HIGH·supply-chain

Claude Code — full source leaked via 59.8MB npm sourcemap

Anthropic accidentally exposed the full source code of Claude Code through a 59.8MB JavaScript sourcemap file bundled in the public npm package @anthropic-ai/claude-code v2.1.88. Within hours, the ~512,000-line TypeScript codebase was mirrored across GitHub and analyzed by thousands of developers.

Victim: Anthropic / Claude Code users

What happened

VentureBeat reported on March 31, 2026 that Anthropic's npm publish pipeline shipped a sourcemap referencing every internal file. The sourcemap was 59.8MB; the embedded sources accounted for roughly 512,000 lines of TypeScript. Hours after disclosure, multiple GitHub mirrors held the code, with researchers analyzing internal undocumented features and prompt strings.

Timeline

  1. Anthropic ships @anthropic-ai/claude-code@2.1.88 to npm with bundled sourcemap.

  2. Researchers identify the bundled sourcemap; full TS source is reconstructable.

  3. Multiple GitHub mirrors of the reconstructed source appear publicly.

  4. Alex Kim and others publish technical analyses; embedded prompts and internal tool names exposed.

  5. Anthropic publishes a patched npm version stripping sourcemaps; older version remains in the registry.

Root cause

Build pipeline misconfiguration: sourcemap generation was on by default, and the npm publish step did not strip .map files. A sourcemap embeds every source file's path and content; when shipped publicly, it lets anyone reconstruct the entire source tree that fed the bundler.

Impact

  • 512,000 lines of internal Anthropic TypeScript exposed
  • Multiple GitHub mirrors publicly archive the reconstructed source
  • Internal undocumented features, prompt strings, and tool names visible to researchers
  • Reputational impact + potential trade-secret loss
  • Set precedent that npm-shipped sourcemaps are a routine leak vector

Would Securie have caught it?

Yes. Securie's static-rules pre-filter detects sourcemap files (`.map` artifacts) in npm-publish candidate sets before release. The Vercel deploy-gate's secret-scan layer also flags the source-path strings Securie's secret_scanner specialist sees inside leaked sourcemaps. A pre-publish gate naming the offending sourcemap would have blocked the v2.1.88 release.

Lessons

  • Strip sourcemaps from npm publish artifacts unless deliberately public
  • Run a pre-publish artifact scan on every release pipeline
  • Internal prompt strings and tool names in source are sensitive — treat them as secrets
  • Sourcemap leaks are silent — the package looks normal until reconstruction reveals the source
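A pre-publish gate of the kind these lessons (and the Securie gate above) describe, as an added example that is not Anthropic's or Securie's code: it inspects the set of files npm is about to publish and reports any .map file, any bundle that references an external map, and any inline data: URL map, noting for each map whether sourcesContent embeds the source text. The file set here is a constructed in-memory map; in a real pipeline it would be read from the package directory (the file list `npm pack --dry-run --json` prints) and a non-ok result would fail the prepublishOnly script.

```javascript
const MAP_URL_RE = /\/\/[#@]\s*sourceMappingURL=(\S+)/g;
const DATA_URL_RE = /^data:application\/json;(?:charset=[^;]+;)?base64,(.+)$/;
// Summarise a sourcemap: how many source paths it lists and whether sourcesContent
// carries their full text, which is what lets a reader rebuild the source tree.
function describeMap(json) {
  let map = null;
  try { map = JSON.parse(json); } catch (e) { /* not JSON: still a .map artifact */ }
  const sources = map && Array.isArray(map.sources) ? map.sources.length : 0;
  const embedsSource = Boolean(map && Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean));
  return { sources, embedsSource };
}

// Inspect one file of the publish candidate set; returns findings (empty when clean).
function inspectFile(relPath, content) {
  const findings = [];
  if (relPath.endsWith('.map')) {
    findings.push({ file: relPath, kind: 'sourcemap-file', ...describeMap(content) });
  } else if (/\.(m?js|cjs)$/.test(relPath)) {
    for (const m of content.matchAll(MAP_URL_RE)) {
      const b64 = m[1].match(DATA_URL_RE);
      if (b64) { // inline map: decode and inspect it like a .map file
        const json = Buffer.from(b64[1], 'base64').toString('utf8');
        findings.push({ file: relPath, kind: 'inline-sourcemap', ...describeMap(json) });
      } else {
        findings.push({ file: relPath, kind: 'sourcemap-reference', target: m[1] });
      }
    }
  }
  return findings;
}

// Gate over {relPath: content}; ok === false should fail the prepublish step.
function gate(files) {
  const findings = Object.entries(files).flatMap(([p, c]) => inspectFile(p, c));
  return { ok: findings.length === 0, findings };
}

// Constructed sample candidate set: one bundle with an external map, one with an
// inline map, one clean module. Not real package contents.
const INLINE_MAP = Buffer.from(JSON.stringify({ version: 3, sources: ['src/c.ts'],
  sourcesContent: ['export const c = 3;'], mappings: '' })).toString('base64');
const SAMPLE_FILES = {
  'cli.js': 'console.log(1);\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': JSON.stringify({ version: 3, sources: ['src/a.ts', 'src/b.ts'],
    sourcesContent: ['export const a = 1;', 'export const b = 2;'], mappings: '' }),
  'inline.js': 'x;\n//# sourceMappingURL=data:application/json;base64,' + INLINE_MAP + '\n',
  'clean.js': 'module.exports = 1;\n',
};
function checkSample() { return gate(SAMPLE_FILES); } // ok: false, 3 findings
```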

References