Over 510,000 lines of TypeScript code, more than 40 utility modules, and several unreleased features of Claude Code were inadvertently disclosed due to an error at the packaging level. The leak did not affect the core model weights of Claude. Industry experts believe this incident will significantly lower the barriers for AI Agent engineering, accelerating the evolution of competition within the developer ecosystem. At the same time, the event has raised questions about Anthropic's security maturity from external observers.
Anthropic has suffered what could be considered the largest-scale code leak in the industry. The full source code of Claude Code was completely exposed to the public due to a basic packaging error. More than 510,000 lines of TypeScript code, over 40 tool modules, and several unreleased core functionalities have now been laid bare to developers worldwide.

This is both an accident and a warning. Although the leak did not involve the core model weights or user data of Claude, it fully exposed the internal architectural logic, system prompt design, and tool invocation mechanisms of Claude Code, while also revealing several unreleased features and potential security logic to the public.
Industry insiders believe this incident will significantly lower the knowledge barrier for AI Agent engineering, accelerating competition and evolution within the developer ecosystem.
Notably, this is not the first time Anthropic has made such a mistake. In February 2025, an early version of Claude Code was exposed due to a similar oversight involving source maps. This latest leak has raised further questions about the software supply chain security maturity of this high-profile AI company, which is valued at over $18 billion.

A .map file triggered the exposure of 510,000 lines of code.
Chaofan Shou, a researcher at blockchain security company Fuzzland, was the first to disclose this incident on X. The official npm package @anthropic-ai/claude-code version 2.1.88 inadvertently included a cli.js.map file approximately 60MB in size.
Within the cli.js.map file, there are two critical arrays: sources (a list of file paths) and sourcesContent (the corresponding full source code). These two are indexed one-to-one. This means that anyone who downloads this JSON file can extract all the original code with minimal effort.

Analysis shows that the source map file contains content from a total of 4,756 source files, including 1,906 TypeScript/TSX source files from Claude Code itself and 2,850 node_modules dependencies. The overall code volume exceeds 512,000 lines.
Within hours of the incident being exposed, the number of stars on mirrored repositories on GitHub surged past 5,000. Anthropic has since removed the source map from the npm package. However, earlier versions of the npm package have been archived by multiple parties, and related content continues to circulate within the developer community.

Full architecture exposed for the first time.
The restored source code provides the most comprehensive view of the Claude Code architecture to date.
The code reveals that Claude Code uses the React and Ink frameworks to build a terminal interface, runs on the Bun runtime, and has a core REPL loop that supports natural language input and slash commands. Underlying interactions are handled through a tool system and LLM API.
At the tool level, the code includes more than 40 independent modules covering file read/write operations, Bash command execution, LSP protocol integration, and sub-agent generation capabilities, forming a fully functional 'universal toolbox.'
At the reasoning level, a core file named QueryEngine.ts contains as many as 46,000 lines of code, handling all inference logic processing, token counting, and 'chain of thought' loops.
At the multi-agent level, the leaked code includes a coordinator (multi-agent coordinator) module and a bridge module, which connects mainstream IDEs such as VS Code and JetBrains, showing that Claude Code has the engineering capability for multi-machine collaboration and deep integration into development environments.

Unreleased features unexpectedly revealed
Among the revelations in this leak, the most notable may be several features that have never been publicly released.
A mode codenamed Kairos is the most eye-catching. The code shows that it is an autonomous daemon with a persistent lifecycle, supporting background sessions and memory integration, meaning Claude can function as a resident AI agent in the background, continuously processing tasks and accumulating understanding of projects.
Additionally, a "Buddy System" virtual pet system is embedded in the code, including 18 species, rarity levels, shiny variants, and attribute statistics. The design clearly reflects the playful spirit of Anthropic engineers and coexists alongside the core architecture in the codebase.
At the mode design level, the code also reveals 'Coordinator Mode,' allowing Claude to schedule subordinate agents running in parallel, and 'Auto Mode,' an AI classifier capable of automatically approving tool permissions, aimed at simplifying operational confirmation processes.
Furthermore, a feature named 'Undercover Mode' has sparked controversy. According to the code description, this mode is automatically activated when Anthropic employees operate in public repositories; it erases AI-related traces from submission records and cannot be manually disabled.

Security Risks and Supply Chain Warnings
Security researchers pointed out that although this leak did not directly involve model weights or user privacy data, the potential risks should not be ignored.
According to reports, the leaked content fully exposed the internal security logic and may reveal attack vectors such as Server-Side Request Forgery (SSRF), providing an entry point for subsequent security research. The open-source community has begun exploring forked versions based on the leaked code and attempting to integrate it with other proxy frameworks.
In terms of industry context, npm is the largest JavaScript package repository globally, handling millions of downloads daily. Such packaging errors remind enterprises that while pursuing rapid release cycles, it is essential to strengthen source file review mechanisms within CI/CD pipelines.
A direct warning to all developers publishing npm packages is: always check whether .map files are included in the release before publishing. A single sourcesContent field can expose the complete source code to the public.
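The pre-publish check recommended above, built on the one-to-one pairing of sources and sourcesContent described earlier, as an added example that is not from the original article or from Anthropic. The function names, the file-list shape and the sample package are assumptions constructed for illustration; in a pipeline the file list would come from the tarball that npm pack produces.

```javascript
// Added example (not Anthropic's code): audit the files of a package tarball for
// source maps that embed original source. All sample data is constructed.

// Summarise what one source map (JSON text) would disclose if published.
function auditSourceMap(mapText) {
  let map;
  try { map = JSON.parse(mapText); } catch { map = null; }
  if (map === null || typeof map !== 'object') return { valid: false, embedded: [] };
  // Index maps nest ordinary maps under sections[].map; treat each as a part.
  const parts = Array.isArray(map.sections) ? map.sections.map(s => (s && s.map) || {}) : [map];
  const embedded = [];
  for (const part of parts) {
    const sources = Array.isArray(part.sources) ? part.sources : [];
    const contents = Array.isArray(part.sourcesContent) ? part.sourcesContent : [];
    sources.forEach((path, i) => {
      const text = contents[i]; // sourcesContent[i] is the full text of sources[i]
      if (typeof text !== 'string' || text.length === 0) return; // null: not embedded
      embedded.push({ path, lines: text.split('\n').length,
        thirdParty: /(^|\/)node_modules\//.test(path) });
    });
  }
  return { valid: true, embedded };
}

// Release gate. files is [{ path, text }] for everything that would ship.
function auditPackageFiles(files) {
  const findings = [];
  for (const f of files) {
    if (!f.path.endsWith('.map')) continue;
    const { valid, embedded } = auditSourceMap(f.text);
    const own = embedded.filter(e => !e.thirdParty);
    findings.push({ file: f.path, valid, embeddedSources: embedded.length,
      firstPartySources: own.length,
      firstPartyLines: own.reduce((n, e) => n + e.lines, 0) });
  }
  // Fail closed: block on embedded source or on a map that cannot be parsed.
  return { blocked: findings.some(x => !x.valid || x.embeddedSources > 0), findings };
}

// Constructed sample package: a bundle and a map with two embedded sources.
const SAMPLE_FILES = [
  { path: 'package.json', text: '{"name":"demo","version":"1.0.0"}' },
  { path: 'cli.js', text: 'console.log(1);\n//# sourceMappingURL=cli.js.map' },
  { path: 'cli.js.map', text: JSON.stringify({
    version: 3, file: 'cli.js', mappings: 'AAAA',
    sources: ['../src/main.ts', '../node_modules/dep/index.js', '../src/gen.ts'],
    sourcesContent: ['export const a = 1;\nexport const b = 2;', 'module.exports = {};', null],
  }) },
];
console.log(JSON.stringify(auditPackageFiles(SAMPLE_FILES), null, 2));
```

A map whose sourcesContent is absent or all null passes the gate, because it carries only paths and mappings, not the source text itself.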

The Agent Ecosystem May Reach an Acceleration Turning Point
From the perspective of industrial impact, the significance of this incident may go beyond being merely a technical accident.
The unexpected disclosure of the complete engineering implementation plan for a top-tier AI Agent will significantly lower knowledge barriers in this field. Developers can directly refer to Claude Code’s architectural design, prompt logic, and tool invocation mechanisms for learning and reference, shortening the exploration period for independent research and development.
Meanwhile, this incident also inadvertently demonstrates Anthropic's technological accumulation in the direction of Agent engineering: both the multi-agent coordination mechanism and the design of persistent background daemon processes showcase engineering depth surpassing similar products.
Claude Code, as an extension tool within the Anthropic ecosystem, primarily targets professional developers and competes with AI coding assistants such as GitHub Copilot and Cursor. The industry is closely watching whether the exposure of its source code will, under intensifying competitive pressure, in turn accelerate collective innovation in AI Agent architecture, and how Anthropic will respond.
Editor/Liam
