On this page
The 65 Open Source Packages Behind the Claude Code Leak
On March 31, 2026, the Claude Code source code was exposed via a stray .map file in the npm registry (tweet by @Fried_rice). The codebase is 1,884 TypeScript files totaling 512,664 lines of code. While Claude Code is Anthropic's proprietary product, it relies on 65 third-party npm packages (excluding Anthropic's internal @ant/* packages).
Almost April Fools'
Three things happened on March 31, 2026:
- The Claude Code source code leaked.
- The axios npm package was compromised by a North Korea-nexus threat actor, planting a remote access trojan in one of the most popular npm packages — one that Claude Code depends on with 57+ imports. Claude Code is distributed as a bundled Bun executable, not raw npm dependencies, so end users are likely safe. The risk falls on Anthropic's build pipeline if a
npm installhappened during the ~3 hour attack window. - Anthropic's April Fools' surprise was spoiled. The hidden
/buddyTamagotchi companion, with its hardcoded saltfriend-2026-401, was meant to debut the next day. The leak revealed it one day early.
Life of a Query
For engineers building similar AI-powered CLI tools, here are the design choices that shape Claude Code. The life of a query traces through all of them:
User types "fix the bug in auth.ts"
│
▼
① Messages [] ← append UserMessage
│
▼
② System Prompt assembled (tools, context, memory)
│
▼
③ Claude API (streaming response)
│
▼
④ AssistantMessage with tool_use blocks
e.g. [Read("auth.ts"), Edit("auth.ts", ...)]
│
▼
⑤ Permission Layer (per tool call)
Read("auth.ts") → read-only → auto-approve
Edit("auth.ts") → write → ask user
│
▼
⑥ Tool Execution
Zod validates input → execute → Zod validates output
Read-only tools run in parallel, writes run serial
│
▼
⑦ Messages [] ← append ToolResultMessages
│
▼
Loop back to ② with updated messages
... until no more tool calls
│
▼
⑧ React + Ink renders to terminal
Components → React Reconciler → Yoga Layout → Terminal
①⑦ Messages as the Single Source of Truth. The conversation log (Message[]) is the universal data model. File change history, permission decisions, tool results, compaction boundaries — all live as immutable, append-only messages. Resuming a session is replaying messages. Forking a sub-agent is cloning messages. The entire system is debuggable — every action leaves a trace.
③⑥ Schema-First Design. Three schema systems, each guarding a different boundary: Zod for runtime validation (tools, config, API responses), Protocol Buffers for the analytics pipeline (source of truth for BigQuery), and Ajv for JSON Schema in structured output. The schema is the contract — a new tool gets input validation, type inference, and API serialization for free just by declaring a schema.
⑤ Permissions as Middleware. The permission system intercepts between input validation and tool execution. Three stages: (1) a classifier auto-approves low-risk operations, (2) hooks can approve/block programmatically, (3) the user sees a dialog. Every tool declares whether an operation is read-only or destructive — the Bash tool classifies individual commands (git status is read-only, git push is not). This read/write separation is enforced by the permission layer, not advisory. Every decision is logged as an immutable message.
④⑥ Declarative Tool Pipeline. Each tool is a ToolDef object that buildTool() transforms into a full Tool with a unified pipeline: schema validation → permission check → execution → result rendering. Tools also declare isReadOnly() and isConcurrencySafe() — the orchestrator uses these to run safe tools in parallel and to let read-only tools bypass permission prompts. Adding a new tool means implementing one interface.
⑧ React for Composable Terminal UI. Using React for a CLI is about composition. Permission dialogs, file diffs, tool progress, and markdown rendering all compose as React components with shared state via context. The UI is a pure function of state. Ink and Yoga are vendored as pure TypeScript — zero native dependencies, enabling single-binary deployment across platforms.
Build-Time Feature Gating. One design choice that doesn't appear in the query flow but shapes the entire codebase: Bun's feature() from bun:bundle (196+ usages) strips code paths at bundle time. Internal features are physically absent from public builds, not hidden behind runtime flags. Ironically, it's the pre-bundled source code that leaked, not the bundled output — so all the internal feature gates that were meant to be stripped are laid bare in the leak.
Build your own. To build a similar AI-powered CLI tool, here's the minimal stack mirroring Claude Code's architecture:
| Module | Open Source Project |
|---|---|
| JavaScript runtime + bundler | Bun |
| CLI argument parsing | Commander.js |
| AI API client | @anthropic-ai/sdk |
| Schema validation (tool I/O, config) | Zod |
| Terminal rendering + permission prompts | React + Ink + chalk |
| Child process execution (Bash tool) | execa |
| File diffing (Edit tool) | diff |
The Sindre Sorhus Ecosystem
Sindre Sorhus is arguably the most prolific open source individual on GitHub, maintaining 1,100+ npm packages with 2 billion downloads per month. 12 of Claude Code's 65 npm dependencies trace back to him.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| chalk | Terminal string styling | 23.1K | MIT | 2013-08-03 |
| strip-ansi | Remove ANSI escape codes | 505 | MIT | 2013-12-07 |
| wrap-ansi | Word-wrap ANSI text | 136 | MIT | 2015-08-19 |
| figures | Unicode symbols | 623 | MIT | 2014-07-10 |
| cli-boxes | Box drawing characters | 108 | MIT | 2016-03-01 |
| indent-string | String indentation | 116 | MIT | 2014-06-06 |
| execa | Child process execution | 7.5K | MIT | 2015-12-05 |
| env-paths | Cross-platform paths | 439 | MIT | 2016-06-21 |
| p-map | Concurrent promises | 1.5K | MIT | 2016-10-21 |
| auto-bind | Method binding | 463 | MIT | 2016-08-09 |
| type-fest | TypeScript utility types | 17.0K | CC0-1.0 | 2019-03-13 |
| get-east-asian-width | CJK character width | 46 | MIT | 2023-10-28 |
The Hidden Tamagotchi /buddy
The src/buddy/ directory contains an Easter egg: a Tamagotchi-style companion that lives in the terminal. Type /buddy and an ASCII creature hatches beside your input box.
Each companion is deterministically generated using a seeded PRNG (Mulberry32). The seed is hash(userId + "friend-2026-401") — your OAuth account UUID (or local user ID, or 'anon') concatenated with a hardcoded salt. The 401 is April 1st — April Fools' Day. This determines everything: species, eyes, hat, rarity, and stats. You can't reroll — what you get is yours. Anthropic could reroll everyone by changing the salt.
18 species: duck, goose, blob, cat, dragon, octopus, owl, penguin, turtle, snail, ghost, axolotl, capybara, cactus, robot, rabbit, mushroom, chonk.
Rarity system with gacha-style weights:
| Rarity | Weight | Stars |
|---|---|---|
| Common | 60% | ★ |
| Uncommon | 25% | ★★ |
| Rare | 10% | ★★★ |
| Epic | 4% | ★★★★ |
| Legendary | 1% | ★★★★★ |
Non-common companions get hats (crown, tophat, propeller, halo, wizard, beanie, tinyduck). There's a 1% chance of being shiny. Each companion has RPG stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK — with one peak stat and one dump stat, floors scaled by rarity.
The companion has a "soul" (name + personality) generated by the model on first hatch. Bones (species, rarity, stats) are regenerated from hash(userId) on every read — they never persist — so users can't edit their config to fake a legendary.
The sprite is a React component rendered through the vendored Ink terminal renderer, with speech bubbles built with cli-boxes and floating hearts using figures.
Here's mine — though I wish the stats were a radar chart:
❯ /buddy
╭──────────────────────────────────────╮
│ │
│ ★ COMMON AXOLOTL │
│ │
│ }~(______)~{ │
│ }~(× .. ×)~{ │
│ ( .--. ) │
│ (_/ \_) │
│ │
│ Spindle │
│ │
│ "A perpetually unimpressed axolotl │
│ who spots your bugs immediately │
│ but won't tell you where they are, │
│ just sighs and mutters cutting │
│ remarks until you cry." │
│ │
│ DEBUGGING ██░░░░░░░░ 22 │
│ PATIENCE ░░░░░░░░░░ 3 │
│ CHAOS ████░░░░░░ 39 │
│ WISDOM ████░░░░░░ 42 │
│ SNARK ██████░░░░ 55 │
│ │
╰──────────────────────────────────────╯
187 Ways to Say "Working on It"
* Gitifying…
I kept a note of the different verbs Claude Code shows while thinking. Turns out there are exactly 187 — from Accomplishing to Zigzagging, with stops at Clauding, Flibbertigibbeting, Moonwalking, and Prestidigitating along the way. All defined in src/constants/spinnerVerbs.ts. One reason I like Claude Code: it always keeps you in the loop, telling you it's busy — in creative ways. Reading the source, I noticed the code supports adding your own via settings.spinnerVerbs.
Then there's src/constants/turnCompletionVerbs.ts. When a turn finishes, Claude Code picks from just 8 verbs: Baked, Brewed, Churned, Cogitated, Cooked, Crunched, Sautéed, Worked.
187 ways to describe the journey. 8 ways to describe the destination. Many paths, few outcomes.
When Your Dependency Gets Acquired
Statsig -> GrowthBook (Sep 2025) — OpenAI acquired Statsig in September 2025. Overnight, Anthropic's feature flagging service was owned by its biggest competitor. The codebase shows the response: an active migration to GrowthBook, which raised $23.1M and remains independent (at least for now).
Bun: Acquired by Anthropic (Dec 2025) — Three months later, Anthropic made its own move. It acquired Bun — the JavaScript runtime Claude Code runs on — shortly after hitting $1B in run-rate revenue. Having just been burned by a competitor acquiring a key dependency, Anthropic decided to own its runtime outright. Bun remains open-source and MIT-licensed, but the supply chain risk is now Anthropic's to control.
Leak or Gift?
There's a conspiracy theory circulating that Anthropic leaked the source on purpose. We doubt it — exposing 512K lines of proprietary code via a stray .map file doesn't feel like a PR play. Unless the whole script was written by Claude itself. Unconventionally brilliant.
Anthropic loses nothing. A codebase snapshot is a photograph, not the photographer. The moat was never the code — it's the team and culture shipping it, and the pace at which they continuously deliver.
What the rest of us got is more valuable: a thoughtful, real-world reference architecture for AI-powered CLI tools, built on 65 open source packages.
Appendix: All 65 Open Source Dependencies by Directory
The src/ directory has 36 top-level folders. Here are the 65 third-party npm packages we identified, organized by directory.
src/
├── ink/ # Terminal UI (vendored Ink + React)
├── native-ts/ # Vendored pure-TS ports (Yoga, color-diff)
├── cli/ # CLI entry & argument parsing
├── services/
│ ├── api/ # Anthropic API client
│ ├── mcp/ # Model Context Protocol
│ ├── lsp/ # Language Server Protocol
│ ├── analytics/ # Telemetry & BigQuery export
│ ├── oauth/ # OAuth flows
│ └── ...
├── tools/ # 40+ tool implementations (Bash, Read, Edit, Grep, ...)
├── components/ # React UI components
├── hooks/ # React hooks
├── voice/ # Voice input (speech-to-text)
├── utils/ # Shared utilities
├── schemas/ # Zod validation schemas
├── buddy/ # Hidden Tamagotchi companion
└── ...
ink/ — The src/ink/ directory (60+ files) is a vendored reimplementation of Ink, built on react-reconciler — not the ink npm package. TUI components use React hooks, rendered to the terminal instead of the DOM.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| react | UI framework (753+ imports) | 244.4K | MIT | 2013-05-24 |
| react-reconciler | Custom React renderer | ¹ | MIT | ¹ |
| chalk | Terminal string styling (47+ imports) | 23.1K | MIT | 2013-08-03 |
| figures | Unicode symbols (89+ imports) | 623 | MIT | 2014-07-10 |
| strip-ansi | Remove ANSI escape codes | 505 | MIT | 2013-12-07 |
| @alcalzone/ansi-tokenize | Tokenize ANSI sequences | 5 | MIT | 2023-03-17 |
| wrap-ansi | Word-wrap ANSI text | 136 | MIT | 2015-08-19 |
| cli-boxes | Box drawing characters | 108 | MIT | 2016-03-01 |
| supports-hyperlinks | Detect terminal hyperlink support | 55 | MIT | 2017-11-28 |
| indent-string | String indentation | 116 | MIT | 2014-06-06 |
¹ Part of the facebook/react monorepo — stars and created date are shared with React above.
native-ts/ — Two libraries rewritten in pure TypeScript to avoid native dependencies.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| Yoga (vendored) | Meta's flexbox layout engine for terminal layouts | 18.8K | MIT | 2014-04-07 |
| color-diff (vendored) | ANSI color matching | 372 | — | 2012-03-23 |
cli/ — CLI argument parsing with TypeScript type safety. Runs on Bun instead of Node.js, using bun:bundle feature flags for dead code elimination (196+ usages).
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| Commander.js | CLI argument parsing | 28.1K | MIT | 2011-08-14 |
| Bun | JavaScript runtime + bundler | 88.7K | — | 2021-04-14 |
services/api/ — Communication with AI model providers.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| @anthropic-ai/sdk | Anthropic API client (113+ imports) | 1.8K | MIT | 2023-01-30 |
| @anthropic-ai/claude-agent-sdk | Agent capabilities | ² | MIT | ² |
| @aws-sdk/client-bedrock-runtime | AWS Bedrock | 3.6K | Apache-2.0 | 2017-04-04 |
| axios | HTTP client (57+ imports) | 109.0K | MIT | 2014-08-18 |
| https-proxy-agent | Enterprise proxy support | 1.1K | — | 2013-07-09 |
² TypeScript SDK repo (anthropics/claude-agent-sdk) is not publicly available. The Python SDK has 6.1K stars (created 2025-06-11).
services/mcp/ — Connecting to external tools and data sources.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| @modelcontextprotocol/sdk | MCP client/server, stdio transport, OAuth | 12.1K | — | 2024-09-24 |
services/lsp/ — Code intelligence: diagnostics, completions, and symbol information.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| vscode-languageserver-protocol | Language Server Protocol client | 1.7K | MIT | 2015-09-03 |
| vscode-languageserver-types | LSP type definitions | ³ | MIT | ³ |
| vscode-jsonrpc | JSON-RPC for LSP | ³ | MIT | ³ |
³ Part of the microsoft/vscode-languageserver-node monorepo.
services/analytics/ — Telemetry and experimentation. 8 OpenTelemetry packages export metrics to BigQuery every 5 minutes. GrowthBook handles feature flags, actively migrating from Statsig.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| @opentelemetry/* | 8 packages: api, api-logs, core, resources, sdk-logs, sdk-metrics, sdk-trace-base, semantic-conventions | 3.3K ⁴ | Apache-2.0 | 2019-05-10 ⁴ |
| GrowthBook | Feature flags and A/B testing | 7.6K | — | 2021-05-07 |
⁴ From the opentelemetry-js monorepo.
services/oauth/ — Authentication flows.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| google-auth-library | Vertex AI and Google Cloud | 1.9K | Apache-2.0 | 2015-02-11 |
| qrcode | QR code generation | 8.1K | MIT | 2010-12-21 |
schemas/ — Runtime validation.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| Zod v4 | Schema validation (125+ imports) | 42.3K | MIT | 2020-03-07 |
| Ajv | JSON Schema validation for structured output | 14.7K | MIT | 2015-05-19 |
tools/ — 40+ tool implementations (Bash, Read, Write, Edit, Grep, Glob, etc.).
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| diff | File edit diffing (20+ imports) | 9.1K | BSD-3-Clause | 2011-03-29 |
| highlight.js | Syntax highlighting | 24.9K | BSD-3-Clause | 2011-01-01 |
| marked | Markdown parsing | 36.8K | — | 2011-07-24 |
| fuse.js | Fuzzy search | 20.1K | Apache-2.0 | 2012-05-28 |
| code-excerpt | Snippet extraction | 9 | MIT | 2016-11-13 |
| execa | Child process execution (24+ imports) | 7.5K | MIT | 2015-12-05 |
| tree-kill | Kill process trees | 0 | MIT | 2015-05-05 |
| chokidar | File watching | 12.1K | MIT | 2012-04-20 |
| proper-lockfile | File locking | 273 | MIT | 2014-07-12 |
| ignore | .gitignore pattern matching |
494 | — | 2013-09-01 |
| picomatch | Glob matching | 1.2K | MIT | 2018-11-05 |
components/ & hooks/ — React UI components.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| usehooks-ts | useInterval, useDebounceCallback, useEventCallback |
7.8K | MIT | 2020-04-15 |
| asciichart | ASCII charts | 2.1K | MIT | 2017-02-10 |
| stack-utils | Stack trace formatting | 197 | MIT | 2016-01-04 |
voice/ — Voice input via speech-to-text.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| ws | WebSocket streaming | 22.7K | MIT | 2011-11-09 |
utils/ — Shared utilities.
| Package | Purpose | Stars | License | Created |
|---|---|---|---|---|
| lodash-es | Utility functions (65+ imports) | 61.5K | — | 2012-04-07 |
| semver | Version checks | 5.4K | ISC | 2011-02-12 |
| shell-quote | Safe shell quoting | 54 | MIT | 2022-10-10 |
| lru-cache | Caching | 5.9K | BlueOak-1.0.0 | 2010-05-21 |
| env-paths | Cross-platform paths (~/.claude/) |
439 | MIT | 2016-06-21 |
| p-map | Concurrent promises | 1.5K | MIT | 2016-10-21 |
| auto-bind | Method binding | 463 | MIT | 2016-08-09 |
| signal-exit | Graceful shutdown | 201 | BlueOak-1.0.0 | 2015-05-16 |
| type-fest | TypeScript utility types | 17.0K | CC0-1.0 | 2019-03-13 |
| emoji-regex | Emoji detection | 1.9K | MIT | 2014-09-28 |
| get-east-asian-width | CJK character width | 46 | MIT | 2023-10-28 |
| bidi-js | Bidirectional text | 48 | MIT | 2021-04-13 |
| xss | Sanitization | 5.3K | — | 2012-09-18 |
| jsonc-parser | JSON with comments parser | 739 | MIT | 2016-04-18 |
