It’s a developer’s worst nightmare: you ship a product, and then you accidentally ship the source code along with it. That’s exactly what happened to Anthropic this week, and the fallout has already sent shockwaves through the tech community. A security researcher spotted a massive error in the npm registry, revealing a 57MB source map file containing the full, unobfuscated source code for Claude Code.
How a 57MB Mistake Exposed Millions of Lines
Claude Code is a massive hit. It’s an agentic AI coding assistant that lives inside your terminal, capable of editing files and managing entire projects locally. Anthropic distributes it as a closed-source, obfuscated npm package for security reasons. If you use it, you’re trusting the company to keep the internal logic under wraps. The problem is, on Tuesday, a package on the npm registry—specifically Claude Code v.0.9.9—contained more than it should have.
According to reports, the .map file included 512,000 lines of code across 1,900 files. You see, source map files are usually used by developers to debug errors, not distributed to users. This one, however, contained the full, unobfuscated TypeScript source code. The code includes the core engine for LLM API calls, streaming responses, tool-call loops, permission models, and even token counting. Some eagle-eyed developers on Hacker News even found a regex filter designed to detect and block negative sentiment in user prompts, complete with a list of swear words.
Open Source? Not So Fast
But the leak doesn’t stop there. Multiple mirrors have already been published on GitHub, with one repository amassing nearly 30,000 stars and 40,200 forks, while another sits at 425 stars with 520 forks, where users are busy dissecting the tool’s inner workings. The exposed source code makes it incredibly easy to reverse-engineer the tool, identify security risks, or steal intellectual property.
Here’s the kicker: just because the source is now “available” doesn’t mean it’s open source. Full-stack developer Justin Schroeder was quick to point out on X that this is a violation of Anthropic’s license. “You are violating a license if you copy or redistribute the source code, or use their prompts in your next project,” he warned. So, while the catwalk is open, you can’t just waltz in and take a piece of it without risking legal action.
Looking Forward
It’s a bizarre twist for a company that built its reputation on responsible AI development. They haven’t released an official statement yet, but Cybernews has reached out for comment. In the meantime, the tech world is watching Anthropic’s next move closely, wondering what a 57MB source map file will cost them. If you’ve been following Anthropic, you’re likely asking yourself how a team handling some of the most sensitive AI code on the planet let this slip through the cracks.
