512,000 Lines of Claude Code Leaked Through a Single .npmignore Mistake
Source: DEV Community
On March 31, 2026, Anthropic published version 2.1.88 of their @anthropic-ai/claude-code package to the npm registry. Within hours, developers noticed something unusual: the package had ballooned to 59.8MB, roughly six times its normal size. The reason was a source map file — a .map file that contained the complete, unminified TypeScript source code for the entire Claude Code CLI. All 1,900 files. All 512,000 lines. Every internal function name, every comment, every feature flag.

I spent the past two days analyzing what those 512,000 lines reveal about how Anthropic builds its most important developer tool. This is what I found.

How a Build Configuration Error Exposed Everything

The mechanism is almost painfully simple. When you publish a package to npm, a file called .npmignore tells the registry which files to exclude. Source maps — the .map files that let debuggers trace minified code back to its original source — are routinely excluded from production packages because they contain
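
A pre-publish check for the failure described above, as an added example that is not from the original article or from Anthropic: it scans the files that would go into a package tarball and flags source maps, either external `.map` files or inline `data:` URIs, whose `sourcesContent` field embeds original source. The function names and the sample files are constructed for illustration.

```javascript
// Added example; file names and contents below are constructed sample data.
// Summarise what one parsed source map would disclose if published.
function inspectSourceMap(map) {
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embedded = contents.filter((c) => typeof c === "string");
  return {
    sources: Array.isArray(map.sources) ? map.sources.length : 0,
    embeddedFiles: embedded.length,
    embeddedLines: embedded.reduce((n, c) => n + c.split("\n").length, 0),
  };
}

// Return the JSON of an inline (data: URI) source map in a JS file, or null.
function extractInlineMap(js) {
  const re = /\/\/[#@] sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+\/=]+)\s*$/;
  const m = re.exec(js);
  return m ? Buffer.from(m[1], "base64").toString("utf8") : null;
}

// files: [{ path, content }] as they would appear in the packed tarball.
function auditPackage(files) {
  const findings = [];
  for (const { path, content } of files) {
    let raw = null;
    if (path.endsWith(".map")) raw = content;
    else if (/\.[cm]?js$/.test(path)) raw = extractInlineMap(content);
    if (raw === null) continue;
    try {
      const info = inspectSourceMap(JSON.parse(raw));
      if (info.embeddedFiles > 0) findings.push({ path, ...info });
    } catch {
      findings.push({ path, error: "unparseable source map" });
    }
  }
  return findings;
}

// Constructed sample: one map with embedded source, one without, one inline.
const original = "export function secret() {\n  return 42;\n}\n";
const withSource = JSON.stringify({ version: 3, sources: ["../src/cli.ts"],
  sourcesContent: [original], mappings: "AAAA" });
const refOnly = JSON.stringify({ version: 3, sources: ["../src/util.ts"], mappings: "AAAA" });
const SAMPLE_FILES = [
  { path: "package/cli.js", content: "run();\n//# sourceMappingURL=cli.js.map\n" },
  { path: "package/cli.js.map", content: withSource },
  { path: "package/util.js.map", content: refOnly },
  { path: "package/inline.js", content: "run();\n//# sourceMappingURL=data:application/json;base64,"
      + Buffer.from(withSource).toString("base64") + "\n" },
];
console.log(auditPackage(SAMPLE_FILES));
```

A map that only lists `sources` without `sourcesContent` is not flagged, because it names the original files without carrying their text; a CI job can fail the publish step when `auditPackage` returns any finding.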