Leaked 60MB map shows roadmap

Anthropic accidentally shipped a 59.8 megabyte source-map file with Claude Code on March 31, exposing roughly 512,000 lines of internal TypeScript. (infoq.com) A source map is a debugging file that points bundled app code back to the original files developers wrote. In this case, version 2.1.88 of the `@anthropic-ai/claude-code` package included that map in the public npm release. (xda-developers.com) InfoQ reported the map referenced a ZIP archive in Anthropic cloud storage, making the unobfuscated code directly downloadable. Security researcher Chaofan Shou spotted the issue on March 31, and mirrors appeared on GitHub within hours. (infoq.com) Anthropic told CNBC that “no sensitive customer data or credentials were involved or exposed” and called it “a release packaging issue caused by human error, not a security breach.” Boris Cherny, who leads Claude Code, said there had been a manual deploy step that should have been automated. (cnbc.com, itpro.com) Claude Code is Anthropic’s terminal-based coding agent, and Anthropic says it can read a codebase, edit files, run tests, and deliver committed code. Anthropic also says the product is already used at scale inside companies including Stripe and Ramp. (anthropic.com) That made the leak more than a packaging mistake: it exposed how one of the most watched coding agents is assembled. Ars Technica reported the published package pointed to almost 2,000 files, turning a routine update into a public look at Anthropic’s agent design. (arstechnica.com) The clearest lesson is what a source map actually reveals. Developers could already inspect minified JavaScript, but InfoQ noted that full TypeScript with original names, comments, and module structure gives a much clearer picture of prompts, orchestration, and internal tooling. (infoq.com) XDA said the leaked code appeared to show unreleased work on an always-on background agent called Kairos. The same report said the code also pointed to other in-development features that Anthropic had not announced publicly. (xda-developers.com) Some of the leaked ideas also line up with features Anthropic is already documenting in public. Claude Code’s docs describe hooks that can run shell commands, Hypertext Transfer Protocol endpoints, or language-model prompts at events such as `PreToolUse`, `PostToolUse`, `SubagentStart`, and `TaskCreated`. (code.claude.com) Anthropic’s public GitHub repository also shows the product already spans the terminal, integrated development environments, GitHub tagging, plugins, and custom commands, with npm installation now marked deprecated. The leak filled in details around a product Anthropic was already pushing into broader developer workflows. (github.com) The code is no longer news because it was secret; it is news because a single debug artifact exposed the roadmap of a fast-moving developer product in one upload. Anthropic says it is adding safeguards to prevent the same release mistake from happening again. (cnbc.com, infoq.com)