  • Inside the Black Box: Analyzing the Claude Code Source Leak

    In the world of proprietary AI, source code is the “secret sauce.” It’s guarded by layers of security, legal teams, and non-disclosure agreements. But on March 31, 2026, that vault swung wide open—not because of a sophisticated state-sponsored hack, but because of a single missing line in a configuration file.

    As a researcher, I’ve spent the last few days digging through the 512,000 lines of TypeScript that make up Anthropic’s Claude Code. Here is what happened, how it was used, and what it means for the future of AI security.

    The “How”: A Billion-Dollar Typo

    The leak wasn’t a breach in the traditional sense. It was a supply chain oversight. When Anthropic pushed version 2.1.88 of Claude Code to npm, they included a cli.js.map file. For those unfamiliar, source maps are like “answer keys” that help developers debug minified code by linking it back to the original, readable source. They are never supposed to leave the development environment.

    Inside that 59.8MB file was a URL pointing to an unauthenticated Cloudflare R2 bucket. Anyone who clicked that link downloaded the entire, unobfuscated source code of Claude Code. The root cause? A missing *.map entry in the .npmignore file, compounded by a known bug in the Bun runtime that generates these maps even in “production” mode.
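    A pre-publish check can catch the failure described above, where a .map file is packed into the published tarball and carries a URL. The following is an added example, not Anthropic's code or tooling; the function names, rule names and sample package are constructed for illustration.

```javascript
// Added example: audit the files an npm tarball would contain for source-map leaks.
// `entries` is [{ path, content }]; all names and sample data here are constructed.
const URL_RE = /https?:\/\/[^\s"'\\]+/g;
const MAP_REF_RE = /\/[/*]#\s*sourceMappingURL=(\S+)/;

function auditEntry({ path, content }) {
  const findings = [];
  if (path.endsWith(".map")) {
    // Any shipped map is a finding on its own, whatever it contains.
    findings.push({ path, rule: "map-file-shipped" });
    let map = null;
    try { map = JSON.parse(content); } catch { findings.push({ path, rule: "map-unparseable" }); }
    // sourcesContent carries the original, unminified source inline.
    if (map && Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean)) {
      findings.push({ path, rule: "map-embeds-original-source" });
    }
    // URLs inside a map can point at storage that hosts the original source.
    for (const url of new Set(content.match(URL_RE) || [])) {
      findings.push({ path, rule: "map-references-url", detail: url });
    }
  } else if (/\.(c|m)?js$/.test(path)) {
    // A bundle that still names its map tells readers where to look for it.
    const ref = content.match(MAP_REF_RE);
    if (ref) findings.push({ path, rule: "js-points-to-map", detail: ref[1] });
  }
  return findings;
}

function auditPackage(entries) {
  return entries.flatMap(auditEntry);
}

// Constructed sample: a minified bundle plus a map that should not have been packed.
const samplePackage = [
  { path: "package.json", content: '{"name":"example-cli","version":"0.0.0"}' },
  { path: "cli.js", content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map' },
  { path: "cli.js.map", content: JSON.stringify({
      version: 3, file: "cli.js", sources: ["src/main.ts"],
      sourcesContent: ['export const greet = () => console.log("hi");'],
      sourceRoot: "https://bucket.example.invalid/src/", mappings: "AAAA" }) },
];

const findings = auditPackage(samplePackage);
for (const f of findings) console.log(`${f.rule}\t${f.path}\t${f.detail || ""}`);
// A CI gate would exit non-zero when findings.length > 0.
```

    In a pipeline, the entries would be read from disk using the file list that `npm pack --dry-run --json` reports, so the check sees exactly what would be published.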

    The “What”: What Was Actually Leaked?

    Having access to the source code is like being handed the blueprints to a fortress. My analysis of the repository reveals several key areas of interest:

    • Internal Tooling: The leak exposed Anthropic’s internal “Trellis” and “Forge” systems, giving competitors a look at how they handle massive-scale code refactoring and testing.
    • Hidden Features: Buried in the code were references to “Starling” configurations and “Casino” modules, hinting at experimental features for agent-based betting or high-risk autonomous tasks that haven’t been publicly announced.
    • Security Logic: Perhaps most critically, the leak revealed the exact logic Claude uses to sanitize inputs and prevent “prompt injection.” Security researchers can now study these guardrails to find potential bypasses.

    How the Leaked Code Is Being Used

    Since the discovery by researcher Chaofan Shou, the code has spread across the internet faster than Anthropic’s legal team could issue DMCA takedowns. Here is how different groups are leveraging it:

    1. Competitor Benchmarking: Other AI labs could use the code to understand Anthropic’s architectural choices, specifically how they manage context windows and agent “memory” during long coding sessions.
    2. Security Auditing: White-hat hackers could currently be scanning the code for vulnerabilities. If a flaw exists in how Claude handles file permissions or terminal access, it’s now visible to the world.
    3. Community Forks: Developers are already working on “de-Anthropized” versions of the CLI, stripping out the API keys and cloud dependencies to create a local, open-source alternative.

    Final Thoughts

    This incident serves as a stark reminder that in the age of AI, “security through obscurity” is a failing strategy. While Anthropic has since patched the npm package and scrubbed the R2 bucket, the code is out there. For researchers and developers, it’s a rare glimpse behind the curtain at how the industry’s most powerful coding agents are actually built.

    Have you looked through the leaked code? Did you find any interesting “Easter eggs” or hidden modules? Let’s discuss in the comments.