The full source code of Claude Code — a terminal AI agent by Anthropic with 82,000+ stars on GitHub — is available to anyone who downloads the npm package and unpacks the source map. This is not a bug in the latest version: the source map shipped in the npm package on launch day — February 24, 2025. Over 13 months, dozens of researchers studied it, extracted system prompts, hidden features, and the product roadmap — and nothing significant happened, which raises the question: why?
To answer it, we need a timeline.
First wave: February–March 2025
On February 24, 2025, Anthropic released Claude Code — a terminal AI agent that reads and edits code from natural language commands. The tool was distributed via npm as the @anthropic-ai/claude-code package. Inside was a minified file cli.mjs weighing 23 megabytes.
That same day, developer Dave Shoemaker opened the file in Sublime Text and found an 18-million-character string at the end — an inline source map encoded in base64. A source map is a standard mechanism that links minified code back to the original source. In other words, the npm package contained a complete map for reconstructing all of Claude Code’s source.
Shoemaker left for the vet. While he was away, Anthropic pushed an update (version 0.2.9) that removed the source map. The company also unpublished the previous package version from the npm registry and purged the cache. The response took approximately two hours — based on the npm cache timestamps in Shoemaker’s blog post from February 27.
By then the code had already spread: on February 25 at 05:08 UTC, developer Daniel Nakov published the dnakov/claude-code repository with the fully extracted source. The same day, a Hacker News thread by user npace12 sparked active discussion.
Shoemaker, returning home, discovered that the source map had vanished everywhere — from npm, from the cache, from the file on his machine. But Sublime Text keeps undo history, and pressing Cmd+Z restored the deleted string. He described this on February 27.
Events moved quickly after that:
- March 1, 2025 — Jeffrey Huntley published a blog post and repository (877 stars) with a different approach: using an LLM for cleanroom deobfuscation of the minified JavaScript back into TypeScript.
- March 7, 2025 — Lee Han Chung published a detailed architecture breakdown: system prompts (including
megathinkandultrathinkdirectives), language parsing via regex, MCP integration, AWS Bedrock setup. - March 30, 2025 — Reid Barber published a thorough technical analysis: the agentic loop, all tools (BashTool, FileEditTool, AgentTool, and others), the permission system, data flow.
Forks of Nakov’s repository appeared — leeyeel/claude-code-sourcemap, gasxia/claude-code-sourcemap — preserving the code after the original repository was archived by its author on March 4.
Second wave: March 2026
Thirteen months later, the situation repeated through two different channels.
March 7, 2026 — gentic.news discovered that the npm package @anthropic-ai/claude-agent-sdk accidentally contained the full Claude Code CLI bundle — a cli.js file of 13,800 lines of minified JavaScript, version 2.1.71, built on March 6, 2026. This was a different vector: not a source map, but an entire executable file inside the SDK.
March 30–31, 2026 — researcher Chaofan Shou (@Fried_rice) discovered that npm package @anthropic-ai/claude-code version 2.1.88 again contained a cli.js.map file weighing 59.8 megabytes — a full source map. This time not inline (as in 2025) but as a separate file alongside cli.js.
On March 31, a Hacker News thread appeared (by user treexs), a Reddit r/LocalLLaMA post (by Nunki08), and new repositories with extracted code, including instructkr/claude-code.
Between the two waves, Anthropic released 363 versions of the package. Which one reintroduced the source map remains unknown.
The chronicle ends here, and we can move on to what was actually extracted.
What researchers found in the source code
Competitive intelligence
The source code contains feature flags — toggles for unreleased features. Researchers systematically track them.
The most illustrative case: on January 24, 2026, developer Mike Kelly discovered a hidden multi-agent system called TeammateTool (codename Swarms) in version 2.1.19. On January 26, ASCII News and paddo.dev published detailed breakdowns. On February 6, 2026, Anthropic officially announced agent teams alongside Opus 4.6 — two weeks after the community had already documented the feature.
As one commenter in the second-wave HN thread put it: “The big loss for Anthropic here is how it reveals their product roadmap via feature flags.”
Beyond TeammateTool, researchers found: “Kairos” (assistant mode), “Buddy System” (an April Fools’ tamagotchi companion with ASCII art), “Undercover mode” (a mode for scrubbing internal Anthropic information). Alex Sorokoletov maintains a Claude Code version tracker, documenting feature gates and models with every release. In one early analysis, he found 83 undocumented environment variables.
Claude Code’s system prompts are also extractable from the source map. The Piebald-AI/claude-code-system-prompts repository is updated with every new version and contains all prompts, descriptions of 18 built-in tools, sub-agent prompts (Plan, Explore, Task), and service prompts.
Security
In February 2026, Check Point Research disclosed two critical vulnerabilities: CVE-2025-59536 (remote code execution through hooks in project files) and CVE-2026-21852 (API key exfiltration via ANTHROPIC_BASE_URL substitution before trust confirmation).
Both vulnerabilities allowed compromising a developer’s machine when cloning a malicious repository. Anthropic fixed them. The discovery was covered by The Hacker News, SecurityWeek, The Register, and Dark Reading.
No direct link between the source map leak and the discovery of these CVEs has been established — Check Point does not cite the source map as a source. However, knowledge of a tool’s internal architecture narrows the search space for vulnerabilities.
Ecosystem
Infrastructure grew around the extracted code: hitmux/HitCC (433 stars) — complete CLI logic documentation; N1-AI/claude-hidden-toolkit — a catalog of 37 internal Claude tools; Yuyz0112/claude-code-reverse (2,287 stars) — LLM interaction visualization.
The consequences are substantial, yet the product continues to grow, which demands an explanation.
Three barriers that protect a product without protecting its code
The code is the client; the value is on the server
Claude Code is a terminal application built with React and Ink that accepts user commands, sends them to the Claude API, receives a response, and invokes tools (bash, file edit, grep). All intellectual value — the Opus, Sonnet, and Haiku models — resides on Anthropic’s servers. Copying the client without API access is like copying a TV remote without the TV.
Proprietary license
The npm package license reads SEE LICENSE IN README.md — it is not MIT, not Apache, not any open-source license. Using the code beyond the license terms constitutes copyright infringement.
Anthropic litigates
On March 19, 2026, Anthropic filed suit against OpenCode — a third-party tool that used internal Claude Code APIs so that Max subscription users ($200/month) could obtain tokens at a reduced cost through a different client. OpenCode removed the relevant plugins in version 1.3.0. In February 2026, Anthropic updated its Terms of Service, explicitly prohibiting use of Claude through third-party harnesses.
Competitors (Cline, Goose, Aider) write their own implementations of the same architectural patterns — REPL, tool use, sub-agents — without copying Claude Code’s code. Understanding the architecture is sufficient; reproducing the files is not necessary.
Open code without open source
The full source code of a commercial product has sat in the public npm registry for 13 months. It has been studied, disassembled, and documented. Researchers extracted the roadmap, prompts, and hidden features. Over these 13 months, the product went through 363 versions and accumulated 82,000+ GitHub stars, the company actively pursues those who attempt to use its API through third-party clients, and the license remains proprietary.
The question arises: is this a bug they cannot fix, or a situation they can live with? Claude Code is de facto transparent but de jure closed — competitors see the architecture but cannot reproduce the product, and the community builds an ecosystem around code it does not own.
For an industry accustomed to the binary choice between open source and proprietary code, this is an unfamiliar model: the code is visible to everyone but belongs to one company, and as long as the product’s value is determined by the server side, this model appears to work.