On March 31, 2026, the full source code of Anthropic's Claude Code CLI was leaked via a `.map` file exposed in their npm registry. This repository preserves that snapshot for educational, security research, and software supply-chain analysis purposes.
Security researcher Chaofan Shou (@Fried_rice) publicly reported the exposure:
"Claude code source code has been leaked via a map file in their npm registry!"
What happened: The published npm package included a `.map` file that referenced the full, unobfuscated TypeScript source. The source files were hosted on Anthropic's R2 storage bucket and were publicly downloadable as a zip archive. This is a classic source map exposure, a well-known supply-chain security risk where build artifacts leak developer-only source code into production packages.
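A pre-publish check for the exposure described above, as an added example that is not part of this repository or of Anthropic's code. It goes beyond the single shipped `.map` file and also flags inline maps and `sourceMappingURL` references; the file names, contents and the `storage.example` URL are constructed.

```javascript
// Added example: audit the files that would ship in an npm package for source maps.
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/;

// Summarise what a source map would reveal to anyone who downloads it.
function describeMap(json) {
  let map;
  try { map = JSON.parse(json); } catch { return { parsed: false }; }
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const content = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return {
    parsed: true, sources: sources.length,
    embedded: content.filter((s) => typeof s === 'string').length,
    remote: sources.filter((s) => /^https?:\/\//.test(String(s))).length,
  };
}

// files: [{ path, content }] for every entry in the package tarball.
function auditPackage(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      findings.push({ path, kind: 'map-file', ...describeMap(content) });
      continue;
    }
    const m = /\.[cm]?js$/.test(path) && MAP_COMMENT.exec(content);
    if (!m) continue;
    const url = m[1];
    if (url.startsWith('data:')) {
      // Inline map: decode the base64 payload and inspect it like a file.
      const json = Buffer.from(url.slice(url.indexOf(',') + 1), 'base64').toString('utf8');
      findings.push({ path, kind: 'inline-map', ...describeMap(json) });
    } else {
      findings.push({ path, kind: 'map-reference', url });
    }
  }
  return findings;
}

// Constructed sample input; names and contents are illustrative only.
const SAMPLE_MAP = JSON.stringify({ version: 3, file: 'cli.js', mappings: 'AAAA',
  sources: ['../src/main.tsx', 'https://storage.example/src/tools.ts'],
  sourcesContent: ['export const a = 1', null],
});
const SAMPLE_FILES = [
  { path: 'cli.js', content: 'run()\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: SAMPLE_MAP },
  { path: 'lib/util.js', content: 'x()\n//# sourceMappingURL=data:application/json;base64,'
      + Buffer.from(SAMPLE_MAP).toString('base64') + '\n' },
];
```

In CI, feed `auditPackage` the files listed by `npm pack --dry-run` and fail the build on any finding with `embedded > 0` or `remote > 0`.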
Claude Code is Anthropic's official CLI tool for interacting with Claude from the terminal. It performs software engineering tasks such as:
- Editing files and running shell commands
- Searching codebases (glob + ripgrep)
- Managing git workflows (commits, PRs, branches)
- Coordinating multi-agent workflows
- Integrating with IDEs (VS Code, JetBrains) via a bridge
- Connecting to external tools via MCP (Model Context Protocol)
| Leaked on | March 31, 2026 |
| Language | TypeScript (strict mode) |
| Runtime | Bun |
| Terminal UI | React + Ink |
| CLI Framework | Commander.js |
| Scale | ~1,900 files, 512,000+ lines of code |
```
src/
├── main.tsx              # CLI entrypoint (Commander.js parser + Ink renderer)
├── commands.ts           # Slash command registry
├── tools.ts              # Tool registry
├── Tool.ts               # Tool type definitions & interfaces
├── QueryEngine.ts        # Core LLM query engine (~46K lines)
├── context.ts            # System/user context collection
├── cost-tracker.ts       # Token cost tracking
│
├── commands/             # Slash command implementations (~50)
├── tools/                # Agent tool implementations (~40)
├── components/           # Ink UI components (~140)
├── hooks/                # React hooks (permissions, state)
├── services/             # External service integrations
│   ├── api/              # Anthropic API client
│   ├── mcp/              # MCP server management
│   ├── oauth/            # OAuth 2.0 auth
│   ├── lsp/              # Language Server Protocol
│   └── analytics/        # GrowthBook feature flags
│
├── screens/              # Full-screen UIs (Doctor, REPL, Resume)
├── types/                # TypeScript type definitions
├── utils/                # Utility functions
│
├── bridge/               # IDE integration (VS Code, JetBrains)
├── coordinator/          # Multi-agent orchestration
├── plugins/              # Plugin system
├── skills/               # Reusable skill workflows
├── keybindings/          # Keybinding configuration
├── vim/                  # Vim keybinding mode
├── voice/                # Voice input support
├── remote/               # Remote session management
├── server/               # Server mode
├── memdir/               # Persistent memory directory
├── tasks/                # Task management
├── state/                # State management
├── migrations/           # Config migrations
├── schemas/              # Config schemas (Zod)
├── entrypoints/          # Initialization & bootstrap logic
├── ink/                  # Ink renderer wrapper
├── buddy/                # Companion sprite (Easter egg)
├── native-ts/            # Native TypeScript utilities
├── outputStyles/         # Output styling
├── query/                # Query pipeline
└── upstreamproxy/        # Proxy configuration
```
Every capability Claude Code has is implemented as a self-contained tool module. Each tool defines its input schema, permission model, and execution logic.
| Tool | Description |
|---|---|
| `BashTool` | Shell command execution |
| `FileReadTool` | File reading (code, images, PDFs, notebooks) |
| `FileWriteTool` | File creation / overwrite |
| `FileEditTool` | Partial file modification (string replacement) |
| `GlobTool` | File pattern matching search |
| `GrepTool` | ripgrep-based content search |
| `WebFetchTool` | Fetch URL content |
| `WebSearchTool` | Web search |
| `AgentTool` | Sub-agent spawning |
| `SkillTool` | Skill execution |
| `MCPTool` | MCP server tool invocation |
| `LSPTool` | Language Server Protocol integration |
| `NotebookEditTool` | Jupyter notebook editing |
| `TaskCreateTool` / `TaskUpdateTool` | Task creation and management |
| `SendMessageTool` | Inter-agent messaging |
| `TeamCreateTool` / `TeamDeleteTool` | Team agent management |
| `EnterPlanModeTool` / `ExitPlanModeTool` | Plan mode toggle |
| `EnterWorktreeTool` / `ExitWorktreeTool` | Git worktree isolation |
| `ToolSearchTool` | Deferred tool discovery |
| `CronCreateTool` | Scheduled trigger creation |
| `RemoteTriggerTool` | Remote trigger invocation |
| `SleepTool` | Proactive mode wait |
| `SyntheticOutputTool` | Structured output generation |
User-facing slash commands invoked with / prefix:
| Command | Description |
|---|---|
| `/commit` | Create a git commit |
| `/review` | Code review |
| `/compact` | Context compression |
| `/mcp` | MCP server management |
| `/config` | Settings management |
| `/doctor` | Environment diagnostics |
| `/login` / `/logout` | Authentication |
| `/memory` | Persistent memory management |
| `/skills` | Skill management |
| `/tasks` | Task management |
| `/vim` | Vim mode toggle |
| `/diff` | View changes |
| `/cost` | Check usage cost |
| `/theme` | Change theme |
| `/context` | Context window visualization |
| `/pr_comments` | View PR comments |
| `/resume` | Restore previous session |
| `/share` | Share session |
| `/desktop` | Desktop app handoff |
| `/mobile` | Mobile app handoff |
| Service | Description |
|---|---|
| `api/` | Anthropic API client, file API, bootstrap |
| `mcp/` | Model Context Protocol server connection & management |
| `oauth/` | OAuth 2.0 authentication flow |
| `lsp/` | Language Server Protocol manager |
| `analytics/` | GrowthBook-based feature flags & analytics |
| `plugins/` | Plugin loader |
| `compact/` | Conversation context compression |
| `policyLimits/` | Organization policy limits |
| `remoteManagedSettings/` | Remote managed settings |
| `extractMemories/` | Automatic memory extraction |
| `tokenEstimation.ts` | Token count estimation |
| `teamMemorySync/` | Team memory synchronization |
Bidirectional communication layer connecting IDE extensions (VS Code, JetBrains) with the Claude Code CLI:
- `bridgeMain.ts`: Bridge main loop
- `bridgeMessaging.ts`: Message protocol
- `bridgePermissionCallbacks.ts`: Permission callbacks
- `replBridge.ts`: REPL session bridge
- `jwtUtils.ts`: JWT-based authentication
- `sessionRunner.ts`: Session execution management
The permission system checks permissions on every tool invocation. It either prompts the user for approval/denial or auto-resolves based on permission mode (default, plan, bypassPermissions, auto, etc.).
Dead code elimination via Bun's bun:bundle feature flags:
```typescript
import { feature } from 'bun:bundle'

// Inactive code is completely stripped at build time
const voiceCommand = feature('VOICE_MODE')
  ? require('./commands/voice/index.js').default
  : null
```

Notable flags: PROACTIVE, KAIROS, BRIDGE_MODE, DAEMON, VOICE_MODE, AGENT_TRIGGERS, MONITOR_TOOL
`QueryEngine.ts`: The core engine for LLM API calls. Handles streaming responses, tool-call loops, thinking mode, retry logic, and token counting.

`Tool.ts`: Defines base types and interfaces for all tools: input schemas, permission models, and progress state types.

`commands.ts`: Manages registration and execution of all slash commands. Uses conditional imports to load different command sets per environment.

`main.tsx`: Commander.js CLI parser + React/Ink renderer initialization. Parallelizes MDM settings, keychain prefetch, and GrowthBook initialization at startup for faster boot.
| Category | Technology |
|---|---|
| Runtime | Bun |
| Language | TypeScript (strict) |
| Terminal UI | React + Ink |
| CLI Parsing | Commander.js (extra-typings) |
| Schema Validation | Zod v4 |
| Code Search | ripgrep |
| Protocols | MCP SDK, LSP |
| API | Anthropic SDK |
| Telemetry | OpenTelemetry + gRPC |
| Feature Flags | GrowthBook |
| Auth | OAuth 2.0, JWT, macOS Keychain |
Startup time is optimized by prefetching MDM settings, keychain reads, and API preconnect in parallel before heavy module evaluation begins.
```typescript
// main.tsx: fired as side-effects before other imports
startMdmRawRead()
startKeychainPrefetch()
```

Heavy modules (OpenTelemetry, gRPC, analytics, feature-gated subsystems) are deferred via dynamic import() until actually needed, reducing cold-start time.
Sub-agents are spawned via AgentTool, with coordinator/ handling multi-agent orchestration. TeamCreateTool enables team-level parallel work.
Reusable workflows defined in skills/ are executed through SkillTool. Users can add custom skills for repeated tasks.
Built-in and third-party plugins are loaded through the plugins/ subsystem.
This archive is maintained for:
- Educational study: understanding how a production-grade agentic CLI is architected
- Security research: analyzing supply-chain exposure risks (source map leaks, build artifact hygiene)
- Software engineering analysis: studying real-world patterns in tool systems, permission models, and multi-agent orchestration
- Defensive research: helping developers and security teams understand and prevent similar leaks in their own projects
This repository is not affiliated with, endorsed by, or maintained by Anthropic PBC.
All source code in this repository is the original intellectual property of Anthropic. This repository does not claim ownership, authorship, or rights over the code.
This repository exists solely for educational, academic, and defensive security research purposes. It is maintained by an individual studying software supply-chain security and agentic developer tooling architecture.
The code was made publicly available by Anthropic themselves through their npm registry. This repository preserves a snapshot of that public exposure for research and analysis purposes, consistent with:
- Academic study of software architecture
- Security research on supply-chain vulnerabilities
- Analysis of build artifact and packaging hygiene
This repository:
- Does not encourage piracy, unauthorized use, or redistribution of Anthropic's products
- Does not provide instructions for exploiting or misusing the code
- Does not claim to be an official Anthropic product or resource
- Is not used for commercial purposes
If you are an authorized representative of Anthropic and would like this repository removed, please open an issue or file a DMCA takedown request through GitHub's standard process. This repository will comply with any legitimate takedown request promptly.
- Chaofan Shou (@Fried_rice) for publicly reporting the source map exposure
- Anthropic for building Claude Code (even though they probably wish this didn't happen)