The Great Claude Code Leak of 2026: Accident, Incompetence, or the Best PR Stunt in AI History?

TL;DR: On March 31, 2026, Anthropic accidentally shipped the entire source code of Claude Code to the public npm registry via a single misconfigured debug file. 512,000 lines. 1,906 TypeScript files. 44 hidden feature flags. A Tamagotchi pet. And one very uncomfortable question: was it really an accident? 1. What Actually Happened The Root Cause: One Missing Line in .npmignore This is both the most embarrassing and most instructive part of the story. Let me walk through the technical chain of events. When you publish a JavaScript/TypeScript package to npm, your build toolchain (Webpack, esbuild, Bun, etc.) optionally generates source map files , which have a .map extension. Their entire purpose is debugging: they bridge the gap between the minified, bundled production code and your original readable source. When a crash happens, a source map lets the stack trace point to your actual TypeScript file at line 47 rather than main.js:1:284729 . Source maps are strictly for internal debuggin