It's April 1st, but this post is not a joke.
The internet is on fire over Claude Code's (NPM CLI to be precise) "leaked" source. 512,000 lines! Feature flags! System prompts! Unreleased features! VentureBeat, Fortune, Gizmodo, The Register, Hacker News — everyone covered it. A clean-room Rust rewrite (to dodge the DMCA) hit 100K GitHub stars in nearly a day — a world record. 110K now and counting.
Here's what nobody's saying: all of that was already public! On npm. In plaintext. For years. Open unpkg.com/@anthropic-ai/claude-code/cli.js right now — that's the entire Claude Code CLI, one click away, readable in your browser. No leak required.
What "leaked" was a source map file that added internal developer comments on top of code that was never protected in the first place, plus a directory/source structure.
What Actually Happened
A .map source map file — meant for internal debugging — was accidentally included in version 2.1.88 of the @anthropic-ai/claude-code package on npm. Security researcher Chaofan Shou spotted it, posted on X, and the internet did the rest.
Anthropic confirmed the mistake: "This was a release packaging issue caused by human error, not a security breach." The package was pulled, but by then it had already been mirrored everywhere.
The funny part? This is the second time. A nearly identical source map leak happened in February 2025. Same product, same mistake, thirteen months apart.
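A pre-publish check for the packaging mistake described above, as an added example that is not code from Anthropic or from the original post. The function names and the sample package contents are hypothetical and constructed for illustration. It flags shipped `.map` files, reports how many original source paths and embedded source bodies each one carries, and flags bundles that still reference or inline a map.

```javascript
// Constructed sample: entries as they might appear in a package tarball.
// Paths and contents are invented for illustration.
const SAMPLE_FILES = [
  { path: "package.json", content: '{"name":"example-cli","version":"1.0.0"}' },
  { path: "cli.js", content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  {
    path: "cli.js.map",
    content: JSON.stringify({
      version: 3,
      file: "cli.js",
      sources: ["../src/main.ts", "../src/flags/internal.ts"],
      sourcesContent: ["// TODO(internal): remove before launch\nexport {}", null],
      mappings: "AAAA",
    }),
  },
];

// Return one finding per release-blocking item in the file list.
function auditPackFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith(".map")) {
      let map;
      try {
        map = JSON.parse(content);
      } catch {
        findings.push({ path, kind: "unparseable-map" });
        continue;
      }
      const sources = Array.isArray(map.sources) ? map.sources : [];
      const embedded = Array.isArray(map.sourcesContent)
        ? map.sourcesContent.filter((s) => typeof s === "string").length
        : 0;
      findings.push({ path, kind: "source-map", sourcePaths: sources.length, embeddedSources: embedded });
    } else if (/\.(c|m)?js$/.test(path)) {
      const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(content);
      if (m && m[1].startsWith("data:")) {
        findings.push({ path, kind: "inline-source-map" });
      } else if (m) {
        findings.push({ path, kind: "map-reference", target: m[1] });
      }
    }
  }
  return findings;
}

function releaseAllowed(files) {
  return auditPackFiles(files).length === 0;
}
```

In a release pipeline the file list would come from the paths reported by `npm pack --dry-run`, with each file read from disk before the check runs.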
The Internet Lost Its Mind — In One Day
What happened next was genuinely impressive. In a single day: