How to Leak a $340B Secret: The Anthropic “Claude Code” Incident

infosecwriteups.com · Yuvarajan · 5 days ago · exploit
quality 9/10 · excellent
0 net
Tags
anthropic secret security
How to Leak a $340B Secret: The Anthropic "Claude Code" Incident | by Yuvarajan | in InfoSec Write-ups - Freedium Milestone: 20GB Reached We’ve reached 20GB of stored data — thank you for helping us grow! Patreon Ko-fi Liberapay Close < Go to the original How to Leak a $340B Secret: The Anthropic "Claude Code" Incident I genuinely thought this was an April Fool's prank. Every year, companies like Google pull some elaborate stunt, so when I saw the "Claude… Yuvarajan Follow InfoSec Write-ups · ~4 min read · April 1, 2026 (Updated: April 6, 2026) · Free: Yes I genuinely thought this was an April Fool's prank. Every year, companies like Google pull some elaborate stunt, so when I saw the "Claude Code leak" trending on April 1st, I kept scrolling. But out of curiosity, I checked the npm registry for @anthropic-ai/claude-code . The version everyone was talking about ( v2.1.88 )? Gone. Not deprecated. Not hidden. Just scrubbed from existence. That's when it stopped looking like a joke. where is v2.1.88? What Actually Happened This wasn't a sophisticated zero-day or a database breach. It is just a bad release. It was a perfect example of how modern software supply chains fail fast and fail publicly: The Trigger: Anthropic pushed an update to npm. The Cargo: Inside the package was a 59.8 MB debug artifact. The Payload: A .map file ( cli.js.map ) that didn't just map code—it contained the sourcesContent for the entire project. The Timeline of Chaos T+0 mins: Version 2.1.88 hits npm. +23 mins: Security researcher Chaofan Shou notices the unusual file size and downloads the package. +45 mins: The source is extracted. It's not just snippets; it's 1,900+ TypeScript files and 512,000+ lines of proprietary logic. +2 hours: The GitHub mirrors start to appear, before the first DMCA notice can even be drafted. +6 hours: The "clean-room" rewrites begin. A Python port and a Rust rewrite (likely AI-assisted) exploded. What is a Source Map actually? A source map is a JSON file that acts as a bridge between your " Production Code" and your "Development Code." Why this exists: Modern web development is a series of transformations: TypeScript → Compiled to JavaScript Modern JS → Transpiled for compatibility (Babel) Code → Bundled and Minified (Vite, Webpack, or in Anthropic's case, Bun ) The final code is a single-line mess. If an error happens in production, your stack trace looks like this: Error at a.js:1:98432 . You are effectively blind. The Fix: A source map tells the browser: "Line 1, column 98432 in bundle.js actually maps to line 42 in AuthService.ts ." How to Extract Code from .map Files If you're a dev and you see a .map file in the wild, here is how you "reverse" it. Method 1: The DevTools Way Open Chrome DevTools → Sources tab. If the site has maps enabled, look for a folder usually named webpack:// or file:// . You can browse the original source tree, set breakpoints, and read comments exactly as the author wrote them. The Billion-Dollar String: Why sourcesContent is a Security Nightmare If you open that .map file in a text editor instead of a browser, you'll see why DevTools is able to show you the original code. Most people don't realize there are two ways a source map handles your files: Reference Maps: They just point to paths (e.g., "sources": ["src/main.ts"] ). If a hacker downloads this, they get a list of your filenames, but the files are empty because they don't have access to your local machine's file system. Inline Maps (The "Anthropic" Way): These include the sourcesContent field. This is a massive array of strings containing the actual raw source code of every single file in your project. This is what Anthropic did. They didn't just point to the code; they bundled the entire repository inside the map file. When you have sourcesContent , DevTools doesn't need to look for your files on a server—it already has the full text sitting right there in the JSON. What We Learned (The "Undercover Mode" and more) The leak revealed more than just code; it revealed Anthropic's roadmap: "Kairos": An unreleased daemon mode that allows Claude to run as an always-on background agent. "Undercover Mode": A feature that strips AI attribution from commits so devs can contribute to public repos "silently." "Buddy": A full-blown pet/Tamagotchi system (likely the intended April Fool's release) with rarity tiers and "shiny" variants. The Security Takeaway Your build pipeline is a bigger risk than hackers. A single misconfigured .npmignore or a missing files field in package.json can bypass all your firewalls. Deletion is an illusion. Anthropic nuked the package within hours, but by then, it was already mirrored in 40,000 places. Check your Bundler. Anthropic uses Bun . Bun (and Vite/Webpack) make it very easy to generate maps; you must be explicit about where those maps go. Pro-tip: Use a tool like source-map-explorer As part of your CI/CD, visualize what you're actually shipping before it hits the registry. References: https://github.com/chatgptprojects/clear-code/tree/642c7f944bbe5f7e57c05d756ab7fa7c9c5035cc?tab=readme-ov-file Reporting a Problem Sometimes we have problems displaying some Medium posts. If you have a problem that some images aren't loading - try using VPN. Probably you have problem with access to Medium CDN (or fucking Cloudflare's bot detection algorithms are blocking you).
← Back to stories