Claude Code exposed by a source map: the human failure that leaked almost 2,000 files and reopened the debate on closed code

A human error today made news a product that Anthropic had so far kept closed: part of Claude Code's source code was accidentally published and quickly spread into public repositories and warehouses. The leak occurred when a version of the package was uploaded to NPM including a very large source map file containing the original text of the code, which allowed the complete structure of the project to be rebuilt.

The initial discovery was pointed out in networks by Chaofan Shou ( see publication) and from there the copy was spread through GitHub and other sites. Anthropic has recognized the incident and said that no sensitive customer data or credentials were published; the company describes what happened as a failure in the packaging of the version, resulting from a human error and not from an external intrusion. You can consult the indirect release and removal efforts in the rights notice repository in GitHub where the company has started to request withdrawals by DMCA: DMCA notice.

To understand why a single file allowed to recover all the code you have to remember what the source maps are. When the JavaScript code is compiled or packaged for production, the source maps serve to link the final code to the original files and facilitate the debugging. However, if that map includes in its interior a field that incorporates the original content (known as "sourcesContent"), it is enough to extract the map to rebuild the complete source files. In this case, the NPM publication included a cli.js.map file of about 60 MB containing exactly that embedded text; the result reported by several researchers was a recovery of about 1,900 files and half a million code lines.

The volume and detail of the filtered material attract attention for two reasons. On the one hand, they expose internal functionalities that Anthropic had not yet made public, as experimental modes described by those who have analyzed the code: a "Proactive" mode designed to keep the assistant generating code recurently and another mode baptized as "Dream," oriented to a thought in the background to develop ideas or improve user plans. On the other hand, although Anthropic claims that no credentials or customer data were leaked, the availability of the code facilitates analysis to discover undocumented behaviors, internal routes, default configurations and potential abuse vectors that were previously hidden behind the owner code barrier.

The reaction of the technical community has been immediate: developers are reviewing the reconstructed tree in search of unpublished functions, errors, and any information that will better understand how Claude Code works. Anthropic tries to contain dissemination by withdrawal requests, but the nature of the Internet makes the effect of these measures limited: once something is copied into multiple repositories and myrors, the complete removal becomes complicated.

In addition to filtration, the user community has reported an operational problem: it seems that the limits of use in Claude Code are running out much faster than expected. Many users are seeing their quotas consumed in minutes, even in short-interaction contexts and without large contexts. Anthropic has recognized that it investigates a bug that causes an accelerated exhaustion of the limits and has identified it as a top priority in its public communications; researcher Lydia Hallie published updates on the subject on her account ( see thread), and other observers have shared findings and assumptions in networks, including references to the finding of experimental modes in the code by Alex Finn ( see publication).

What lessons does this episode leave? First, that the mechanisms of publication of packages require very strict controls: exclude source maps from the buildings intended for public distribution, ensure that the field "sourcesContent" does not include full text, and review the packaging rules (.npmignore or file configuration) before publishing. Resources on how the source maps work and why they are sensitive can be found in reliable technical documentation, for example in MDN on the use of source maps Here. and in the official npm documentation on packaging and publication Here..

In terms of safety and product, the proprietary code exposure changes the equation. Although there is no personal data on the leak, the code reveals design decisions, shortcuts, internal tests and possible default configurations that can help attackers or competitors replicate behaviors. It also opens the possibility for independent researchers to find serious errors that were previously hidden, which can be a bitter blessing for safety: on the one hand it accelerates the detection of failures, on the other it exposes the risk window until patches are applied.

For end-users, the immediate recommendation is to retain caution: to review Anthropic's official communications on credentials, to monitor accounts for unusual activity and to follow the company's instructions if actions such as rotating keys or changing configurations are requested. For development teams, the urgency is technical and operational: to review building and publishing processes, to automate checks that detect maps with embossed sources and to apply access and review controls on each release to minimize the possibility of human errors.

This episode is a reminder that security is not just defending itself from external intruders: many leaks occur from internal process failures. Anthropic has said that it will implement measures so that it does not happen again, but the reputational damage and the technical consequences will take longer to dilute. Meanwhile, the discussion on transparency in IA models and the tension between open source and intellectual property is intensified: incidents such as this reopen questions about how to balance security, competition and responsibility when critical and complex technologies move from closed experiments to widely used products.

If you want to follow the original thread of research and relevant publications, here are some direct sources cited: the initial track in X by Chaofan Shou ( publication), the public update on DMCA ( notice in GitHub), and the discussion about the bug of limits published by Lydia Hallie ( see here). To technically understand why a source map can filter code, MDN documentation is a good starting point: technical explanation.

In short, the filtration of Claude Code is a clear example of how a single error in the delivery chain can have broad consequences: exposure of intellectual property, intensification of public scrutiny and concern among users for operational reliability. The issue is evolving as Anthropic and the technical community act; official sources and security updates should be followed over the next few hours and days.