Anthropic shipped their proprietary source code to the public npm registry. Again.
Security researcher Chaofan Shou discovered this morning that Claude Code v2.1.88 contained a 60MB source map file, cli.js.map, sitting right there in the published package.[1] Inside it: 1,906 TypeScript source files, roughly 510,000 lines of code.[1] System prompts. Encryption tooling. Telemetry systems. Internal API design. Inter-process communication protocols. Anyone who ran npm install got the whole thing.
The exact same thing happened in February 2025. Anthropic pulled the file. Apparently nobody fixed the build pipeline.[2]
Quick explainer on source maps, because it matters here. When developers compile or minify JavaScript for production, the output is intentionally unreadable. A source map is a separate file that maps that minified code back to the original, human-readable source. It exists so developers can debug production issues without staring at a wall of compressed symbols. The .map file doesn’t just point to the source; it embeds it verbatim inside a JSON blob. These files are pure development artifacts. They have no business in a production npm package. Excluding them takes one line in a build config.
This one also referenced unobfuscated TypeScript sources hosted directly on Anthropic’s cloud storage.[3] Not reconstructable from the map. Directly downloadable by URL.[3]
The community response was immediate and not subtle. A GitHub repository archiving the leaked code hit 5,000 stars in under 30 minutes.[4] At least one project was already rewriting portions in Rust. Multiple archive repositories materialized faster than any takedown effort could touch them. The code is out. That’s just a fact now.
As of early afternoon on March 31, Anthropic had not issued a public statement and v2.1.88 was still live on npm with the file intact.[1]
Here’s what makes this worse than a one-time screwup. When this happened in early 2025, the fix was to remove the file. That’s it. No root cause analysis surfaced publicly, no pipeline change, no “we’ve added a pre-publish check that validates no source maps are included.” Just: file deleted, move on. Thirteen months later, a bigger release ships with the same artifact at larger scale. That’s not bad luck. That’s what a manual fix without a systemic correction looks like.
The contents aren’t just embarrassing. System prompts are competitive intelligence. Encryption tooling and telemetry internals are exactly what a sophisticated adversary would want to understand before targeting the product or its users. This isn’t “oh no, someone can read their variable names.” It’s the architecture of a widely deployed AI coding tool, handed out for free.
March has not been kind to Claude Code. The tool was impersonated in a malvertising campaign on March 11. Today, alongside this leak, two CVEs dropped for the same product: CVE-2025-59536 (remote code execution) and CVE-2026-21852 (API key theft). Quite a confluence.
But the source map issue is the one that should stick with you, because it’s a signal about something broader. Release engineering discipline is a form of security posture. A vendor that ships a debug artifact to production twice in thirteen months, with no apparent pipeline fix in between, is telling you something about how tightly they control their build and release process. That’s not a judgment about their researchers or their models. It’s a question worth sitting with: if this slips through twice, what else might?
One config line. That’s all it takes to exclude source maps. It’s been one config line the whole time.
[1] Dev.to analysis of the Claude Code npm source map exposure: https://dev.to/gabrielanhaia/claude-codes-entire-source-code-was-just-leaked-via-npm-source-maps-heres-whats-inside-cjo
[2] NDTV follow-up on the second occurrence and timeline context: https://www.ndtv.com/science/anthropics-ai-coding-tool-leaks-its-own-source-code-for-the-second-time-in-a-year-11291517
[3] CybersecurityNews corroboration on the source map, file count, and cloud-hosted sources: https://cybersecuritynews.com/claude-code-source-code-leaked/
[4] Researcher disclosure on X (Chaofan Shou): https://twitter.com/Fried_rice/status/2038894956459290963