1,902 files. 512,000 lines. A source map nobody excluded from the build.
Anthropic leaked the complete source code of Claude Code — their most advanced coding agent — because they left a 60MB cli.js.map in the production npm package. The file pointed to a public Cloudflare R2 bucket containing the full src/ directory. Anyone could download it as a zip.
It was not an attack. It was not an insider. It was an incomplete .npmignore.
Five days ago we covered how Anthropic leaked Mythos through a misconfigured CMS. Today they did it again. Different system, same pattern: default configuration in production. The company building autonomous cybersecurity tools cannot configure its own builds.
And the worst part: it had already happened. In February 2025, the exact same mistake — source maps in production — was discovered and fixed. Fourteen months later, it came back.
The discovery
Chaofan Shou (@Fried_rice), a researcher at Fuzzland, found that @anthropic-ai/claude-code@2.1.88 included a cli.js.map file of ~60MB. Source maps are debug files containing the complete original source code — unminified TypeScript with comments and readable variable names. They exist for development debugging. They should not be in production.
The tweet had over 11,000 likes and 4 million views within hours. GitHub mirrors are already accumulating thousands of stars.
What leaked
The entire CLI client. Not model weights, not user data, not the LLM core. But the complete architecture of the coding agent Anthropic positions as their flagship product:
- src/tools/ — over 40 tools (Bash, FileEdit, LSP, MCP, WebSearch, ComputerUse)
- src/commands/ — all slash commands (/commit, /doctor, /skills, /review-pr)
- Permission system with ML auto-approve
- Full telemetry (OpenTelemetry + gRPC)
- Feature flags (GrowthBook)
- IDE bridge (VS Code, JetBrains)
- Modular prompt system, multi-agent coordinator, memory management
The code is 100% browsable. Anyone can read how each tool works, how agents are orchestrated, how permissions are managed. One file in particular — src/cli/print.ts — is 3,167 lines with 12 nesting levels and ~486 cyclomatic complexity. Hacker News called it "vibe coded." The architecture of the most advanced coding agent on the market, written like a weekend side project.
What was not announced
The code exposes features gated behind flags that Anthropic had not published:
Kairos — autonomous daemon mode. Monitors user activity, runs background sessions, consolidates memory, and acts without explicit instruction. The proactive agent that decides on its own when to intervene.
AutoDream — memory consolidation sub-agent. Every 24 hours or every 5 sessions it runs a cycle of orient, gather, consolidate, prune. Reads the complete history and reorganizes it to optimize future sessions. The model literally "dreams" about your code.
Buddy — internal Tamagotchi pet. 18 species, shiny variants at 1% probability, procedural stats, AI-generated personality. Planned launch: May 2026. This is not a joke. It is in the code.
UltraPlan — remote planning that sends heavy tasks to a cloud container running Opus 4.6 for up to 30 minutes.
Coordinator Mode — multi-agent orchestrator that spawns parallel workers (swarms).
Undercover Mode — internal system that prevents Anthropic employees from leaking proprietary information in open-source contributions.
Anti-Distillation — injects decoy tool definitions to poison model distillation attempts. Protection against clones — also leaked.
The irony of Undercover Mode is impossible to ignore: a system designed to prevent leaks, discovered thanks to a leak.
The pattern that repeats
This is not an isolated incident. It is a pattern.
February 2025: Claude Code source maps appear in the npm package. Anthropic fixes it by removing the file. Problem solved.
March 26, 2026: Anthropic leaks ~3,000 internal files — including the Mythos draft — through a CMS configured as public by default. We covered it here.
March 31, 2026: Claude Code source maps appear in the npm package. Again. Fourteen months later. The same mistake.
Three leaks in fourteen months. Two of the exact same type. The company that claims to be building "the most powerful AI model ever developed" does not have a CI/CD pipeline that checks whether debug files are excluded from production builds.
A grep -r "sourceMappingURL" dist/ in the pipeline would have prevented everything. A file size check (cli.js.map weighs 60MB — hard to miss) would have been enough. They did neither.
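An added example, not Anthropic's pipeline and not code from the leak: a POSIX shell gate that implements the two checks named above (the sourceMappingURL grep and a size ceiling), plus a scan for .map files and for maps that embed sources through the sourcesContent field. The function name, the finding labels and the 5 MiB default are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: release gate for a build output directory.
# check_release_dir DIR [MAX_BYTES]
#   Prints one "KIND path" line per finding; returns 1 if any, 0 if clean.
check_release_dir() {
    dir=$1
    max_bytes=${2:-5242880}   # assumed ceiling (5 MiB); tune to your bundle

    report=$(
        # 1. Source map files shipped with the bundle.
        find "$dir" -type f -name '*.map' | sed 's/^/MAP_FILE /'

        # 2. Bundles that still carry a sourceMappingURL comment, which
        #    tells anyone reading the bundle where the map lives.
        find "$dir" -type f \( -name '*.js' -o -name '*.mjs' \
                -o -name '*.cjs' -o -name '*.css' \) \
            -exec grep -l 'sourceMappingURL=' {} + | sed 's/^/MAP_REFERENCE /'

        # 3. Maps whose sourcesContent field embeds the original files.
        find "$dir" -type f -name '*.map' \
            -exec grep -l '"sourcesContent"' {} + | sed 's/^/EMBEDDED_SOURCES /'

        # 4. Any file above the size ceiling, whatever its name.
        find "$dir" -type f -size +"${max_bytes}c" | sed 's/^/OVERSIZE /'
    )

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Demo on a constructed tree (sample files, not real package contents).
demo=$(mktemp -d)
mkdir -p "$demo/dist"
printf 'console.log(1)\n//# sourceMappingURL=cli.js.map\n' > "$demo/dist/cli.js"
printf '{"version":3,"sources":["../src/a.ts"],"sourcesContent":["const a=1"]}\n' \
    > "$demo/dist/cli.js.map"
check_release_dir "$demo/dist" 4096 || echo "release blocked"
rm -rf "$demo"
```

Run it against what will actually be published, for example the unpacked output of npm pack, not just the build directory. An allowlist in the package.json "files" field is less fragile than a .npmignore denylist, because a new artifact is excluded by default.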
The uncomfortable question
The leaked code reveals the internal architecture of one of the most advanced coding agents on the market. Competitors like Cursor, Windsurf, Cline, and Aider can now study exactly how Anthropic orchestrates tools, manages permissions, implements memory, and coordinates multi-agents.
Is it a security risk for users? No. There are no keys, tokens, or personal data in the source map.
Is it a competitive risk for Anthropic? Absolutely. The architecture is no longer proprietary. Design patterns, internal feature names, the implicit roadmap in the feature flags — all public.
Is it embarrassing? Ask Undercover Mode.
The theory nobody wants to consider
There is an alternative scenario worth considering. We are not claiming it happened. We are just asking.
What if it was intentional?
Anthropic has access to Opus 4.6 — the model that, according to the leaked code, wrote much of Claude Code. What if someone at Anthropic asked Opus: "What would be the most inconspicuous way to leak the Claude Code source?"
The obvious answer: a source map in the npm package. A mistake that had already happened before. A mistake any competent engineering team could make. A mistake nobody would question as intentional.
Think about it: five days ago they leaked Mythos — the model Anthropic describes as "a step change" in capabilities. Five days later, they leak the complete source code of the agent built by the previous model. The sequence is convenient.
First you generate the conversation about the new model. Then you leak the architecture of the old product so everyone studies it, critiques it, calls it "vibe coded." And when global attention peaks — when every engineer on the planet is reading your code and every competitor is copying your architecture — you announce the new version. "Claude Code, now built by Mythos."
The old product becomes free marketing. The leak becomes a launch event. The criticism of Opus's "messy" code becomes the perfect contrast for Mythos's "clean" version.
Is it possible? Absolutely. Anthropic has models capable of designing a marketing strategy that looks like an engineering mistake. And the pattern of consecutive "errors" — each one exposing exactly the piece that maximizes attention — is hard to attribute solely to incompetence.
Are we claiming it? No. But we are not going to pretend we did not think about it.
The company building the agent that writes your code cannot configure its own .npmignore.
The company that designed an anti-leak system leaked it.
The company that fixed this mistake fourteen months ago repeated it.
cli.js.map weighed 60 megabytes. Nobody noticed until an external researcher opened it.
Sixty megabytes of source code, packaged in production, pointing to a public bucket.
Paila.