AI TRENDS | Anthropic's Claude Code Source Map Leak Raises Security Concerns

Blockchain security company Fuzzland's intern researcher, Chaofan Shou, highlighted on X that the npm package of Anthropic's AI programming tool, Claude Code, contains a complete source map file (cli.js.map, approximately 60MB), which can be used to reconstruct the entire TypeScript source code. According to Odaily, the latest version v2.1.88, released today, still includes this file, containing the full code of 1,906 proprietary Claude Code source files, covering internal API design, telemetry analysis systems, encryption tools, and inter-process communication protocols. Source maps are debugging files used in JavaScript development to map compressed code back to the original source code and should not appear in production release packages. In February 2025, an early version of Claude Code was exposed for the same issue, leading Anthropic to remove the old version from npm and delete the source map. However, the problem has resurfaced, with several public repositories on GitHub extracting and organizing the deobfuscated source code, including ghuntley/claude-code-source-code-deobfuscation, which has garnered nearly a thousand stars. The leak involves the client implementation code of the Claude Code CLI tool and does not include model weights or user data, posing no direct security risk to ordinary users. However, the continued exposure of the complete source code means that internal architecture, security mechanisms, and telemetry logic are entirely transparent to the public.