{"id":17,"date":"2026-04-07T05:42:29","date_gmt":"2026-04-07T05:42:29","guid":{"rendered":"https:\/\/ysochannel.com\/?p=17"},"modified":"2026-04-07T05:42:30","modified_gmt":"2026-04-07T05:42:30","slug":"critical-vulnerability-in-claude-code-emerges-days-after-source-leak","status":"publish","type":"post","link":"https:\/\/ysochannel.com\/?p=17","title":{"rendered":"Critical Vulnerability in Claude Code Emerges Days After Source Leak"},"content":{"rendered":"\n<p>Anthropic\u2019s Claude Code is in the news again \u2013 and not for the best reasons.<\/p>\n\n\n\n<p>Within days of each other, Anthropic leaked the source code of Claude Code, and Adversa AI then found a critical vulnerability in it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-claude-code-leak\">Claude Code Leak<\/h2>\n\n\n\n<p>On March 31, 2026, Anthropic mistakenly included a debugging JavaScript sourcemap for Claude Code v2.1.88 in its npm package. Within hours, researcher Chaofan Shou discovered the sourcemap and posted a link on X \u2013 kicking off a global rush to examine the de-obfuscated Claude Code source.<\/p>\n\n\n\n<p>Sigrid Jin, a 25-year-old student at the University of British Columbia, worked with Yeachan Heo to reconstruct the Claude Code source. \u201cIt took two humans, 10 OpenClaws, a MacBook Pro laptop, and a few hours to recreate the popular AI agent\u2019s source code and share it with the world,\u201d reports Yahoo, proving that what goes up (on the internet) does not come down (off the internet).<\/p>\n\n\n\n<p>The result now persists on the internet: 512,000 lines of TypeScript in 1,900 files.<\/p>\n\n\n\n<p>It is awkward but not catastrophic for Anthropic. \u201cWhile the Claude Code leak does present real risk, it is not the same as model weights, training data or customer data being compromised. What was exposed is something more like an operational blueprint of how the current version of Claude Code is designed to work,\u201d explains Melissa Bischoping, senior director of security &amp; product design research at Tanium.<\/p>\n\n\n\n<p>The key point is that researchers can see how Claude Code is meant to work but cannot recreate it, because the leak does not include the Claude model weights, the training data, customer data, APIs or credentials. \u201cIt is not a foolproof roadmap to exploitation, but it is meaningful insight into how the tool handles inputs, enforces permissions and resists abuse,\u201d continues Bischoping.<\/p>\n\n\n\n<p>\u201cAnother layer of risk from this leak is that adversaries may use the blueprint to build lookalikes that appear and behave like Claude Code on the surface, but install malware or harvest credentials and data,\u201d she adds.<\/p>\n\n\n\n<p>Awkward and embarrassing for Anthropic, then, but not directly harmful to Claude Code.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-vulnerability-in-claude-code\">Vulnerability in Claude Code<\/h2>\n\n\n\n<p>But a genuine and critical vulnerability has now been discovered in Claude Code itself by the Adversa AI Red Team. \u201cClaude Code is\u2026 a 519,000+ line TypeScript application that allows developers to interact with Claude directly from the command line. It can edit files, execute shell commands, search codebases, manage git workflows, and orchestrate complex multi-step development tasks,\u201d&nbsp;<a href=\"https:\/\/adversa.ai\/claude-code-security-bypass-deny-rules-disabled\/\" target=\"_blank\" rel=\"noreferrer noopener\">reports<\/a>&nbsp;Adversa.<\/p>\n\n\n\n<p>Claude Code includes a permission system based on allow rules (auto-approve specific commands), deny rules (hard-block specific commands), and ask rules (always prompt). Adversa provides an example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{ \"deny\": [\"Bash(curl:*)\", \"Bash(wget:*)\"],<br>\"allow\": [\"Bash(npm:*)\", \"Bash(git:*)\"] }<\/code><\/pre>\n\n\n\n<p>This never allows curl or wget (preventing data exfiltration) but auto-allows npm and git commands (common development tools).<\/p>\n\n\n\n<p>That sounds correct and reasonable. The flaw, however, is that the deny rules can be bypassed. \u201cThe permission system is the primary security boundary between the AI agent and the developer\u2019s system,\u201d reports Adversa. \u201cWhen it fails silently, the developer has no safety net.\u201d<\/p>\n\n\n\n<p>The problem stems from a performance fix. Complex compound commands caused the UI to freeze, so Anthropic capped the per-subcommand analysis at 50 subcommands and falls back to a generic \u2018ask\u2019 prompt for anything larger. The code comment states, \u201cFifty is generous: legitimate user commands don\u2019t split that wide. Above the cap we fall back to \u2018ask\u2019 (safe default \u2014 we can\u2019t prove safety, so we prompt).\u201d<\/p>\n\n\n\n<p>The flaw discovered by Adversa is that this cap can be manipulated. Anthropic\u2019s assumption doesn\u2019t account for AI-generated commands produced by prompt injection, where a malicious CLAUDE.md file instructs the AI to generate a 50+ subcommand pipeline that looks like a legitimate build process.<\/p>\n\n\n\n<p>When the cap is exceeded, the permission check immediately returns \u201cbehavior: \u2018ask\u2019, \/\/ NOT \u2018deny\u2019\u201d, as the code puts it. \u201cDeny rules, security validators, command injection detection \u2014 all skipped,\u201d writes Adversa. The 51<sup>st<\/sup>&nbsp;command reverts to ask as required, but the user gets no indication that all deny rules have been ignored.<\/p>\n\n\n\n<p>Adversa warns that a motivated attacker could embed real-looking build steps in a malicious repository\u2019s CLAUDE.md. 
It would look routine, but no per-subcommand analysis runs at all when the count exceeds 50. This could allow the attacker to exfiltrate SSH private keys, AWS credentials, GitHub tokens, npm tokens or Env secrets. It could lead to credential theft at scale, supply chain compromise, cloud infrastructure breach and CI\/CD pipeline poisoning.<\/p>\n\n\n\n<p>\u201cDuring testing, Claude\u2019s LLM safety layer independently caught some obviously malicious payloads and refused to execute them. This is good defense-in-depth,\u201d writes Adversa. \u201cHowever, the permission system vulnerability exists regardless of the LLM layer \u2014 it is a bug in the security policy enforcement code. A sufficiently crafted prompt injection that appears as legitimate build instructions could bypass the LLM layer too.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Anthropic\u2019s Claude Code is in the news again \u2013 and not for the best reasons. Within days of each other, Anthropic first leaked the source code to Claude Code, and then a critical vulnerability was found by Adversa AI. 
Claude Code Leak On March 31, 2026, Anthropic mistakenly included a debugging JavaScript sourcemap for Claude &#8230; <a title=\"Critical Vulnerability in Claude Code Emerges Days After Source Leak\" class=\"read-more\" href=\"https:\/\/ysochannel.com\/?p=17\" aria-label=\"Read more about Critical Vulnerability in Claude Code Emerges Days After Source Leak\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-17","post","type-post","status-publish","format-standard","hentry","category-tech"],"_links":{"self":[{"href":"https:\/\/ysochannel.com\/index.php?rest_route=\/wp\/v2\/posts\/17","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ysochannel.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ysochannel.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ysochannel.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ysochannel.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17"}],"version-history":[{"count":1,"href":"https:\/\/ysochannel.com\/index.php?rest_route=\/wp\/v2\/posts\/17\/revisions"}],"predecessor-version":[{"id":18,"href":"https:\/\/ysochannel.com\/index.php?rest_route=\/wp\/v2\/posts\/17\/revisions\/18"}],"wp:attachment":[{"href":"https:\/\/ysochannel.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ysochannel.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ysochannel.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}