaks in their defenses.
How the npm Registry Unlocked Anthropic’s Vault
The incident began when Chaofan Shou (@shoucccc) noticed something odd in the npm registry. Anthropic had included a source map file in the distribution of the Claude Code package. For those new to this, source maps are usually a developer tool—they bridge the gap between minified code and the original source, helping you debug. Here, however, that bridge led straight to the treasure chest. The source map pointed Anthropic’s storage bucket to unobfuscated TypeScript sources, making them publicly downloadable.
It’s a textbook example of a supply chain failure. A build artifact meant for debugging became a treasure trove for everyone else. The leaked code quickly found its way to GitHub, where it’s already gathered over 1,100 stars. The repository contains roughly 1,900 TypeScript files, 50 slash commands, and 40 built-in tools. It looks like a production-grade, heavily architected system running on Bun, featuring a modular architecture that any engineer would appreciate studying.
What’s Inside the Leaked Claude Code
The leak reveals that Claude Code is far more than a simple chat wrapper. Its tool system, with 40 distinct capabilities, uses a plugin-like architecture where each feature is a discrete, permission-gated entity. The base tool definition alone spans 29,000 lines of TypeScript. Then there’s the Query Engine, which handles LLM API calls, streaming, and orchestration. It’s the largest single module, clocking in at 46,000 lines.
It’s a complex, interconnected system. Claude Code supports multi-agent orchestration, capable of spawning sub-agents to handle complex, parallelizable tasks. Each agent runs in its own context with specific tool permissions. The tool even features a bidirectional IDE Bridge System, connecting VS Code and JetBrains extensions via JWT-authenticated channels. Anthropic just put it all on display.
Anthropic’s Acknowledgment: “Human Error” and a New Model
Anthropic isn’t hiding from the leak. A statement to Fortune acknowledged a “human error” in the configuration of their CMS had caused draft content to become publicly accessible. This wasn’t just about the npm source map, though. The leak also exposed a new, powerful model, later dubbed “Claude Mythos.” Anthropic confirmed that the leak revealed a step-change in capabilities, even if they are currently testing the model.
It’s a wake-up call for the industry. As more teams integrate AI agents into their workflows, the attack surface grows. If Anthropic, a leader in the space, can have a build pipeline slip, what about everyone else? The solution isn’t paranoia—it’s rigor. We need better supply chain hygiene and a renewed focus on what we actually need to expose.
From my perspective, this is less about the leaked code and more about the trust equation. We trust Anthropic with our codebases; they need to reciprocate that trust with impeccable security. If the tool is going to edit files and run commands, the pipeline delivering it better be bulletproof. This leak is a painful reminder that even the biggest players are human.
