Claude Code's Entire Source Code Leaked via npm Source Map — Security Researcher Exposes 60MB .map File
It happened again — and this time the exposure was massive. On March 31, 2026, security researcher Chaofan Shou (@shoucccc) discovered that Anthropic’s Claude Code CLI had inadvertently published its entire source code inside a 60MB source map file (cli.js.map) bundled within its npm package. Within hours, the community had mirrored the code, opened GitHub repos cataloguing the exposure, and the story had broken across cybersecurity news outlets worldwide. This is reportedly the second time in a year that Claude Code’s source has leaked through the same vector. ...