Claude Code's Source Didn't Leak. It Was Already Public for Years.

I build a JavaScript obfuscation tool (AfterPack), so when the Claude Code "leak" hit VentureBeat, Fortune, and The Register this week, I did what felt obvious — I analyzed the supposedly leaked code to see what was actually protected. I wrote a detailed breakdown on the AfterPack blog. Here's the core of it. What Happened A source map file — a standard debugging artifact defined in ECMA-426 — was accidentally included in version 2.1.88 of the @anthropic-ai/claude-code package on npm. Security researcher Chaofan Shou spotted it, and within 24 hours a clean-room Rust rewrite hit 110K GitHub stars and a breakdown site (ccleaks.com) cataloged every hidden feature. This is the second time — a nearly identical source map leak happened in February 2025. The Code Was Already There Claude Code ships as a single bundled cli.js on npm — 13MB, 16,824 lines of JavaScript. It's been publicly accessible since launch. You can view it right now at unpkg.com. I analyzed it. It's minified, not obfuscate