Claude Code unintentionally open source: Source map reveals all
The source code of Anthropic's CLI tool Claude Code was accidentally made publicly accessible via a source map in the npm registry.
The source code for Anthropic's CLI tool Claude Code was apparently unintentionally made publicly accessible on March 31, 2026. According to consistent reports, the trigger was a co-published source map file in the npm registry. Security expert Chaofan Shou pointed it out via X, and shortly thereafter, a complete snapshot of the code appeared in a public GitHub repository.
According to the repository, the mirrored code comprises around 1900 files with over 512,000 lines. Claude Code is a command-line tool that allows developers to access Anthropic's AI models using natural language and perform typical tasks such as editing files or executing commands.
Source Map as an Entry Point
Source maps are intended to map compressed or bundled code back to the original source files. If they end up in published packages, however, they can give access to the original code. In this case, the file apparently pointed to unminified TypeScript sources that could be downloaded.
A faulty package configuration during publication via npm is considered the likely cause. Anthropic reacted quickly: the affected package version has already been removed from the npm registry and replaced with a cleaned-up version without source maps. The company had not issued an official statement at the time of this report.
Modular Architecture with Bun and React
An initial look at the material reveals a modular codebase. According to the code, the tool uses the Bun JavaScript runtime environment and, for the terminal interface, relies on React in combination with the Ink library. The code also includes, among other things, a command system, an interface to development environments, and mechanisms for controlling permissions.
The code initially spread via social networks and developer forums on Reddit. In parallel, the repository was created on GitHub, mirroring the code for analysis purposes and explicitly classifying it as research and teaching material.
The repository now contains what appears to be a rewrite of the code in Python, though it was not written by the original contributor. As a precaution, we have removed the link to the repository.
According to CNBC, Anthropic has confirmed an unintentional code leak. "No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said in a statement. "This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again."
(fo)