AI Primer
update

Claude Code leaks 512k TypeScript lines in an npm source map

A March source-map exposure pointed to about 512,000 Claude Code TypeScript lines across 1,900 files, and Hacker News resurfaced the leak this week. The exposed artifacts revealed feature flags, anti-distillation logic, and internal CLI behavior.


TL;DR

  • The main HN page says Claude Code v2.1.88 shipped with a cli.js.map that pointed to roughly 512,000 unobfuscated TypeScript lines across about 1,900 files, and the npm package page still shows that version as deprecated.
  • Anthropic told BleepingComputer the exposure came from “a release packaging issue caused by human error,” while the HN discussion digest focused on what the leak exposed inside the CLI.
  • According to the HN discussion digest, one of the clearest internal mechanisms was ANTI_DISTILLATION_CC, which commenters described as injecting fake tool definitions into API requests.
  • Alex Kim’s teardown and Layer5’s inventory both surfaced unreleased feature names including KAIROS and Buddy, alongside logging and prompt-behavior details that would normally stay buried in a closed CLI.

You can check the still-live deprecated npm version page, read Anthropic’s quoted packaging-error statement, browse Alex Kim’s code-level notes, and dig through a second HN thread on undercover mode. The weird bits showed up fast: fake tools meant to poison scraping, a regex for frustrated prompts, and an unreleased daemon mode that reads like always-on agent Christmas.

Source map and package status

Anthropic Claude Code CLI Source Code Exposed via npm Source Map

On March 31, 2026, Chaofan Shou (@Fried_rice) reported that the full source code for Anthropic's Claude Code CLI was exposed due to a source map file included in their npm registry package. This file provided a path to an R2 storage bucket containing the complete, unobfuscated TypeScript source code (approximately 512,000 lines across 1,900 files). The leak revealed internal details, including unreleased feature flags such as 'Kairos' and a 'Buddy' system. Anthropic subsequently removed the source map and deprecated the affected npm package versions.

The core leak was simple. As the main HN page described it, Claude Code v2.1.88 included a source map file that exposed the unobfuscated CLI source, and the npm page for 2.1.88 now labels that version “deprecated” with the author message “Unpublished.”

Anthropic’s public line, quoted by BleepingComputer, was that “no sensitive customer data or credentials were involved or exposed” and that the release was “a packaging issue caused by human error.” A user report in anthropics/claude-code issue #41497 says the yanked version was removed from the registry, but anyone who already had the package could still extract the source from cli.js.map.

Fake tools and prompt logging

Discussion around “Claude Code's source code has been leaked via a map file in their NPM registry”

Thread discussion highlights:

  • foob on npm deprecation vs unpublish: Anthropic deprecated the package with a message of “Unpublished” rather than actually unpublishing it, which suggests they were trying to make the source map harder to retrieve.
  • mohsen1 on codebase complexity: One commenter singled out `src/cli/print.ts` as an extreme maintenance hotspot: thousands of lines, deep nesting, hundreds of branches, and many responsibilities packed into one function.
  • cedws on anti-distillation defense: The leak exposed `ANTI_DISTILLATION_CC`, described as a mechanism that injects `fake_tools` into API requests to poison model-scraping attempts.

The most memorable internal defense was anti-distillation. According to the HN discussion digest, commenters found an ANTI_DISTILLATION_CC path that injects fake_tools into API requests, and Alex Kim’s teardown says that behavior was gated behind a GrowthBook flag named tengu_anti_distill_fake_tool_injection.

The same HN digest says commenters also found a regex that detects negative sentiment in user prompts and logs those prompts as explicit content. That detail came from the HN core summary, which bundled it with the broader leak take: this was a production build artifact exposing not just code, but internal policy and telemetry choices.

Hidden modes

Claude Code's source code has been leaked via a map file in their NPM registry

The practical signal is about how an AI CLI is built and shipped: source maps exposing production source, a possible Bun-related packaging issue, the internal anti-distillation approach, and the scale/complexity of the CLI implementation. If you build AI developer tools, this is a concrete reminder to audit build artifacts, release pipelines, and any code paths that can leak prompts, feature flags, or model-protection logic.

The leak also surfaced unreleased feature names. As the main HN page notes, early reports pointed to KAIROS and a Buddy system, and Layer5’s inventory describes KAIROS as an always-on daemon mode with periodic prompts, append-only daily logs, GitHub webhook subscriptions, and a background memory process called autoDream.

A separate HN follow-up thread pulled out prompt text for an “undercover mode” that told Claude not to mention “Claude Code,” not to identify itself as an AI, and not to add co-author attribution in commits or PRs. That is a different class of reveal than the packaging mistake itself: not source access, but the product behaviors and norms the shipped CLI was already carrying around under the hood.
