Do Son 
In a major configuration oversight, the source code for Claude Code—Anthropic’s flagship agentic CLI tool—was recently leaked via its own public npm registry. The exposure, first highlighted by security researcher Chaofan Shou (@Fried_rice), wasn’t the result of a sophisticated hack but a common developer error: shipping production code alongside its source map files.
These files act as a “blueprint” that allows anyone to translate scrambled, machine-efficient code back into the original, human-readable TypeScript written by Anthropic engineers.
Claude code source code has been leaked via a map file in their npm registry!
Code: https://t.co/jBiMoOzt8G pic.twitter.com/rYo5hbvEj8
— Chaofan Shou (@Fried_rice) March 31, 2026
While the leak does not grant access to personal user data, it has effectively handed the tool’s proprietary “secret sauce” to the public. The exposed directory structure reveals the inner workings of Claude’s most advanced capabilities:
- The Query Engine (QueryEngine.ts): A massive 46,000-line file that serves as the core for LLM API calls, managing everything from “thinking mode” and retry logic to token counting.
- The Tool System (src/tools/): Detailed implementations of over 40 agent tools, including BashTool for shell execution, FileEditTool for partial modifications, and even AgentTool for spawning sub-agents.
- The Permission System: A critical module that “checks permissions on every tool invocation,” deciding whether to prompt the user or auto-resolve based on configured modes like plan or auto.
The leak also peeled back the curtain on Anthropic’s future roadmap. By analyzing the build-time “feature flags,” the community discovered references to unreleased AI features and upcoming models. Notable flags found in the code include:
- VOICE_MODE: Suggesting upcoming voice input capabilities.
- PROACTIVE and KAIROS: Internal projects likely related to more autonomous agent behaviors.
- BRIDGE_MODE: A bidirectional communication layer designed to connect IDE extensions like VS Code and JetBrains directly with the Claude Code CLI.
The impact of the leak was immediate. Because the unobfuscated source was briefly downloadable as a zip archive from Anthropic’s storage, users have already begun hosting reconstructed versions of the repository on platforms like GitHub.
For a tool as powerful as Claude Code—which can execute shell commands and modify files—the public exposure of its internal logic and system prompts represents a significant blow to Anthropic’s intellectual property security.
Anthropic has since moved to secure the registry, but the “blueprint” for their agentic future is now out in the open.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
