Claude Code leaked. The entire source. Over 500,000 lines of TypeScript shipped inside an npm package that was never supposed to contain them. And yes, within 48 hours, someone got Doom running on the CLI. But then things got recursive: someone got Codex running inside Doom.
On March 31, 2026, Anthropic accidentally shipped the complete source code for Claude Code inside their npm package. Version 2.1.88 of @anthropic-ai/claude-code included a 59.8 MB JavaScript source map file that exposed roughly 513,000 lines of unobfuscated TypeScript across 1,906 files. Within hours, the codebase was pulled from Anthropic’s Cloudflare R2 bucket, mirrored to GitHub, and forked tens of thousands of times.
Anthropic confirmed it quickly: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed.” The company said it is reviewing steps to prevent similar human errors going forward. No customer data was at risk and no credentials were exposed. It was a source map mistake, not a breach.
What Was Actually in the Leak
The exposed file was the client-side agent harness for Claude Code, not server infrastructure or model weights. Security researcher Chaofan Shou publicly disclosed the leak on X, and the post reached more than 27 million users. That kind of reach meant the codebase spread faster than Anthropic could have reasonably contained it.
The contents were not some proprietary AI secret. It was the tooling, the CLI scaffolding, the agent harness. Useful for understanding how Claude Code works under the hood, but not the kind of thing that hands someone a frontier model or compromises a customer account.
48 Hours of Experimentation
Developers moved fast once the source was out. Within 48 hours there were Python and Rust rewrites, people running OpenAI models through the Claude Code interface, and encoded images and videos of the source code itself. But the one that stood out was Ben Davis getting Doom running on the Claude Code CLI. That was the highlight of the post-leak experimentation window, at least according to @singh__chanmeet on X, who called it their favorite hack amid all the rewrites and integrations happening in real time.
The CLI Doom hack was a direct product of having full, editable, locally runnable source code. With the source in hand, the agent harness becomes a sandbox. You can wire it up to anything. Doom is the traditional stress test for any new runtime environment, and Claude Code passed.
doom-mcp: The Pre-Existing Integration
It is worth separating the post-leak CLI experiment from a tool called doom-mcp, which existed before the leak and does something more structured. doom-mcp embeds the real DOOM engine via Rust FFI and connects it to Claude Code and other MCP-compatible clients like Cursor through an MCP server. You can run it with a single command:
claude mcp add doom -- npx -y doom-mcpIt ships with Freedoom out of the box and optionally supports the original DOOM1.WAD shareware file. There are two play modes: user-directed, where you give commands, and autonomous, where the AI makes all the decisions. It works by calling doomgeneric_Tick() directly and reading the frame buffer in memory. That is a proper integration built intentionally. The post-leak CLI Doom run was a different thing, more of an improvised hack using the newly accessible source.
You can see it running here:
Doom Can Also Run Codex
Claude Code running Doom is one thing. Dominik Kundel at OpenAI went the other direction: he had Codex put itself inside Doom. Not as an overlay, not as an HTML terminal slapped on top of the game window, but as an actual rendered terminal inside the DOOM engine itself. You can walk up to it in the game, interact with it, and ask it to do tasks, including tasks in your actual codebase.
The setup used an Electron app wrapping a fork of Cloudflare’s doom-wasm implementation, with Freedoom Phase 2 as the game data. Codex connected through its own app server, a JSON-RPC server that already powers the Codex app, IDE extensions, the Xcode and JetBrains integrations, and a Claude Code plugin for Codex that OpenAI released the same week. The WAD file was patched to include a custom Codex terminal texture. A bespoke codex_terminal.c handles rendering inside the engine. Codex also added hooks into the game state so it could read player health and grant weapons.
Codex built the whole thing in a single thread: 205 million tokens, roughly six hours and forty minutes across multiple turns, with the longest single turn running about an hour. Kundel said he was not at his computer for most of it and only checked in occasionally to ask for more features. At one point he walked back over because he heard gunshots and grunting from his laptop. Codex had been playing the game to test its own work.
The texture verification sequence is worth dwelling on. Kundel gave Codex the logo as image input and asked it to render a Codex-branded terminal texture inside the game. Codex went away for 52 minutes, generated textures, patched the WAD file, launched the game, took screenshots of the wall from multiple angles, noticed the logo was distorted, and corrected it without being asked. Nobody asked it to verify from multiple angles. It decided that on its own.
You can find the full writeup and demo at Dominik Kundel’s post on X.
The Malware That Followed
Within the same window, malicious actors were already capitalizing on the attention. Security researchers found a fake “Claude Code leak” repository on GitHub distributing a ZIP archive named “Claude Code – Leaked Source Code” containing a file called ClaudeCode_x64.exe. That file was a Rust-based dropper that deployed Vidar v18.7, an information stealer, alongside GhostSocks, a network traffic proxy.
This is a standard playbook. High-profile software events generate search traffic, and attackers seed fake repositories to catch people searching for the leaked files. If you were looking for the leaked source at the time, this was a real risk. The fake repositories were circulating fast enough that anyone moving quickly could have easily grabbed the wrong thing.
What This Actually Says About Claude Code
The leak itself is a human error story. Someone forgot to exclude a source map from a production build. That happens. The more telling part is what developers did with it in under 48 hours. Rewrites in two different languages, cross-compatibility with OpenAI models, and Doom running in the CLI. That is a fast turnaround for a codebase nobody was supposed to have.
For anyone following the Claude Code tooling space, the doom-mcp integration was already a sign that the MCP ecosystem was getting genuinely interesting well before this incident. If you want context on the broader Claude release trajectory, the full Claude launch timeline since January 2026 covers how quickly the tooling has been moving. And if you want to look at a different kind of Anthropic exposure, the Claude Mythos leak post covers a separate incident with its own set of concerns.
The source map will get excluded from future builds. The Doom runs will be remembered longer.