Claude Code CLI source map revealed full TypeScript code
An npm package for Claude Code included a cli.js.map file that exposed full TypeScript source; multiple GitHub mirrors have published copies and builds are circulating.
Anthropic exposed the source code for its Claude Code command-line tool when an npm package the company published included a cli.js.map file containing unobfuscated TypeScript source. The discovery was posted on X by user Chaofan Shou.
The package contained Claude Code v2.1.88. The cli.js.map file was reported to be about 57MB, mapped roughly 1,900 files and approximately 512,000 lines of code, and appeared to include full TypeScript rather than only symbol mappings.
The files reportedly include the tool’s core engine for LLM API calls, handling of streaming responses, tool-call loops, a “thinking” mode, retry logic, token counting, permission models, integrations for external tools, and internal filters. Inspectors cited a large regular-expression filter used to detect profanity and negative prompts.
Anthropic removed the npm package after the exposure, but multiple users had already mirrored the repository on GitHub. One public mirror attracted nearly 30,000 stars and about 40,200 forks, while another mirror collected roughly 425 stars and 520 forks.
Developers have begun examining the codebase and publishing builds; some users are advertising their own compiled versions of Claude Code.
Security observers warned that the exposed internal logic could make it easier to reverse-engineer the tool, identify potential security flaws, or appropriate intellectual property. Some contributors noted that Claude Code depends on the axios HTTP client, a library that was recently targeted in an unrelated compromise.
The leak did not include Anthropic’s underlying AI models or user data. Legal advisers and developers posted reminders that making source available does not change software license terms and that copying or redistributing the code could violate those terms.
Chaofan Shou’s post drew millions of views and thousands of comments on X. Full-stack developer Justin Schroeder posted on X that availability does not make the code open source and warned against copying or redistributing the source.
Content on BlockPort is provided for informational purposes only and does not constitute financial guidance.
We strive to ensure the accuracy and relevance of the information we share, but we do not guarantee that all content is complete, error-free, or up to date. BlockPort disclaims any liability for losses, mistakes, or actions taken based on the material found on this site.
Always conduct your own research before making financial decisions and consider consulting with a licensed advisor.
For further details, please review our Terms of Use, Privacy Policy, and Disclaimer.
Tags
Articles by this author
