The source code for Anthropic’s Claude Code CLI tool has been leaked, following the discovery of an extracted TypeScript source code from an npm package. This incident highlights potential vulnerabilities in software distribution practices.
Details of the Leak
The leak was first reported by Chaofan Shou (@Fried_rice) on March 31, 2026, who noted that the source code was accessible via a source map file included in the npm package @anthropic-ai/claude-code v2.1.88. The source map, specifically cli.js.map, contained the entire, unobfuscated TypeScript codebase, making it easy to extract.
How the Source Code Was Extracted
The repository on GitHub, titled claude-code, serves as an unofficial source extraction of the leaked code. It provides instructions for users to clone the repository or extract the source code directly from the npm package. The extraction process involves running a script that reads the source map and writes the original TypeScript files to a designated directory.
Implications for Anthropic
This leak raises significant concerns regarding the security of proprietary software. The fact that the source code was bundled with the npm package suggests a need for stricter controls over how source maps are distributed. While the repository is intended for educational and reference purposes, it poses risks to Anthropic’s intellectual property.
Legal and Ethical Considerations
All code within the repository is stated to be the intellectual property of Anthropic, and the repository itself is not affiliated with or endorsed by the company. This situation underscores the importance of adhering to licensing terms and the potential legal ramifications of unauthorized code distribution.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.
