Particle.news

Anthropic’s Claude Code Source Exposed After npm Source Map Included in Release

A stray source map in the npm build exposed the full TypeScript code, prompting urgent audits of release pipelines across developer teams.

Overview

  • Security researcher Chaofan Shou reported the exposure Tuesday after finding a cli.js.map file in Anthropic’s published Claude Code CLI package.
  • The original TypeScript was recovered from the map and mirrored to a public GitHub repository that labels itself unofficial and states the code remains Anthropic’s intellectual property.
  • Analysts reviewing the archive count about 1,900 TypeScript files and more than 512,000 lines, revealing a Bun runtime, an Ink/React terminal UI, a plugin-like tool system, and multi-agent orchestration.
  • Source maps link bundled code back to the original files, so shipping cli.js.map in a production npm package effectively delivered the readable source and exposed detailed internal design.
  • The extracted code is now widely accessible through public mirrors, and coverage urges teams to run npm pack --dry-run and exclude .map files to prevent similar leaks; no official company statement was included in the sampled reports.
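The check urged above, as an added example that is not code from Anthropic or from the reports summarized here: it audits the set of files a package would publish and flags shipped .map files, whether they embed original sources in the source map's sourcesContent field, and bundles that point to a map. The function names, the { path, content } input shape, and the sample package are assumptions constructed for illustration.

```javascript
// Added example: audit a to-be-published file set for source-map exposure.
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;

function auditPackedFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      let total = 0, embedded = 0;
      try {
        const map = JSON.parse(content);
        total = Array.isArray(map.sources) ? map.sources.length : 0;
        // sourcesContent holds the original files verbatim; null means "not embedded".
        embedded = (map.sourcesContent || []).filter((s) => typeof s === 'string').length;
      } catch { /* an unparsable map is still flagged below */ }
      findings.push({ path, kind: 'map-file', sources: total, embedded });
    } else if (/\.(c|m)?js$/.test(path)) {
      const m = MAP_COMMENT.exec(content);
      // An inline data: URI carries the whole map inside the bundle itself.
      if (m && m[1].startsWith('data:')) findings.push({ path, kind: 'inline-map' });
      else if (m) findings.push({ path, kind: 'map-reference', target: m[1] });
    }
  }
  return findings;
}

// A release gate: any finding blocks publication.
function shouldBlockRelease(files) {
  return auditPackedFiles(files).length > 0;
}

// Constructed sample package contents (not taken from any real package).
const samplePackage = [
  { path: 'package.json', content: '{"name":"example-cli","version":"0.0.0"}' },
  { path: 'cli.js', content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'cli.js.map', content: JSON.stringify({
      version: 3, file: 'cli.js', mappings: 'AAAA',
      sources: ['src/main.ts', 'src/util.ts'],
      sourcesContent: ['export const main = () => {};', null] }) },
];

console.log(auditPackedFiles(samplePackage));
```

In a release pipeline the file list would come from what npm pack --dry-run reports for the package, with each file's content read from disk before the audit runs.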