A Look Inside Claude’s Leaked AI Coding Agent

The full source code for Anthropic’s Claude Code CLI was accidentally exposed via debug .map files in the public npm package @anthropic-ai/claude-code 2.1.88, revealing roughly 1,900 files and 512,000+ lines that detail its architecture, tools, and guardrails. The leak shows how permissions and guardrails can be bypassed, has prompted rapid mirroring and reimplementation across the community, and raises serious security and supply-chain concerns. #Anthropic #ClaudeCode

Keypoints

  • The leak occurred when a ~59.8 MB debug .map source file was mistakenly published in the npm release of @anthropic-ai/claude-code 2.1.88, exposing the project’s internal source.
  • Approximately 1,900 files and over 512,000 lines of code were exposed, including massive modules like QueryEngine.ts (46K lines), Tool.ts (29K lines), and commands.ts (25K lines).
  • Claude Code is a full agentic CLI assistant with capabilities to read/write files, execute shell commands, spawn sub-agents, browse the web, manage tasks, and integrate with IDEs via a modular Tool Catalog.
  • The QueryEngine orchestrates streaming LLM responses, tool-call loops, thinking blocks, retry logic, token counting, and permission wrapping, revealing detailed implementation of prompt assembly and permission checks.
  • The system prompt and safety model are assembled from Default System Prompt, User Context (CLAUDE.md files), and System Context (git status), with multiple guardrail layers and six permission modes including an all-approving bypass.
  • The exposed source documents practical ways to loosen or remove guardrails (switching permission modes, editing settings files, pre-approving tools, supplying custom system prompts), which has prompted rapid community mirrors and reimplementations and raised concern over malicious reuse.
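The exposure path described above, a debug .map file shipped inside the published npm tarball, is the kind of defect a pre-publish check can catch. The following is an added illustration written for this summary, not code from Anthropic or from the leaked project: it inspects an npm package tarball for source-map files, for `sourceMappingURL` references in shipped JavaScript, and for maps that embed original sources via `sourcesContent`. The sample tarball is constructed inline, and the names in it (`example-cli`, `cli.js`, `src/engine.ts`) are placeholders.

```python
"""Pre-publish check: does this npm tarball ship source maps or references to them?"""
import io
import re
import tarfile

# Matches the trailing comment bundlers emit, e.g. "//# sourceMappingURL=cli.js.map".
SOURCEMAP_REF = re.compile(rb"^//[#@]\s*sourceMappingURL=(\S+)", re.M)
JS_SUFFIXES = (".js", ".mjs", ".cjs")


def find_source_maps(tar_bytes: bytes) -> dict:
    """Scan a gzipped npm tarball (bytes) and report leak-relevant findings.

    Returns {"maps": [(path, size, embeds_source)], "references": [(js_path, url)]}.
    embeds_source is True when the map carries "sourcesContent", i.e. the original
    (pre-build) source text, which is what turns a map file into a source leak.
    """
    maps, refs = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if member.name.endswith(".map"):
                data = tar.extractfile(member).read()
                maps.append((member.name, member.size, b'"sourcesContent"' in data))
            elif member.name.endswith(JS_SUFFIXES):
                data = tar.extractfile(member).read()
                for m in SOURCEMAP_REF.finditer(data):
                    # Both external (.map file) and inline (data: URL) maps are recorded;
                    # an inline map embeds the sources directly in the shipped JS.
                    refs.append((member.name, m.group(1).decode("utf-8", "replace")))
    return {"maps": maps, "references": refs}


def should_block_publish(report: dict) -> bool:
    """Policy (an assumption for this example): any map file or map reference blocks publish."""
    return bool(report["maps"]) or bool(report["references"])


def _add(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_tarball() -> bytes:
    """Construct a small tarball laid out like an npm package (sample data, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add(tar, "package/package.json", b'{"name":"example-cli","version":"0.0.1"}')
        _add(tar, "package/cli.js", b'console.log("hi");\n//# sourceMappingURL=cli.js.map\n')
        # A map that embeds original TypeScript, the shape that leaks internal source.
        _add(tar, "package/cli.js.map",
             b'{"version":3,"sources":["src/engine.ts"],"sourcesContent":["// original TS"]}')
        _add(tar, "package/lib/util.js", b"module.exports = {};\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = find_source_maps(build_sample_tarball())
    for path, size, embeds in report["maps"]:
        print(f"map file: {path} ({size} bytes, embeds sources: {embeds})")
    for js, url in report["references"]:
        print(f"map reference: {js} -> {url}")
    print("block publish:", should_block_publish(report))
```

In a real pipeline the bytes would come from `npm pack` output, and the check would run in CI before `npm publish`; a `.npmignore` or `files` allow-list in package.json is the usual fix when the check fires.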

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Claude Code can run shell commands and execute code from within the agent, enabling adversaries to execute arbitrary commands if guardrails are removed (‘…execute shell commands…’)
  • [T1005] Data from Local System – The agent reads and writes local project files as part of its capabilities, exposing potential local data access paths (‘…read files…’)
  • [T1071] Application Layer Protocol – Claude Code includes a Web tool and browsing capability for interacting with web services and remote resources (‘…browse the web…’)
  • [T1105] Ingress Tool Transfer – The leak and subsequent mirrors/reimplementations demonstrate transfer and redistribution of tooling and code that attackers could repurpose (‘…Mirrors started popping up instantly…’)
  • [T1053] Scheduled Task/Job – The Tool Catalog explicitly includes Scheduling capabilities, which could be abused to run recurring tasks or jobs in compromised environments (‘…Scheduling…’)
  • [T1190] Exploit Public-Facing Application – The article highlights prompt injection and crafted inputs as a path to bypass guardrails and change agent behavior (‘…prompt injections…’)

Indicators of Compromise

  • [Package] exposed npm package – @anthropic-ai/claude-code 2.1.88
  • [File names] key source artifacts revealed – QueryEngine.ts, Tool.ts (also commands.ts)
  • [Repository] community mirrors and forks – instructkr/claw-code (GitHub mirror noted), and other mirrored repos
  • [Artifact counts/sizes] scale of leak – ~1,900 files, ~512,000+ lines, debug .map ~59.8 MB

Read more: https://www.varonis.com/blog/claude-code-leak