Anthropic's Claude Code command line interface source code has leaked online after a packaging error in a recent release. The incident exposed over 512,000 lines of code from nearly 2,000 TypeScript files. The company described it as human error with no sensitive data involved.
Anthropic released version 2.1.88 of its Claude Code npm package on March 31, 2026. The package inadvertently included a source map file, granting access to the full codebase. Security researcher Chaofan Shou first highlighted the issue on X, sharing a link to an archive of the files. The code soon appeared in a public GitHub repository, which has been forked tens of thousands of times since then. No customer data or credentials were exposed, according to Anthropic officials, who called it a release packaging issue caused by human error, not a security breach. The company stated: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.” Developers quickly began analyzing the leaked code. For instance, one overview detailed Claude Code’s memory architecture, including background memory rewriting and validation steps. Another analysis noted around 40,000 lines for a plugin-like tool system and 46,000 for the query system, describing it as a sophisticated, production-grade developer tool beyond a simple API wrapper. Prior community efforts had partially reverse-engineered Claude Code, but this leak provides unprecedented completeness. The exposure offers competitors insights into Anthropic’s architecture and potential vulnerabilities in its guardrails.
