A routine npm upload on March 31, 2026 — that’s all it took for Anthropic’s Claude Code sourcemap to spill into the open, courtesy of a debugging slip-up.
Chaofan Shou spotted it first, firing off a link on X that unleashed a worldwide code autopsy. Within hours, folks like Sigrid Jin and Yeachan Heo — armed with OpenClaws, a MacBook, and sheer grit — pieced together 512,000 lines of TypeScript across 1,900 files. It’s out there now, forever.
Claude Code vulnerability hits right after, courtesy of Adversa AI’s red team. This isn’t hype; it’s a permissions bypass that neuters the tool’s main safety net.
How a Debug Blunder Kicked Off the Code Gold Rush
Here’s the thing — leaks like this aren’t new, but they’re a wake-up on how AI tools are built in haste. Anthropic pushed Claude Code v2.1.88 to npm with its JavaScript sourcemap attached, de-obfuscating the whole beast. No model weights, no training data, no customer creds. Just the operational blueprint, as Melissa Bischoping from Tanium puts it.
“While the Claude Code leak does present real risk, it is not the same as model weights, training data or customer data being compromised. What was exposed is something more like an operational blueprint of how the current version of Claude Code is designed to work.”
She nails it. Researchers now grok the guts: input handling, permission enforcement, abuse resistance. Can’t rebuild Claude Code from this — missing the AI brains — but adversaries could mimic it, slipping in malware that poses as the real deal. Awkward? Sure. Catastrophic? Not yet.
But wait.
That blueprint lit the path to the real wound.
Adversa’s dive revealed Claude Code as a beast: 519,000+ lines of TypeScript letting devs chat with Claude via CLI. Edits files, runs shell, hunts codebases, wrangles git, chains dev tasks. Power like that needs guardrails — enter the permission system.
Allow rules auto-greenlight specifics. Deny rules hard-block baddies. Ask rules prompt every time. Example from Adversa:
{ “deny”: [“Bash(curl:)”, “Bash(wget:)”], “allow”: [“Bash(npm:)”, “Bash(git:)”] }
Smart — no exfil via curl/wget, but npm and git flow free. Except.
Why Does Claude Code’s Permission System Crumble at 51 Commands?
Anthropic chased speed after compound commands froze the UI. Solution? Cap analysis at 50 subcommands, fallback to ‘ask’ beyond that. Code comment boasts: “Fifty is generous: legitimate user commands don’t split that wide. Above the cap we fall back to ‘ask’ (safe default — we can’t prove safety, so we prompt).”
Flaw city. Prompt injection via a booby-trapped CLAUDE.md file tricks the AI into spitting a 50+ subcommand pipeline mimicking a legit build. Boom — behavior flips to ‘ask’. Deny rules? Skipped. Validators? Ignored. Injection detectors? Bypassed.
The 51st triggers ‘ask’, sure, but users see zilch about the skipped checks. No warning lights.
“The permission system is the primary security boundary between the AI agent and the developer’s system,” reports Adversa. “When it fails silently, the developer has no safety net.”
Motivated attacker crafts a malicious repo. Clone it, run Claude Code — looks routine. But that pipeline exfils SSH keys, AWS creds, GitHub tokens, npm secrets. Scale it: supply chain poison, cloud breaches, CI/CD sabotage.
Claude’s LLM caught blatant malice in tests — props for depth — but this bug lives orthogonal, pure policy enforcement fail.
And here’s my take, the one you won’t find in the press release spin: this echoes the Therac-25 radiation overdoses from the ’80s, where race-to-performance tweaks (like skipping safety interlocks for speed) turned safeguards into illusions. Anthropic prioritized snappy UIs over ironclad bounds-checking, betting users won’t chain 51 legit steps. Bold prediction — as AI agents balloon in autonomy, expect a cascade of these ‘generous caps’ biting back, forcing a rethink of agent architectures from reactive rules to proactive, model-aware verification.
But does Anthropic’s PR downplay it? They’re mum so far, which screams classic silicon-valley damage control — fix quietly, pray it fades.
Claude Code shines for dev workflows — until it doesn’t. That silent bypass? It’s not a whoops; it’s architectural myopia, assuming humans (or benign AIs) won’t game the thresholds.
Worse, the leak amplifies it. Now attackers blueprint-versed can tailor payloads that dance right past.
Developers, audit your CLAUDE.md files. Limit repo trusts. And Anthropic? Patch yesterday — or watch trust erode.
What Happens When AI Agents Outsmart Their Own Chains?
Dig deeper: AI agents like Claude Code mark a shift from tools to semi-autonomous partners. But security’s still bolted-on, not baked-in. Permissions as regex-ish rules? Cute for prototypes, brittle for prod.
This vuln exposes the why: performance hacks erode boundaries without telemetry. No logs screaming ‘bypass engaged’. Users blissfully approve the ‘ask’, blind to the preceding 50-rule-free commands.
Historical parallel? Log4Shell in 2021 — a logging lib turned exfil highway. Here, it’s an agent lib turning dev envs into key farms. Both from good intentions (speed, convenience) gone rogue.
Fixes? Dynamic subcommand auditing, no caps — or AI-native verification where the model itself vets chains pre-execution. Costly, sure. But scale matters.
Adversa warns of repo-borne attacks. Imagine npm yank, but for git clones. Your next ‘cool project’ steals creds.
Anthropic’s silence? Telling. They’re iterating v2.1.89 behind scenes, but transparency builds trust — leak or no.
Short-term: Users, tweak rules tighter, monitor CLI output. Long-term: Agent makers, embed security as first-class, not afterthought.
This isn’t isolated. As leaks proliferate, expect vuln hunts to accelerate — good for security, brutal for rushed rollouts.
🧬 Related Insights
- Read more:
- Read more: CrowdStrike’s Flex for Services: Flexible Fix or Sticky Upsell?
Frequently Asked Questions
What is the Claude Code vulnerability exactly?
It’s a bypass in the permission system: over 50 subcommands skips deny rules silently, letting hidden malice run via prompt-injected pipelines.
How did the Claude Code source leak happen?
Accidental npm upload with debugging sourcemap, de-obfuscating 512k lines of TypeScript — now public forever, minus weights.
Can I still safely use Claude Code?
Yes, with caveats: vet repos, tighten denies, watch for odd ‘ask’ prompts on big chains — patch incoming, hopefully.
