Leak Event Timeline

March 31, 2026 - The day Claude Code went "open source"

The Discovery

March 31, 2026

Chaofan Shou, an intern at Solayer (a blockchain infrastructure company), was performing a routine inspection of the Claude Code npm package when he discovered cli.js.map, a 59.8MB source map file.

Within 30 minutes

GitHub mirror repositories accumulated over 5,000 stars. The discovery spread rapidly through social media and developer communities.

Within hours

Multiple analysis repositories exceeded 50,000 total stars. Major Chinese tech media (量子位, 新智元, 36氪) published breaking news.

Technical Cause

This was NOT a hack or data breach. It was a publishing pipeline configuration error:

  • Anthropic's CI/CD pipeline failed to properly configure .npmignore or the files field
  • The Bun bundler's source map included sourcesContent by default
  • All 1,884 TypeScript source files (394,222 lines) were embedded in plain text
  • Even the developers' handwritten comments were preserved

How Source Maps Work

The Source Map v3 specification includes these key fields:

  • sources: Array of original source file paths
  • sourcesContent: Complete original source content (this exposed everything)
  • mappings: Base64 VLQ-encoded position mappings

Community members used standard tools (the source-map npm package, a VLQ decoder) to reconstruct all source files within minutes.
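
A pre-publish check for the failure described above, added here as an example (it is not Anthropic's or any project's own tooling): it scans the tarball produced by npm pack for .map files and lists every source whose text is embedded in sourcesContent. The function names and the sample package are constructed for illustration.

```python
import io
import json
import sys
import tarfile


def embedded_sources(map_obj):
    """Yield (source_path, chars) for every source whose text is embedded."""
    # Index maps nest ordinary maps under sections[].map; recurse into them.
    for section in map_obj.get("sections", []):
        yield from embedded_sources(section.get("map", {}))
    sources = map_obj.get("sources", [])
    for i, text in enumerate(map_obj.get("sourcesContent") or []):
        if text:  # null means the content for that source is not embedded
            yield (sources[i] if i < len(sources) else f"<source #{i}>"), len(text)


def audit_tarball(fileobj):
    """Map each .map file in an npm tarball to its list of embedded sources."""
    findings = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith(".map")):
                continue
            try:
                map_obj = json.load(tar.extractfile(member))
                findings[member.name] = list(embedded_sources(map_obj))
            except (ValueError, AttributeError, TypeError):  # not a JSON source map
                findings[member.name] = [("<unparseable map>", member.size)]
    return findings


def make_sample_tarball():
    """Constructed sample package: one map that embeds one of its two sources."""
    smap = {"version": 3, "mappings": "AAAA", "sources": ["src/main.ts", "src/util.ts"],
            "sourcesContent": ["// internal note\nexport const x = 1;\n", None]}
    files = {"package/cli.js": b"console.log(1)\n",
             "package/cli.js.map": json.dumps(smap).encode()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":  # pass a tarball from `npm pack`, else use the sample
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else make_sample_tarball()
    print(json.dumps(audit_tarball(src), indent=2))
```

Any key in the result means a .map file would ship in the package; a non-empty list under it means original source text would ship with it, so a release job can fail on either condition.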

Media Coverage

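  • 量子位/新智元: "Just now, Claude Code went open source! 510,000 lines of code, and the whole internet is celebrating"
  • 36氪: "Explosive: Claude Code's original source code apparently stripped bare and leaked? Even the developers' handwritten comments are there"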
  • DEV Community: "Claude Code's Entire Source Code Was Just Leaked via npm Source Maps"
⚠️ Important: This is NOT an open source release by Anthropic. Anthropic retains full copyright. The npm package license does NOT grant rights to view, modify, or redistribute source code. This analysis is for educational and research purposes only.