Anthropic's Claude Code leaked its entire source code because someone left a .map file in their NPM package. A hilarious look into big tech CI/CD failures.
Anthropic just dropped their shiny new CLI tool, Claude Code, ready to revolutionize our terminals. But before they could even finish popping the champagne, the entire source code got leaked. Was it a zero-day exploit? A master hacker? Nope. It was a damn .map file sitting comfortably on their NPM registry. How does a multi-billion-dollar tech giant make a rookie mistake that would get a junior dev publicly roasted? Grab your popcorn, let's dive in.
Here is the TL;DR: Anthropic shipped Claude Code as an NPM package. Everything looked normal until someone realized the dev responsible for the release completely slept through the CI/CD pipeline setup.
They compiled the code but totally forgot to disable sourcemaps or add them to the .npmignore file. The result? The .map files got shipped straight to production. For the uninitiated, source maps translate minified, unreadable production code back into its original, beautiful TypeScript glory for debugging. Publishing it to NPM is basically handing over the keys to the kingdom and leaving the vault door wide open.
Internet sleuths immediately downloaded the package, fed it through a reverse engineer script, and got the full, unredacted source. And boy, is it a goldmine. Digging through the code revealed "fake tools", a sneaky "undercover mode", and the absolute star of the show: a "frustration regex". Yes, they literally wrote a regular expression to detect when users are pissed off and swearing at the CLI, presumably so the AI can apologize faster. You can't make this shit up.
The dev community is, predictably, showing absolutely zero mercy. The reactions generally fall into three camps:
.npmignore file does." It's the ultimate validation for every dev who has ever been yelled at for a bad PR.As funny as this is, it's a sobering reminder that we are all just one bad git push away from disaster.
No matter how advanced AI tools get, humans are still the ones configuring the pipelines. Big tech isn't immune to stupidity. The ultimate takeaway here? Please, for the love of God, double-check your tsconfig.json, your Vite/Webpack configs, and your .npmignore. Make sure sourceMap: false is strictly enforced on production builds. One stupid boolean value is all it takes to undress your entire app in front of the whole internet.
Now, excuse me while I go desperately check all my public repos to make sure I didn't push any .env files last night. Stay safe out there!
Source: Hacker News Related thread: The Claude Code Source Leak