Claude Code's Source Didn't Leak. It Was Already Public for Years.

I build a JavaScript obfuscation tool (AfterPack), so when the Claude Code "leak" hit VentureBeat, Fortune, and The Register this week, I did what felt obvious — I analyzed the supposedly leaked code to see what was actually protected.

I wrote a detailed breakdown on the AfterPack blog. Here's the core of it.

What Happened

A source map file — a standard debugging artifact defined in ECMA-426 — was accidentally included in version 2.1.88 of the @anthropic-ai/claude-code package on npm. Security researcher Chaofan Shou spotted it, and within 24 hours a clean-room Rust rewrite hit 110K GitHub stars and a breakdown site (ccleaks.com) cataloged every hidden feature.

This is the second time — a nearly identical source map leak happened in February 2025.

The Code Was Already There

Claude Code ships as a single bundled cli.js on npm — 13MB, 16,824 lines of JavaScript. It's been publicly accessible since launch. You can view it right now at unpkg.com.

I analyzed it. It's minified, not obfuscated. Here's what that means in practice:

Technique Present?

Variable name mangling Yes (standard minification)

Whitespace removal Yes (standard minification)

String encryption/encoding No

Control flow flattening No

Dead code injection No

Self-defending / anti-tamper No

Property name mangling No

All 148,000+ string literals sit in plaintext — system prompts, tool descriptions, behavioral instructions.

I Asked Claude to Deobfuscate Itself

This is the part that got me. I pointed Claude — Anthropic's own model — at its own minified cli.js and it just... explained it.

Using AST-based extraction, we parsed the full 13MB file in 1.47 seconds and pulled out 147,992 strings. System prompts, tool descriptions, 837 telemetry events (all prefixed with tengu_ — Claude Code's internal codename), 504 environment variables, a DataDog API key._

Geoffrey Huntley published a full cleanroom transpilation of Claude Code months before this leak using a similar approach — LLMs converting minified JS to readable TypeScript. His deobfuscation repo on GitHub demonstrates the technique.

What Source Maps Actually Added

To be fair, source maps did surface some genuinely sensitive stuff:

• Internal code comments and TODOs

• The full 1,884-file project tree with original filenames

• Feature flags with codenames like tengu_amber_flint and tengu_cobalt_frost

• KAIROS — an unreleased autonomous daemon mode

• Anti-distillation mechanisms that inject decoy tools to poison training data

That's real exposure. But the actual code logic was already there in cli.js.

This Happens Everywhere

I ran our Security Scanner on GitHub.com and found email addresses and internal URLs in their production JavaScript and source maps. Same with claude.ai. Same class of exposure, zero headlines.

AI Makes This Urgent

The reality is simple: minification was never security. It's a size optimization that bundlers like esbuild, Webpack, and Rollup do by default. Variable renaming slows down human readers but LLMs read minified code like you read formatted code.

System prompts are the new trade secrets. Telemetry names reveal product roadmaps. Environment variables expose what you're not ready to ship. And every JavaScript application — React frontends, Electron apps, Node.js CLIs — ships code that AI can now analyze trivially.

You can check what your site exposes: npx afterpack audit https://your-site.com

Originally published on AfterPack.