Agent Daily
discussion, intermediate

Claude Code's source code has been leaked via a map file in their NPM registry

By treexs, via hackernews

Claude Code's source code was inadvertently exposed through a source map file (.map) published with its NPM package. Source maps, which map minified code back to the original source, were left in the public package, allowing anyone who downloaded it to view the original unminified code. This is a common security oversight: build artifacts intended for debugging are accidentally published to public registries. The incident highlights the importance of excluding such artifacts from NPM package distributions.

Key Points

  • Source map files (.map) were included in the public NPM package, exposing original unminified source code
  • Source maps are debugging aids that map minified code back to its readable original source
  • This is a common security misconfiguration where build artifacts are accidentally published to registries
  • Anyone with access to the NPM package could download and analyze the complete source code
  • Prevention requires explicitly excluding .map files from NPM distributions via .npmignore or the "files" field in package.json
  • Build tools should be configured to generate source maps only for development, not production builds
  • Regular audits of published packages should verify that no sensitive artifacts or credentials are exposed
  • Consider using private registries or scoped packages for sensitive code when public distribution isn't necessary

