Is the Claude Code leak caused by a bug in Bun? The Bun founder denied it and immediately locked the post.

According to 1M AI News monitoring, the Claude Code source code leak incident has triggered a chain of attribution. Developer jakeg asked a question in Bun’s GitHub issue #28001: Claude Code is built with Bun, and Bun has a known bug (Bun.serve() still provides source map files in production mode). Could this be the root cause of the leak? The comments quickly received nearly a hundred emoji reactions, and a large number of developers rushed to join the follow-up.

In December 2025, Anthropic acquired Bun. The acquisition announcement said, “Bun is a key part of the expansion process for Claude Code infrastructure.” Jarred Sumner and his team joined Anthropic following the acquisition. Jarred Sumner then personally responded: “This has nothing to do with Claude Code. This bug is for Bun’s frontend development server. Claude Code is not a frontend application; it’s a TUI (terminal user interface) program, and it doesn’t use Bun.serve() to compile single-file executable packages.” He then locked the issue to prevent non-collaborators from continuing to comment and changed the title to emphasize “Bun’s frontend development server” to avoid misleading people.

The two issues are technically completely different. Bun #28001 is a configuration bug where Bun.serve(), after setting development: false, still exposes .map files to the browser—an issue with the frontend server configuration. The Claude Code leak, on the other hand, involved the v2.1.88 npm package accidentally including about 60MB of source map files. Anthropic’s own explanation was “a release packaging problem caused by human error,” which points to a CI/CD build configuration mistake. This Bun bug has existed for three weeks since the submission on March 11, and as of now it has not been merged and fixed.