Claude Code source code leaked to NPM via accidentally published map file
Mar 31, 2026
Key Points
- Anthropic accidentally published Claude Code's source code to NPM via a .map debug file, exposing internal code names, roadmap features, and an 'undercover mode' designed to hide Claude Code's involvement in projects.
- The leak underscores a widespread developer vulnerability: .map files act as blueprints to entire codebases, and NPM's scale means even brief exposure reaches thousands of machines before removal.
- Anthropic dogfoods Claude Code internally with 100% of recent contributions written by Claude Code itself, creating sharp irony around a security-focused AI company's tool leaking its own source.
Summary
Anthropic's Claude Code source code leaked to NPM after the company accidentally published a .map file during a production build. Map files are compiler-generated debug artifacts that map minified code back to its original source. The file was published directly to the NPM registry and remained accessible for download until removed.
The leak exposed internal code names (Capybara, Numbat, Fennec), roadmap features, and an "undercover mode" feature designed to let Claude Code contribute to projects without disclosing its involvement. An April Fools joke planned by Anthropic was also spoiled by the early leak.
Map files act as blueprints to entire codebases. Publishing one to a public registry amounts to uploading floor plans while locking every door. NPM packages download at massive scale, so even a brief window of exposure reaches thousands of machines. The Axios HTTP client alone draws 300 million weekly downloads. In this case, the source code remained available long enough for security researchers and others to capture and redistribute it across social media.
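A pre-publish check for the exposure described above, as an added example that is not Anthropic's or npm's code: it flags standalone .map files, inline base64 source maps, and references to external maps, and lists which original sources a map embeds in full. The function names, the `{ path, content }` input shape, and the sample files are assumptions constructed for illustration.

```javascript
// Added example: audit the files that would ship in a package for source maps.
// The { path, content } input shape and all sample data are constructed.
// Parse Source Map v3 JSON; report which sources carry their full original text.
function inspectSourceMap(text) {
  let map;
  try { map = JSON.parse(text); } catch { return null; }
  if (!map || !Array.isArray(map.sources)) return null;
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  // sourcesContent[i], when a string, is the complete original text of sources[i].
  return map.sources.filter((_, i) => typeof contents[i] === 'string');
}

const INLINE_MAP = /[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+/=]+)/;
const LINKED_MAP = /[#@]\s*sourceMappingURL=(?!data:)(\S+)/;

function auditPackedFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      findings.push({ path, kind: 'map-file', embedded: inspectSourceMap(content) || [] });
      continue;
    }
    if (!/\.([cm]?js|css)$/.test(path)) continue;
    const inline = content.match(INLINE_MAP);
    const linked = content.match(LINKED_MAP);
    if (inline) {
      const decoded = Buffer.from(inline[1], 'base64').toString('utf8');
      findings.push({ path, kind: 'inline-map', embedded: inspectSourceMap(decoded) || [] });
    } else if (linked) {
      findings.push({ path, kind: 'map-reference', target: linked[1] });
    }
  }
  return findings;
}

// Constructed sample: a bundle linking to a map, the map itself, a bundle with an inline map.
const sampleMap = JSON.stringify({
  version: 3, file: 'cli.js', mappings: 'AAAA',
  sources: ['../src/main.ts', '../src/util.ts'],
  sourcesContent: ['export const run = () => 1;\n', null],
});
const inlineUrl = 'data:application/json;charset=utf-8;base64,' + Buffer.from(sampleMap).toString('base64');
const sampleFiles = [
  { path: 'dist/cli.js', content: 'var a=()=>1;\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'dist/cli.js.map', content: sampleMap },
  { path: 'dist/lib.mjs', content: 'export{};\n//# sourceMappingURL=' + inlineUrl + '\n' },
  { path: 'README.md', content: '# constructed' },
];
console.log(auditPackedFiles(sampleFiles));
```

In a release pipeline the file list would come from the packed tarball or from `npm pack --dry-run --json`, with the job failing on any finding.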
Whether the leak materially damages Anthropic's business remains unclear. Claude Code is open source, and source code alone does not constitute the full competitive advantage. Process, training, and ongoing development matter more. However, the leak does hurt brand trust around code security at a moment when developers are already on edge following the Axios supply chain attack hours earlier, in which malware poisoned the npm registry and reached 100 million weekly downloads in under seven minutes.
Anthropic is dogfooding Claude Code internally, with 100% of recent contributions to the Claude Code project written by Claude Code itself. The irony cuts sharp: a security-focused AI company's tool for secure code generation leaked its own source code.