Latest Claude Code npm package contains a 60MB source map that continues to expose the complete source code.


CoinJie Network news: According to monitoring by 1M AI News, Chaofan Shou, an intern researcher at the blockchain security company Fuzzland, pointed out on X that the npm package of Anthropic’s AI programming tool Claude Code contains a complete source map file (cli.js.map, approximately 60MB), from which all TypeScript source code can be reconstructed. After verification, the latest version released today, v2.1.88, still includes the file, which contains the complete code for 1,906 Claude Code proprietary source files, covering implementation details such as internal API design, analytics telemetry systems, encryption tooling, inter-process communication protocols, and more. A source map is a debugging file used in JavaScript development to map minified code back to the original source code; it should not appear in production release packages. In February 2025, an early version of Claude Code was exposed for the same issue; at the time, Anthropic removed the old version from npm and deleted the source map. But the problem later resurfaced. On GitHub, multiple public repositories have already extracted and organized the reconstructed source code, and ghuntley/claude-code-source-code-deobfuscation has garnered nearly a thousand stars. What was leaked is the client implementation code of the Claude Code CLI tool, which does not involve model weights or user data, and poses no direct security risk to ordinary users. However, the continued exposure of the complete source code means the internal architecture, security mechanisms, and telemetry logic are fully transparent to the outside world.
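A release-gate check for the condition described above, as an added example (not code from the article, Anthropic or Claude Code): it flags `.map` files, embedded `sourcesContent`, and `sourceMappingURL` references in a package's file set. The function name `auditSourceMaps`, the file names and the sample contents are constructed for illustration.

```javascript
// Added example: flags source maps in a package file set; `files` maps paths to contents.
function auditSourceMaps(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    // Generated JS that points at a map: external file or inline data: URI.
    if (/\.[cm]?js$/.test(path)) {
      const ref = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/.exec(text);
      if (ref) {
        const kind = ref[1].startsWith('data:') ? 'inline-map' : 'map-reference';
        findings.push({ path, issue: kind, detail: ref[1].slice(0, 40) });
      }
    }
    if (!path.endsWith('.map')) continue;
    // A .map file in the package: parse it and count embedded original sources.
    let map;
    try {
      map = JSON.parse(text);
      if (map === null || typeof map !== 'object') throw new Error('not an object');
    } catch {
      findings.push({ path, issue: 'unparseable-map', detail: '' });
      continue;
    }
    // Index maps nest regular maps under sections[].map.
    const maps = Array.isArray(map.sections) ? map.sections.map((s) => s.map).filter(Boolean) : [map];
    let total = 0, embedded = 0;
    for (const m of maps) {
      total += Array.isArray(m.sources) ? m.sources.length : 0;
      const contents = Array.isArray(m.sourcesContent) ? m.sourcesContent : [];
      embedded += contents.filter((c) => typeof c === 'string').length;
    }
    const issue = embedded > 0 ? 'map-with-embedded-sources' : 'map-file';
    findings.push({ path, issue, detail: `${embedded}/${total} sources embedded` });
  }
  return findings;
}

// Constructed sample package contents (not taken from any real package).
const samplePackage = {
  'package.json': '{"name":"example-cli","version":"0.0.0"}',
  'cli.js': 'console.log(1);\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': JSON.stringify({
    version: 3,
    sources: ['../src/main.ts', '../src/api.ts'],
    sourcesContent: ['export const a = 1;', null],
    mappings: '',
  }),
};

for (const f of auditSourceMaps(samplePackage)) console.log(`${f.path}: ${f.issue} (${f.detail})`);
```

In a release pipeline, feed it the file set that `npm pack --dry-run` reports and fail the build on any finding.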
