Claude Code Source Code Leak: Incident Analysis

This tutorial analyzes the recent leak of Claude Code's source code due to an npm packaging error. On March 31, 2026, Anthropic's @anthropic-ai/claude-code package (version 2.1.88) was released to the public npm registry, inadvertently including a 59.8 MB JavaScript source map file (cli.js.map).
The tutorial explains how source maps, intended for debugging, map minified code back to readable TypeScript. A misconfiguration allowed the source map to be included in the public package, leading to the exposure of approximately 512,000 lines of code across ~1,900 files. The package was quickly removed, but the code had already been mirrored and analyzed.
Anthropic acknowledged the issue, stating no customer data was exposed and attributing the leak to human error in the release process. The leaked code included the client-side CLI/tooling for Claude Code, offering potential competitive intelligence to other AI labs. This incident underscores the risks of configuration errors in AI development and deployment, highlighting the need for robust build pipelines and security practices.
This guide is useful for developers, security analysts, and AI researchers aiming to understand the implications and lessons from this specific incident. You'll learn about the context, impacted components, and potential security concerns in the rapidly evolving landscape of AI tools and development.
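
The packaging failure described above, a source map shipped next to the minified bundle, can be caught by a pre-publish check. The following is an added example, not code from Anthropic or from the original tutorial; the function name, the `{ path, content }` input shape and the sample package are assumptions constructed for illustration.

```javascript
// Pre-publish audit: flag source maps and map references in the files a package would ship.
// Input shape is an assumption: [{ path, content }] for every file in the tarball.
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith(".map")) {
      let embedded = 0;
      try {
        const map = JSON.parse(content);
        // sourcesContent carries the original source text verbatim.
        embedded = (map.sourcesContent || []).filter((s) => typeof s === "string").length;
      } catch {
        // Not valid JSON: still flag the file by name.
      }
      findings.push({ path, issue: "source-map-file", embeddedSources: embedded });
    } else if (/\.(c|m)?js$/.test(path)) {
      const m = MAP_COMMENT.exec(content);
      if (m && m[1].startsWith("data:")) {
        findings.push({ path, issue: "inline-source-map" });
      } else if (m) {
        findings.push({ path, issue: "map-reference", target: m[1] });
      }
    }
  }
  return findings;
}

// Constructed sample: a minified bundle plus its map, as a misconfigured build would ship them.
const samplePackage = [
  { path: "package.json", content: '{"name":"example-cli","version":"0.0.0"}' },
  { path: "cli.js", content: "console.log(1);\n//# sourceMappingURL=cli.js.map\n" },
  {
    path: "cli.js.map",
    content: JSON.stringify({
      version: 3,
      sources: ["src/main.ts", "src/util.ts"],
      sourcesContent: ["export const a: number = 1;", "export const b = 2;"],
      mappings: "AAAA",
    }),
  },
];

const sampleFindings = auditPackageFiles(samplePackage);
for (const f of sampleFindings) console.log(JSON.stringify(f));
// A release gate would exit non-zero when sampleFindings.length > 0.
```

In a real pipeline the list of files that would be published can be taken from `npm pack --dry-run --json`, with each file's content read from disk before it is passed to the check.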