cross-posted from: https://lemmy.world/post/45050923
The internet is on fire over Claude Code's (NPM CLI to be precise) "leaked" source. 512,000 lines! Feature flags! System prompts! Unreleased features! VentureBeat, Fortune, Gizmodo, The Register, Hacker News - everyone covered it. A clean-room Rust rewrite (to dodge the DMCA) hit 100K GitHub stars in nearly a day - a world record. 110K now and counting.
Here's what nobody's saying: all of that was already public! On npm. In plaintext. For years.
Open unpkg.com/@anthropic-ai/claude-code/cli.js right now - that's the entire Claude Code CLI, one click away, readable in your browser. No leak required.What "leaked" was a source map file that added internal developer comments on top of code that was never protected in the first place, plus a directory/source structure...
But the Code Was Already There Here's what most of the coverage missed: Claude Code ships as a single bundled JavaScript file - cli.js - distributed via npm. It's 13MB, 16,824 lines of JavaScript. And it's been sitting there, publicly accessible, since the product launched...
We Asked Claude to Deobfuscate Itself...
Source: https://www.afterpack.dev/blog/claude-code-source-leak [web-archive]
---
Partial de-obfuscation is sure possible today, yet still, it's inadequately time-consuming nowadays, and normally it's still impossible to recreate an original structure enough to consider complete, I believe.
Some tried to use the fairly advertized tool for Discord's app, and the result was the following (+screenshot):
- https://www.afterpack.dev/security-scanner/xml6xm2iyia0
