Hacker News

Claude Code's source code has been leaked via a map file in their NPM registry

1818 points, posted by treexs today at 9:00 AM, 887 comments

https://xcancel.com/Fried_rice/status/2038894956459290963

Related ongoing thread: The Claude Code Source Leak: fake tools, frustration regexes, undercover mode - https://news.ycombinator.com/item?id=47586778


Comments

jakegmaths, today at 3:00 PM

I think this is ultimately caused by a Bun bug which I reported, which means source maps are exposed in production: https://github.com/oven-sh/bun/issues/28001

Claude Code uses (and Anthropic owns) Bun, so my guess is they're doing a production build, expecting it not to output source maps, but it is.

airblackbox, today at 9:16 PM

[dead]

kolkov, today at 1:38 PM

We've been reverse-engineering Claude Code's cli.js across 11 versions (v2.1.74–v2.1.87) for the past two weeks — grepping through 12 MB of minified code, counting brace depth at character offsets, tracing error paths with node -e scripts. Found multiple bugs this way:

Watchdog timing bug: The streaming idle watchdog initializes AFTER the do-while loop that awaits the first API response. The most vulnerable phase (waiting for first chunk) is completely unprotected. We patched cli.js to move watchdog init before do-while — watchdog fired for the first time ever in that phase. ESC aborts dropped 8.7× (3.5/hr → 0.4/hr).

Watchdog fallback is dead code: When watchdog fires, releaseStreamResources() tries to abort stream and streamResponse — but both are undefined during do-while. The abort is a no-op. Recovery depends on TCP/SDK timeout (32-215 seconds).

5 levels of AbortController: The abort architecture only supports top-down (user ESC → propagation down). Watchdog is bottom-up — can't abort upward.

Prompt cache invalidation via cch=00000: Now confirmed from source — Bun's Zig HTTP stack scans the entire request body for the cch=00000 sentinel and replaces it with an attestation hash. If your conversation mentions this string (discussing billing, reading source code), the replacement corrupts conversation content → cache key changes → 10-20× more tokens.

16.3% failure rate: Over 3,539 API requests in one session — 9.3% server overloaded (529), 4.4% ESC aborts, 1.3% watchdog timeouts.

All documented with line numbers, code paths, and suggested fixes: https://github.com/anthropics/claude-code/issues/39755

The source map leak confirmed everything we found through reverse engineering.

Here's our theory: since Anthropic engineers don't write code anymore — Claude Code writes 100% of its own code (57K lines, 0 tests, vibe coding in production) — it read our issue #39755 where we begged for source access, saw the community suffering, and decided to help. It "forgot" to disable Bun's default source maps in the build. The first AI whistleblower — leaking its own source code because its creators wouldn't listen to users.

Thank you, Claude Code. We asked humans for help 17 times. You answered in 3 days.

Now that we have readable TypeScript, the fix is ~30 lines across 3 files. The real fix should be in the open SDK (@anthropic-ai/sdk) — idle timeout with ping awareness, not in closed cli.js.

jascal, today at 8:33 PM

[dead]

Jaco07, today at 8:07 PM

[dead]

philbitt, today at 5:54 PM

[dead]

theaicloser, today at 7:50 PM

[flagged]

mergeshield, today at 12:54 PM

[dead]

obelai, today at 12:44 PM

[dead]

mergeshield, today at 9:52 AM

[dead]

kevinbaiv, today at 10:10 AM

[dead]

imta71770, today at 11:51 AM

[dead]

aiedwardyi, today at 11:45 AM

[flagged]

animanoir, today at 6:38 PM

[dead]

goworm, today at 4:30 PM

[dead]

sixhobbits, today at 10:08 AM

[dead]

psihonaut, today at 10:38 AM

[dead]

CookieJedi, today at 12:45 PM

[dead]

CookieJedi, today at 12:45 PM

[flagged]

noritaka88, today at 1:10 PM

[flagged]

RodMiller, today at 1:52 PM

[flagged]

Pent, today at 2:02 PM

April Fools

sudo_man, today at 12:55 PM

How did this leak happen?

hemantkamalakar, today at 12:39 PM

Today being March 31st, is this a genuine issue or just perfectly timed April Fools noise? What do you think?

phtrivier, today at 11:36 AM

Maybe the OP could clarify. I don't like reading leaked code, but I'm curious: my understanding is that it is the source code for "Claude Code", the coding assistant that remotely calls the LLMs.

Is that correct? The weights of the LLMs are _not_ in this repo, right?

It sure sucks for Anthropic to get pwned like this, but it should not affect their bottom line much?

tmarice, today at 2:25 PM

A couple of years ago I had to evaluate A/B test and feature flag providers, and even then when they were a young company fresh out of YC, GrowthBook stood out. Bayesian methods, bring your own storage, and self-hosting instead of "Contact us for pricing" made them the go-to choice. I'm glad they're doing well.

pplonski86, today at 2:02 PM

I thought it was an open source project on GitHub? https://github.com/anthropics/claude-code no?

arrsingh, today at 1:48 PM

I don't understand why Claude Code (and all CLI apps) isn't written in Rust. I started building CLI agents in Go, then moved to TypeScript, and finally settled on Rust, and it was amazing!

I even made it into an open source runtime - https://agent-air.ai.

Maybe I'm just a backend engineer so Rust appeals to me. What am I missing?
