Anthropic, the San Francisco-based artificial intelligence firm, inadvertently divulged the entire source code of its AI programming tool, Claude Code, on Tuesday, as reported by NDTV.
This inadvertent disclosure resulted from a fundamental packaging error, which security experts assert should be unequivocally avoided in any polished software release.
On the same day, security researcher Chaofan Shau uncovered the complete source code of Claude Code—an essential command-line tool used by the AI company.
The mishap arose from a 60MB source file map (cli.js.map) incorporated within its npm package, enabling the recreation of the original TypeScript code from its compiled format, the report elucidated.
The npm registry, hosting the file in question, serves as the largest public repository for software packages, facilitating developers in the distribution and acquisition of various tools.
What did the source code reveal?
The exposed source code illuminated the inner mechanisms of the agentic AI platform. Reports indicated that within hours, a multitude of developers had copied and disseminated the approximately 512,000-line TypeScript codebase on GitHub, meticulously scrutinizing its functionalities and internal memory architecture previously restricted to Anthropic’s engineers.
According to BlockBeats, this leak impacts only a segment of the Claude Code tool itself, devoid of any user data or the AI’s pivotal systems, thus imposing no immediate threat to ordinary users.
In layman’s terms, personal information and conversations remain secure. Nonetheless, the public availability of the comprehensive codebase allows anyone to comprehend its construction, operational mechanics, and its methodologies for usage tracking and security.
What is source code?
As illustrated in the NDTV report, source code constitutes the original, human-readable set of instructions authored by developers to create software.
Upon the public release of software, the code is typically compiled or packaged into a more concise and less intelligible format to safeguard the company’s intellectual property and internal logic.
A source map is an auxiliary file utilized during development, linking a program’s compressed, production-ready code back to its original, human-readable version. This tool assists developers in debugging and resolving issues with greater efficacy.
However, such files should not be included in public releases, as they can essentially expose the entirety of the underlying codebase.
BlockBeats further reports that the latest iteration of Claude Code (v2.1.88), unveiled on March 31, still incorporated this file.
It allegedly contained the full code for 1,906 proprietary source files, detailing aspects such as internal API structures, telemetry systems, encryption protocols, and inter-process communication mechanisms.
Second exposure in a year
Emerging reports indicate that this is not the inaugural instance of the AI firm exposing its source code.
Odaily, a blockchain-centric media outlet, disclosed that a prior version of Claude Code suffered a similar fate back in February 2025 due to a comparable oversight. At that time, Anthropic promptly removed the outdated version from npm and eliminated the source map.
Source link: Livemint.com.
