Open Source

Claude code source code has been leaked via a map file in their npm registry

A map file in Anthropic's npm registry accidentally exposed Claude's source code structure and logic.

Deep Dive

A significant security oversight has exposed parts of the internal source code for Anthropic's Claude AI model. Security researcher Chaofan Shou discovered that a source map file (`.map`) published to the public npm registry for the `@anthropic-ai/sdk` package contained detailed, readable source code. Source maps are typically debugging files that link minified production code back to the original source, but in this case, the map file itself was not minified and contained the actual original TypeScript source code for the SDK.

This leak exposed the internal module structure, function names, and logical flow of the code used to interact with the Claude API. While not the core model weights or training code, it reveals the architecture of the client-side integration, including how requests are structured and processed. The exposed code could allow competitors to reverse-engineer implementation details or help malicious actors identify potential attack vectors in the API interaction layer. Anthropic has since removed the problematic file from the npm registry.

Key Points
  • Source code leaked via an unminified `.map` file in the public `@anthropic-ai/sdk` npm package.
  • Exposed internal TypeScript source revealing module structure and API client logic, not the core AI model.
  • Highlights deployment pipeline security risks for AI companies handling proprietary code.

Why It Matters

This leak underscores the critical need for secure CI/CD and publishing pipelines in the competitive AI industry.
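
A pre-publish check for the failure described above, as an added example (not code from the original page or from Anthropic): it flags any source map in a package's file set that still carries original source text in the Source Map v3 `sourcesContent` field. It goes slightly beyond the case in the article by also covering inline `data:` source maps and index maps with `sections`; the function names and the sample package contents are hypothetical and constructed for illustration.

```javascript
// Added example: `files` maps a path inside the package to its text content.
// Collect embedded originals from a Source Map v3 object, including index maps ("sections").
function embeddedSources(map) {
  const found = [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  contents.forEach((text, i) => {
    if (typeof text === "string" && text) found.push(map.sources?.[i] ?? `<source #${i}>`);
  });
  for (const section of Array.isArray(map.sections) ? map.sections : []) {
    if (section && section.map) found.push(...embeddedSources(section.map));
  }
  return found;
}

// Matches a source map embedded in a JS file as a base64 data URL.
const INLINE_MAP = /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+\/=]+)/;

function auditPackageFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    let json = null;
    if (path.endsWith(".map")) {
      json = content;
    } else {
      const m = INLINE_MAP.exec(content);
      if (m) json = Buffer.from(m[1], "base64").toString("utf8");
    }
    if (json === null) continue;
    try {
      const sources = embeddedSources(JSON.parse(json));
      if (sources.length > 0) findings.push({ path, issue: "embedded-sources", sources });
    } catch (err) {
      // Fail closed: an unreadable map cannot be shown to be free of source text.
      findings.push({ path, issue: "unparseable-map", sources: [] });
    }
  }
  return findings;
}

// Constructed sample package contents (hypothetical names, not taken from any real package).
const sampleMap = { version: 3, file: "client.js", sources: ["../src/client.ts"],
  sourcesContent: ["export const buildRequest = (body: object) => JSON.stringify(body);"], mappings: "AAAA" };
const samplePackage = {
  "dist/client.js": "export const buildRequest=b=>JSON.stringify(b);\n//# sourceMappingURL=client.js.map",
  "dist/client.js.map": JSON.stringify(sampleMap),
  "dist/stripped.js.map": JSON.stringify({ version: 3, sources: ["../src/util.ts"], mappings: "AAAA" }),
  "dist/inline.js": "var a=1;\n//# sourceMappingURL=data:application/json;base64," +
    Buffer.from(JSON.stringify(sampleMap)).toString("base64"),
  "dist/broken.js.map": "{not json",
};
```

In a publishing pipeline the `files` object would be built from the contents of the tarball about to be published, and a non-empty result from `auditPackageFiles` would fail the job before the publish step runs.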