An Anthropic employee accidentally exposed the entire proprietary source code for its AI programming tool, Claude Code, by including a source map file in a version of the tool posted on Anthropic’s open npm registry account, a risky mistake, says an AI expert.
“A compromised source map is a security risk,” said US-based cybersecurity and AI expert Joseph Steinberg. “A hacker can use a source map to reconstruct the original source code and [see] how it works. Any secrets within that code – if someone coded in an API key, for example – is at risk, as is all of the logic. And any vulnerabilities found in the logic could become clear to the hacker who can then exploit the vulnerabilities.”
However, Anthropic spokesperson told CSO, “no sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”
But it wasn’t the first time this had happened; according to Fortune and other news sources, the same thing happened last month.
Don’t expose .map files
Map files shouldn’t be left in the final version of code published on open source registries, where anyone can download a package; they can be sources of useful information for hackers.
According to developer Kuber Mehta, who published a blog on the latest incident, when someone publishes a JavaScript/TypeScript package to npm, the build toolchain often generates source map files (.map files). These files are a bridge between the minified/bundled production code and the original source; they exist so that when something crashes in production, the stack trace can point to the actual line of code in the original file, not to some unintelligible reference.
What’s available in these files? “Every file. Every comment. Every internal constant. Every system prompt. All of it, sitting right there in a JSON file that npm happily serves to anyone who runs npm pack or even just browses the package contents,” said Mehta.
“The mistake is almost always the same: someone forgets to add *.map to their .npmignore or doesn’t configure their bundler to skip source map generation for production builds,” Mehta said. “With Bun’s bundler (which Claude Code uses), source maps are generated by default unless you explicitly turn them off.”
Think of a source map as a file that shows what parts of minified computer code, which is not easily understandable to humans, are doing, shown in the human-readable source code, said Steinberg. For example, he said, it may indicate that the code in a specific portion of the executable code is performing the instructions that appear in some specific snippet of source code.
A source map can help with debugging, he added. Without it, he said, many errors would be identified as coming from a larger portion of code, rather than showing exactly where the errors occur.
The world learned of this incident when security researcher Chaofan Shou posted this message early Tuesday on X: “Claude code source code has been leaked via a map file in their npm registry!”, along with a link to the file.
A common error
Leaving source map files in a package “is an incredibly common mistake developers make quite often,” said secure coding trainer Tanya Janca. “In this specific situation, it is more serious than it would be somewhere else, mostly because of the incredibly high value of the intellectual property involved, and because now malicious actors can analyze the source code directly for vulnerabilities instead of having to reverse engineer it, which adds time, cost, and complexity.”
Ideally, Janca said, developers should harden their build environment, so they don’t ship debug information/features with production. She offered these tips to developers:
- disable source maps in the build/bundler tool;
- add the .maps file to the .npmignore / package.json files field to explicitly exclude it, even if it was generated during the build by accident;
- exclude the .maps files from the list of published artifacts in the continuous integration/continuous deployment environment;
- carefully separate debug builds from production builds if there are differences; even the comments could be incredibly sensitive.
A critical layer
Any exposure of source code or system-level logic is significant, because it shows how controls are implemented, commented Dan Schiappa, president of technology and services at Arctic Wolf. With this information exposed, the number of people who now understand how the model enforces behavior, manages access, and handles edge cases increases, he said.
“In AI systems, that layer is especially critical,” he added. “The orchestration, prompts, and workflows effectively define how the system operates. If those are exposed, it can make it easier to identify weaknesses or manipulate outcomes. Knowing that attackers are still discovering the most optimal ways to leverage AI means that in any instance where a tool could be compromised, there are likely cybercriminals waiting in the wings.”
Go to Source
Author: