Executive Summary
Anthropic published @anthropic-ai/claude-code v2.1.88 with a 59.8 MB JavaScript source map bundled in the public npm package. Public analysis reported about 1,900 TypeScript files and 512,000+ lines of source were reconstructable, and Zscaler later documented malicious repositories using the leak as a lure.
The leak was a packaging error, not evidence that Anthropic customer data or credentials were stolen. Reported internal feature names come from public code analysis rather than a formal Anthropic postmortem.
Threat profile
This was not a classic intrusion. It was a build artifact failure: production code shipped with a debug map that made internal source readable at scale.
The business risk is product intelligence. Source maps can reveal module boundaries, internal feature gates, orchestration logic, prompts, naming conventions, and defensive assumptions that attackers or competitors would otherwise need time to infer.
Technical root cause
The release artifact contained an unexcluded `.map` file. The final package, not the source repository, is the security boundary that matters because it is the object delivered to public registries, mirrors, CDNs, and downstream developers.
Public reporting describes unreleased or internal feature references including KAIROS and 'Undercover' mode. Those details are treated here as reported reverse-engineering findings, while the packaging error and source-map exposure are the core verified event.
Why this becomes a malware problem
The original leak was source exposure, but the attention around it created a lure. Zscaler reported fake Claude Code leak repositories that shipped executable archives instead of TypeScript source, deploying Vidar and GhostSocks malware.
That second-order risk matters for enterprises: developers searching for context around a leak become targets for malicious forks, archive downloads, and 'unlocked enterprise' bait.
Ninja Containment
Artifact Minimization
Package Ninja blocks oversized source maps and debug-source artifacts before publish or install, killing the build before an IP-heavy artifact reaches a registry or developer machine.
Inspect the final package tarball, not just the repository tree.
Block `.map` files when source-map size exceeds expected release policy.
Flag source-bearing artifacts such as `.ts`, archives, `.env`, and debug bundles.
Require an audited exception for teams that intentionally ship debug metadata.
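The publish-time gate described in the four points above, written out as an added example (not Package Ninja's or Anthropic's code): a Node script that audits the file list of the final tarball, as printed by `npm pack --dry-run --json`, rather than the repository tree. The 1 MiB source-map limit, the archive extension list and the exception list are assumptions, and the sample input is constructed.

```javascript
// Added example: policy check over the final npm tarball's file list.
// Input shape follows `npm pack --dry-run --json` (an array of packages, each
// with files: [{ path, size, mode }]). The size limit below is an assumed
// release policy, not a published threshold.
const SOURCE_MAP_LIMIT = 1024 * 1024; // bytes; a 59.8 MB map is far past this
const ARCHIVE_EXT = /\.(zip|tgz|tar|tar\.gz|7z|rar)$/i; // assumed archive list

// Returns a violation record for one tarball entry, or null if it passes.
// `allowed` holds paths covered by an audited exception (teams that ship
// debug metadata on purpose); those entries are skipped entirely.
function classify(entry, allowed) {
  const p = entry.path;
  if (allowed.has(p)) return null;
  if (/\.map$/i.test(p)) {
    // Block only oversized maps; a tiny map for a CLI shim is tolerated here.
    return entry.size > SOURCE_MAP_LIMIT
      ? { path: p, reason: `source map ${entry.size} B exceeds ${SOURCE_MAP_LIMIT} B` }
      : null;
  }
  // Raw .ts is source; .d.ts type declarations are a normal shipped artifact.
  if (/\.ts$/i.test(p) && !/\.d\.ts$/i.test(p)) return { path: p, reason: 'TypeScript source' };
  if (/(^|\/)\.env(\.[^/]*)?$/i.test(p)) return { path: p, reason: 'environment file' };
  if (ARCHIVE_EXT.test(p)) return { path: p, reason: 'archive inside package' };
  return null;
}

// Walks every package in the `npm pack --dry-run --json` output and collects
// violations; a non-empty result should fail the publish step.
function auditPackFiles(packJson, allowList = []) {
  const allowed = new Set(allowList);
  const violations = [];
  for (const pkg of packJson) {
    for (const entry of pkg.files || []) {
      const v = classify(entry, allowed);
      if (v) violations.push(v);
    }
  }
  return violations;
}

// Constructed sample shaped like the reported leak: a large .map beside the bundle.
const SAMPLE = [{
  name: 'example-cli',
  files: [
    { path: 'cli.js', size: 9000000, mode: 420 },
    { path: 'cli.js.map', size: 59800000, mode: 420 },
    { path: 'types/index.d.ts', size: 12000, mode: 420 },
    { path: 'src/internal/flags.ts', size: 4000, mode: 420 },
  ],
}];
```

In CI, run `npm pack --dry-run --json > pack.json`, parse it, and pass the result to `auditPackFiles` from a `prepublishOnly` script so the build fails before the tarball reaches a registry.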
