7 min Reading Time<\/p>\n
A missing exclusion rule in the build pipeline exposed Anthropic\u2019s full production code on March 31, 2026. 512,000 lines of TypeScript, packaged into a 59.8 MB source map file within a public NPM package. On the same day, an independent supply-chain attack compromised the NPM package axios – one of the most widely used JavaScript packages globally. Two separate incidents, one ecosystem, one day. Together, they illustrate why NPM supply-chain security is no longer a niche concern for IT teams in 2026.<\/strong><\/p>\n On March 31, 2026, at 08:23 UTC, Chaofan Shou disclosed his discovery on X. Shou is a PhD candidate at UC Berkeley, co-founder of blockchain security startup Fuzzland, and a bug bounty researcher with $1.9 million in documented vulnerability reports. His finding: version 2.1.88 of the official NPM package @anthropic-ai\/claude-code included the file cli.js.map. This 59.8 MB source map contained the complete TypeScript source code in its sourcesContent field – approximately 1,900 files totaling 512,000 lines of production code.<\/p>\n The source map also referenced a ZIP archive stored in a publicly accessible Cloudflare R2 bucket owned by Anthropic. Within hours, the community mirrored the code on GitHub. The most prominent repository reached over 41,500 forks. Anthropic responded with DMCA takedown notices; GitHub disabled over 8,100 repositories in the fork network. The code remains available on decentralized platforms.<\/p>\n The likely cause: Anthropic uses Bun as its JavaScript runtime. An open Bun bug (reported March 11, 2026) documents that Bun\u2019s bundler generates source maps by default – even in production mode, contrary to documentation. Neither .npmignore nor the files field in package.json excluded .map files.<\/p>\n This wasn\u2019t the first incident of its kind: back in 2025, Claude Code versions v0.2.8 and v0.2.28 also contained source map files. Just days before this leak, around 3,000 internal Anthropic files appeared in a publicly accessible cache.<\/p>\n Anthropic\u2019s official statement: “A release packaging error due to human failure, not a security incident.” Version 2.1.88 was withdrawn, and version 2.1.89 released.<\/p>\n Source maps are JSON files that map compiled or minified JavaScript back to the original source code. Their sourcesContent field contains the full, readable source text. They are a legitimate debugging tool – but only in development environments. In production packages, they become a security risk.<\/p>\n Tools like reverse-sourcemap, Shuji, or unwebpack-sourcemap can reconstruct the entire directory structure and readable source code from a single .map file. No reverse engineering required, no decompiler, no specialized expertise – just unpacking the file.<\/p>\n In the case of Claude Code, the following were exposed: the complete four-tier permission model, Bash validation logic, OAuth 2.0 authentication flows, the MCP server architecture (Model Context Protocol), and 44 feature flags for unreleased features. Among them: an anti-distillation mechanism that injects fake tool definitions into API requests to poison training data collected by competitor models. And an “Undercover Mode” that removes all Anthropic references when the tool operates in public repositories.<\/p>\n No customer data. No API keys. But the full intellectual property of the agent architecture – the result of thousands of development hours at a company valued at an estimated $380 billion.<\/p>\n The problem isn\u2019t limited to Anthropic. Source maps in production packages are an industry-wide risk. A study by Ostorlab found that about five percent of examined web assets were vulnerable to source-map-based attacks. The difference: most affected organizations don\u2019t even know their .map files are publicly accessible.<\/p>\n \n “The irony is unreal – Anthropic markets Claude’s code-writing capabilities, yet their own code leaked due to a basic packaging mistake.” The source map leak primarily falls under two CWE categories:<\/p>\n CWE-215<\/strong> (Information Exposure Through Debug Information): Debug artifacts in production releases expose internal implementation details.<\/p>\n CWE-538<\/strong> (Insertion of Sensitive Information into Externally-Accessible File or Directory): Sensitive information placed in a file accessible to external actors.<\/p>\n Additional applicable categories include CWE-540 (Inclusion of Sensitive Information in Source Code), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), and OWASP A01:2021 (Broken Access Control).<\/p>\n Prior to the source map leak, six CVEs had already been documented in Claude Code:<\/p>\n Also included are CVE-2025-59828 (Yarn configuration execution before trust dialog), CVE-2025-64755 (Sed parsing bypassed read-only validation), and attack vectors documented by Check Point Research via manipulated project configurations.<\/p>\n The pattern is clear: AI-powered development tools that read files, execute commands, and access networks are full-fledged attack surfaces – regardless of vendor. The leaked source code at least shows Anthropic recognizes the issue: a CLAUDE_CODE_SUBPROCESS_ENV_SCRUB flag was introduced to prevent environment variables (and potentially API keys) from being inherited by subprocesses. However, the fact this flag was added retroactively confirms that the security architecture evolved reactively rather than proactively.<\/p>\n Independent of the Claude Code leak, on March 31, 2026, a supply-chain attack hit the NPM package axios – with 83 million weekly downloads, one of the most widely used JavaScript packages globally. Versions 1.14.1 and 0.30.4 contained a Remote Access Trojan via a fake dependency named plain-crypto-js. The attack was active between 00:21 and 03:29 UTC before npm removed the package.<\/p>\n The timing is significant: anyone who installed or updated Claude Code via npm during this window may have pulled the compromised axios version as a transitive dependency. Two independent supply-chain issues, one ecosystem, one day. The axios attack was independently confirmed by SANS, Sophos, and BleepingComputer and attributed to the UNC1069 group (linked to North Korea).<\/p>\n This incident fits into a timeline familiar to IT security teams: event-stream (2018), ua-parser-js (2021), colors.js (2022), the Astro attack via Shai-Hulud (2024), and now axios (2026). The NPM ecosystem – with its deeply nested dependency chains – remains one of the most critical attack surfaces in software development. Every transitive dependency is a potential attack vector – and most teams don\u2019t even know their full dependency tree.<\/p>\n Five concrete actions derived from this incident:<\/p>\n 1. Package audit for source maps.<\/strong> Run npm pack –dry-run on all internally published packages. Check whether .map files, .env files, or other debug artifacts are included in the package. This takes 30 seconds per package and would have prevented the Claude Code leak.<\/p>\n 2. Use a whitelist approach instead of a blacklist.<\/strong> Define a files field in package.json as a whitelist, rather than relying on .npmignore (blacklist). Blacklists often miss new file types. Whitelists only include explicitly approved content.<\/p>\n 3. Review bundler configuration.<\/strong> Build tools like Bun, esbuild, and webpack often generate source maps by default. Explicitly disable them for production builds: –sourcemap=none (Bun), –sourcemap=false (esbuild), or devtool: false (webpack).<\/p>\n 4. Implement a CI\/CD gate.<\/strong> Add an automated check in the pipeline that fails the build if .map files, .env files, or other excluded patterns are found in the release artifact. Simple check: find dist\/ -name “*.map” -exec false {} +.<\/p>\n 5. Use provenance attestations.<\/strong> npm publish –provenance creates a cryptographically signed attestation linking the build reproducibly to a specific commit and CI environment. This wouldn\u2019t have prevented the incident, but it makes tampering traceable.<\/p>\n 6. Treat AI development tools as attack surfaces.<\/strong> Tools like Claude Code, GitHub Copilot, and Cursor have filesystem access, execute commands, and communicate with external APIs. They deserve the same security audits as any other software with privileged access. The six documented CVEs in Claude Code show: these tools are not immune to vulnerabilities that are already standard audit points in any other application class.<\/p>\n No. Anthropic and independent security analyses (Penligent) confirm: no customer data, no API keys, no credentials. What was exposed was the application code of the Claude Code CLI – its architecture, logic, and feature flags, not operational secrets.<\/p>\n The Claude Code leak was an unintended configuration error (CWE-215), not a targeted attack. The axios incident on the same day, however, was a deliberate supply-chain attack involving injected malware. Both highlight different facets of the same problem: NPM packages as attack vectors.<\/p>\n The direct risk from the source map leak is low – the exposed code contained no secrets. More critical: users who installed Claude Code between 00:21 and 03:29 UTC on March 31 may have received the compromised axios version as a transitive dependency. Running npm audit and checking the axios version is recommended.<\/p>\n No. In 2025, Claude Code versions v0.2.8 and v0.2.28 also contained source map files. Just days before this leak, around 3,000 internal files appeared in a publicly accessible cache – including details about an unreleased AI model. Three incidents with the same root cause (.npmignore errors) suggest a systemic issue in the release pipeline.<\/p>\n Four steps: 1) npm pack –dry-run shows all files that would be included in the package. 2) Configure the package.json files field as a whitelist. 3) Disable bundler source maps for production. 4) Implement a CI gate that fails the build if .map files are present in the artifact.<\/p>\n Header Image Source: Pexels \/ Towfiqu barbhuiya (px:11391947)<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"7 min Reading Time A missing exclusion rule in the build pipeline exposed Anthropic\u2019s full production code on March 31, 2026. 512,000 lines of TypeScript, packaged into a 59.8 MB source map file within a public NPM package. On the same day, an independent supply-chain attack compromised the NPM package axios – one of the […]","protected":false},"author":50,"featured_media":6449,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"source map","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"Source map in NPM package: See how 512,000 lines of code leaked\u2014learn to protect your builds and audit packages now.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":"","_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":"","footnotes":""},"categories":[251],"tags":[],"class_list":["post-7778","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"wpml_language":"en","wpml_translation_of":6451,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7778","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=7778"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7778\/revisions"}],"predecessor-version":[{"id":9032,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7778\/revisions\/9032"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/6449"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=7778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=7778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=7778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}TL;DR<\/h2>\n
\n
The Incident<\/h2>\n
Source Maps as an Underestimated Attack Vector<\/h2>\n
\n – Community reaction on Hacker News, March 31, 2026<\/cite>\n<\/p><\/blockquote>\nCWE Classification and Known Vulnerabilities<\/h2>\n
On the Same Day: The axios Supply-Chain Attack<\/h2>\n
What IT Teams Should Check Now<\/h2>\n
Frequently Asked Questions<\/h2>\n
Were customer data or API keys exposed?<\/h3>\n
How is this incident different from a supply-chain attack?<\/h3>\n
What risk exists for Claude Code users?<\/h3>\n
Was this Anthropic\u2019s first incident of this kind?<\/h3>\n
How do I audit my own NPM packages?<\/h3>\n
Editor\u2019s Reading Recommendations<\/h2>\n
\n
More from the MBF Media Network<\/h2>\n
\n