Claude Code完整源码暴露

Odaily Planet Daily, a blockchain news outlet: Blockchain security company Fuzzland intern researcher Chaofan Shou pointed out on X that the npm package of Anthropic’s AI programming tool Claude Code contains the complete source map file (cli.js.map, about 60MB), from which all TypeScript source code can be reconstructed. Verified: the latest version released today, v2.1.88, still includes that file, containing the full code of 1,906 Claude Code proprietary source files, covering implementation details such as internal API design, analytics telemetry systems, cryptographic tools, and inter-process communication protocols.

A source map is a debugging file used in JavaScript development to map minified code back to the original source code, and it should not appear in production release packages. In February 2025, an early version of Claude Code was also exposed for the same issue. At the time, Anthropic removed the old version from npm and deleted the source map. But the problem resurfaced later; on GitHub, multiple public repositories have extracted and organized the restored source code, and ghuntley/claude-code-source-code-deobfuscation has garnered nearly a thousand stars.

What’s leaked is the client implementation code of the Claude Code CLI tool; it does not involve model weights or user data, so it does not pose a direct security risk to ordinary users. However, the continued exposure of the complete source code means the internal architecture, security mechanisms, and telemetry logic are entirely transparent to the outside world.