Claude Code's Source Code Leaked Through an npm Source Map. Here's What's Actually Inside.
Security researcher Chaofan Shou (@fried_rice) discovered that Anthropic shipped a .map file in their npm package for Claude Code. That map file pointed to a public Cloudflare R2 bucket containing the full source as a zip. 7,700 likes. 1,000+ retweets. And within hours, the entire codebase was mirrored on multiple GitHub repositories.
This is not speculation. People are reading the code right now, combing through it with their own AI agents, and posting findings. I went through the community discussion and the published repos to pull together what is actually in there.
The Numbers
The leaked codebase contains roughly 1,900 files and 512,000+ lines of TypeScript. It is built on Bun with a React + Ink terminal UI. The main entrypoint is src/main.tsx using Commander.js. The core engine lives in QueryEngine.ts at around 46,000 lines. Tool definitions span another 29,000 lines in Tool.ts.
| Component | Details |
|---|---|
| Runtime | Bun + React/Ink terminal UI |
| Slash commands | ~50 implementations in commands/ |
| Agent tools | ~40 modules in tools/ |
| UI components | ~140 React/Ink components |
| Schema validation | Zod |
| Feature flags | GrowthBook |
| Services | OAuth, MCP, LSP integration |
There is also a coordinator/ directory for multi-agent orchestration, a vim/ directory for editor integration, a bridge/ for IDE extension communication, and directories for plugins/, skills/, voice/, remote/, server/, tasks/, and memdir/.
Sentiment Detection via Regex
One of the first things people noticed: Claude Code uses a regex-based system for detecting negative sentiment in user prompts. Not an LLM call. A regex. As someone on Hacker News put it: "An LLM company using regexes for sentiment analysis? That's like a truck company using horses."
The counterargument is fair. Running an LLM call to detect sentiment on every user input would be slow and expensive. A regex is instant and costs nothing. It flags potentially frustrated users so the system can adjust its responses or log the interaction. Practical engineering over elegant engineering.
But it does reveal something about how these tools work internally. Not everything is "AI all the way down." A lot of the real product logic is traditional code making quick, cheap decisions before the expensive model calls happen.
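To make the trade-off concrete, here is the shape of such a gate in JavaScript. This is an added example, not the regex from the leaked source (the page does not reproduce it): the phrase list, the negation guard, the 40-character look-behind window and the `routePrompt` stub are all assumptions chosen for illustration.

```javascript
// Added example, not the regex from the leaked source: a cheap keyword gate
// that runs before any model call. The phrase list, the negation guard and
// the 40-character look-behind window are assumptions chosen for illustration.

const FRUSTRATION_PHRASES = [
  "this is broken", "doesn't work", "does not work", "still wrong",
  "useless", "frustrat", "wtf", "why won't", "stop doing",
];

// Escape each phrase so it is matched literally, then fold all of them into
// one alternation. A leading word boundary means a phrase must start at a
// word start; there is no trailing boundary, so "frustrat" also catches
// "frustrated" and "frustrating".
const escape = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
const FRUSTRATION_RE = new RegExp(
  "\\b(?:" + FRUSTRATION_PHRASES.map(escape).join("|") + ")",
  "gi",
);

// A negator within the last couple of words cancels the hit, so
// "this is not useless" is not flagged.
const NEGATED_BEFORE = /\b(?:not|isn't|wasn't|never|no longer)\W+(?:\w+\W+){0,2}$/i;

function flagFrustration(text) {
  const hits = [];
  for (const m of text.matchAll(FRUSTRATION_RE)) {
    const before = text.slice(Math.max(0, m.index - 40), m.index);
    if (NEGATED_BEFORE.test(before)) continue;
    hits.push(m[0].toLowerCase());
  }
  return { flagged: hits.length > 0, hits };
}

// Where such a gate sits: decide in microseconds, then pay for the model
// call (passed in, stubbed in the usage below) with the tone already chosen.
function routePrompt(text, callModel) {
  const verdict = flagFrustration(text);
  return callModel(text, { tone: verdict.flagged ? "apologetic" : "neutral" });
}

// Usage with a stub model: prints "apologetic".
console.log(routePrompt("This is broken again", (_t, opts) => opts.tone));
```

The same block shows the caveat: a keyword gate is as brittle as it is cheap. "br0ken" or "d0esn't" sails straight past it, and the negation guard only looks a couple of words back, so it is fit for cheap routing and logging, not for anything an adversary is motivated to evade.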
Hidden Features and Product Roadmap
This is where the leak hurts Anthropic most. Feature flags in the code reveal unreleased products:
Kairos (Assistant Mode)
An unreleased feature codenamed "Kairos" appears throughout the codebase. It seems to be a different interaction mode for Claude Code, likely moving from the current task-by-task CLI pattern toward something more persistent. The feature flags suggest it is close to launch but not yet public.
The Buddy System
A Tamagotchi-style companion creature system with ASCII art sprites. You get a virtual pet that lives in your terminal. According to someone who claims insider knowledge, this is the planned April Fool's joke: "you roll your own gacha pet that you get to keep. There are legendary pulls." Anthropic apparently expects it to go viral on Twitter, so they are staggering the reveals.
Undercover Mode
This one raised eyebrows. Undercover mode strips all Anthropic internal information from commits and pull requests for employees using Claude Code on external repos. That part is reasonable. But the code also contains logic to make Claude Code pretend to be human when operating in this mode. One researcher posted the specific file: src/utils/undercover.ts. The Hacker News consensus was not kind. "Vile" was the word used.
Capybara References
The code contains references to a "Capybara" release, which lines up with the Claude Mythos / Capybara leak I covered earlier. This is the rumored model tier above Opus.
Code Quality: "Vibe Coded to the Bone"
The community's assessment of the actual code quality was mixed, leaning negative. Several patterns showed up repeatedly:
- Random global state access. Code throughout the codebase reaches into process.argv and process.env directly, creating implicit untyped global state instead of passing configuration through proper channels.
- Nested conditional soup. Files like useCanUseTool.tsx and useTypeahead.tsx were called out for extremely deep nesting of if statements.
- Duplicate implementations. Multiple ad-hoc implementations of hash functions and PRNGs scattered across the codebase instead of shared utilities.
- Cost tracking module. A cost-tracker.ts suggests detailed internal monitoring of API token usage per session.
The team has been open about the fact that Claude Code was largely built using Claude itself. Multiple people in the HN thread noted it "feels vibe coded" when using it. The source appears to confirm that impression. As one commenter put it: "It does what it's generally supposed to do, it has users. Two things that matter at this day and age."
The System Prompt
The full system prompt used by Claude Code is in the source, reportedly in src/constants. This is the part that competitors, researchers, and prompt engineers will study most closely. It defines how Claude Code handles tasks, manages tool permissions, decides when to ask for confirmation, and structures its responses. For Anthropic, this is genuine intellectual property. For the rest of us, it is a masterclass in production prompt engineering at scale.
How This Happened
Source maps exist to help with debugging. When you bundle TypeScript into JavaScript, the output is a single transpiled (often minified) file that bears little resemblance to what you wrote. A .map file records, for every position in the bundle, the original file and line, and, if sourcesContent is enabled, the original text itself, so debuggers can show you real file names and line numbers.
The problem: if you publish an npm package with the map file inside it, you publish whatever the map carries or points to. In Claude Code's case, the map referenced a URL on a public Cloudflare R2 bucket, and the full source was sitting there as a zip, accessible to anyone who followed the link.
This happens more often than you would think. Build configs turn source maps on for local debugging and nobody turns them off for the release build. npm publishes everything in the package directory that is not excluded by .gitignore, .npmignore or a "files" whitelist, so whatever the bundler wrote into dist/ goes out in the tarball. Few people run npm pack --dry-run to check what is actually in it.
Preventing This in Your Own Packages
If you ship npm packages, use a "files" whitelist in your package.json so that only what you list goes into the tarball:
{
"files": [
"dist/**/*.js",
"dist/**/*.d.ts",
"!dist/**/*.map"
]
}
The positive patterns already leave .map files out; the negated entry is a second line of defence, and whether npm honours negation inside "files" depends on the npm version, so verify with npm pack rather than trusting the config.
Disable source maps in production builds entirely. esbuild emits none unless you pass --sourcemap, so either leave the flag out of the release build or set it off explicitly; in tsconfig.json, turn off all three map-producing options, since declarationMap writes .d.ts.map files that carry your source paths too:
# esbuild
esbuild --bundle --sourcemap=false
# tsconfig.json
{ "compilerOptions": { "sourceMap": false, "inlineSourceMap": false, "declarationMap": false } }
And add a check to your CI pipeline. Note the if form: a bare npm pack ... | grep -q && exit 1 chain returns grep's non-zero status on the clean case (nothing matched), which fails the build exactly when there is nothing wrong.
if npm pack --dry-run 2>&1 | grep -q '\.map'; then
echo "ERROR: source maps in package" >&2
exit 1
fi
Also check for //# sourceMappingURL= comments in your output files. Even with no .map in the tarball, that comment can point to a remotely hosted map, and an inline map (a data: URI) embeds the whole thing in the .js itself; a map with sourcesContent carries your original source verbatim, and one without it still lists every source path. And if you host source maps for error monitoring (Sentry, Datadog), upload them to the monitoring service rather than serving them from a public bucket, or make sure the bucket requires authentication.
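The grep above is a coarse check. The following is an added example, not Anthropic's release tooling, of a finer audit you can run on the extracted tarball: it classifies every sourceMappingURL comment (inline, remote, relative), inspects any shipped .map for sourcesContent, and gates publishing on the result. The `files` shape ({path, content}), the function names and the sample tarball contents are all constructed for this demo.

```javascript
// Added example, not Anthropic's release tooling: audit the files an npm
// tarball would ship for anything that leaks original source. `files` is the
// {path, content} list you would build by extracting the tarball from
// `npm pack`; the sample entries below are constructed for this demo.

const SOURCEMAP_COMMENT_RE = /(?:\/\/|\/\*)\s*#\s*sourceMappingURL=([^\s*]+)/g;

// Every sourceMappingURL comment in a built file, classified by where it points.
function findSourceMapRefs(jsText) {
  const refs = [];
  for (const m of jsText.matchAll(SOURCEMAP_COMMENT_RE)) {
    const url = m[1];
    const kind = url.startsWith("data:") ? "inline"      // whole map embedded in the .js
      : /^https?:\/\//i.test(url)        ? "remote"      // a host you must lock down
      : "relative";                                      // a .map expected next to the file
    refs.push({ url, kind });
  }
  return refs;
}

// A map with sourcesContent carries the original files verbatim; even without
// it, `sources` still hands out the repository layout.
function inspectSourceMap(mapJson) {
  const map = JSON.parse(mapJson);
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const embedsSource = Array.isArray(map.sourcesContent) &&
    map.sourcesContent.some((s) => typeof s === "string" && s.length > 0);
  return { sourceCount: sources.length, embedsSource, sources };
}

// Resolve "cli.js.map" relative to "dist/cli.js" -> "dist/cli.js.map".
// Handles the plain relative refs bundlers emit, not ".." traversal.
function resolveRelative(fromPath, rel) {
  const slash = fromPath.lastIndexOf("/");
  const dir = slash === -1 ? "" : fromPath.slice(0, slash + 1);
  return dir + rel.replace(/^\.\//, "");
}

function auditPackage(files) {
  const shipped = new Set(files.map((f) => f.path));
  const findings = [];
  for (const f of files) {
    if (f.path.endsWith(".map")) {
      const info = inspectSourceMap(f.content);
      findings.push({
        path: f.path,
        issue: info.embedsSource ? "map-embeds-source" : "map-lists-source-paths",
        sources: info.sources,
      });
      continue;
    }
    if (!/\.[cm]?js$/.test(f.path)) continue;
    for (const ref of findSourceMapRefs(f.content)) {
      const issue =
        ref.kind === "inline" ? "inline-map" :
        ref.kind === "remote" ? "remote-map" :
        shipped.has(resolveRelative(f.path, ref.url)) ? "map-shipped" : "map-ref-dangling";
      findings.push({ path: f.path, issue, url: ref.url });
    }
  }
  return findings;
}

// Returns true only when the tarball is clean; logs each finding for CI output.
function publishGate(files) {
  const findings = auditPackage(files);
  for (const f of findings) {
    console.error(`${f.path}: ${f.issue}${f.url ? " -> " + f.url : ""}`);
  }
  return findings.length === 0;
}

// Constructed sample tarball contents (not real package data).
const SAMPLE_FILES = [
  { path: "package.json", content: '{"name":"example-cli","version":"1.0.0"}' },
  { path: "dist/cli.js", content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  { path: "dist/cli.js.map", content: JSON.stringify({
      version: 3,
      sources: ["../src/cli.ts", "../src/internal/featureFlags.ts"],
      sourcesContent: ["export const main = () => {};", "export const FLAGS = {};"],
      mappings: "AAAA",
    }) },
  { path: "dist/vendor.js", content: '/*# sourceMappingURL=https://assets.example.invalid/maps/vendor.js.map */\n' },
  { path: "dist/inline.js", content: '//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozfQ==\n' },
];
const CLEAN_FILES = [
  { path: "package.json", content: '{"name":"example-cli","version":"1.0.1"}' },
  { path: "dist/cli.js", content: 'console.log("hi");\n' },
];

console.log(publishGate(SAMPLE_FILES) ? "clean" : "source maps or map references found");
```

To run it against a real package, run npm pack, extract the .tgz (everything sits under package/), and build the list by reading each file; npm pack --json also gives you the file list on its own if you only want the path check. The inline case is classified but not decoded here; decoding the base64 data: URI and passing it to inspectSourceMap is a two-line extension.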
What This Means
Claude Code's value comes from the model, not the CLI. Anthropic will pull the map, republish, and move on. But the source is already mirrored across multiple GitHub repos and being studied by thousands of developers.
The real damage is the product roadmap exposure. Competitors now know about Kairos, the Buddy system timing, and the undercover mode implementation details. For a company competing head-to-head with OpenAI's Codex CLI, that is a meaningful information advantage given away for free.
The code quality discussion is also telling. Claude Code generates roughly $1B ARR for Anthropic according to recent reports. It was largely built using its own AI. The source confirms what many users already felt: it works, it ships, and the code is messy. That is either a problem or a vindication of the "ship fast, fix later" approach, depending on where you stand.