Anthropic's Claude Code CLI Source Code Leaked via npm Blunder
A misconfigured npm package accidentally exposed the full TypeScript source code of Anthropic's proprietary Claude Code CLI tool.
Anthropic has an embarrassing security slip on its hands. A researcher discovered that the company's Claude Code CLI tool — its command-line interface for interacting with Claude — had its entire TypeScript source code exposed to the public.
The culprit? A misconfigured npm package. The proprietary codebase was essentially sitting in the open for anyone curious enough to look.
For a company building frontier AI systems and positioning itself as a safety-focused leader, leaking its own source code through a packaging mistake is not a great look. npm misconfigurations are a known footgun in the JavaScript ecosystem, but you'd expect tighter controls from a company of Anthropic's caliber.
The exposure raises questions about what internal implementation details, API patterns, or architectural decisions may now be in the wild. No word yet from Anthropic on remediation steps.