Claude Code source leaks via npm map

This is more embarrassing than catastrophic: source maps can reconstruct minified JavaScript/TypeScript, but they do not expose Claude model weights or Anthropic’s backend by themselves.

• –Claude Code is a local CLI client, so the biggest exposure is implementation detail: prompts, permission logic, command flow, and integrations.
• –Security researchers now get a much easier audit surface for bugs and guardrail weaknesses, which is useful, but so do copycats and attackers.
• –For developers, this is a reminder that npm publishing hygiene matters; a stray sourcemap can undo most of the obscurity in a shipped bundle.
• –The incident may accelerate forks, reverse-engineering, and comparisons with other AI coding CLIs, especially among users already sensitive to trust and provenance.