I build a JavaScript obfuscation tool (AfterPack), so when the Claude Code "leak" hit VentureBeat, Fortune, and The Register this week, I did what felt obvious — I analyzed the supposedly leaked code to see what was actually protected.
I wrote a detailed breakdown on the AfterPack blog. Here's the core of it.
What Happened
A source map file — a standard debugging artifact defined in ECMA-426 — was accidentally included in version 2.1.88 of the @anthropic-ai/claude-code package on npm. Security researcher Chaofan Shou spotted it, and within 24 hours a clean-room Rust rewrite hit 110K GitHub stars and a breakdown site (ccleaks.com) cataloged every hidden feature.
This is the second time — a nearly identical source map leak happened in February 2025.
The Code Was Already There
Claude Code ships as a single bundled cli.js on npm — 13MB, 16,824 lines of JavaScript. It's been publicly accessible since launch. You can view it right now at unpkg.com.
I analyzed it. It's minified, not obfuscated. Here's what that means in practice:
| Technique | Present? |
|---|---|
| Variable name mangling | Yes (standard minification) |
| Whitespace removal | Yes (standard minification) |
| String encryption/encoding | No |
| Control flow flattening | No |
| Dead code injection | No |
| Self-defending / anti-tamper | No |
| Property name mangling | No |
All 148,000+ string literals sit in plaintext — system prompts, tool descriptions, behavioral instructions.
I Asked Claude to Deobfuscate Itself
This is the part that got me. I pointed Claude — Anthropic's own model — at its own minified cli.js and it just... explained it.
Using AST-based extraction, we parsed the full 13MB file in 1.47 seconds and pulled out 147,992 strings. System prompts, tool descriptions, 837 telemetry events (all prefixed with tengu_ — Claude Code's internal codename), 504 environment variables, a DataDog API key.
Geoffrey Huntley published a full cleanroom transpilation of Claude Code months before this leak using a similar approach — LLMs converting minified JS to readable TypeScript. His deobfuscation repo on GitHub demonstrates the technique.
What Source Maps Actually Added
To be fair, source maps did surface some genuinely sensitive stuff:
- Internal code comments and TODOs
- The full 1,884-file project tree with original filenames
- Feature flags with codenames like
tengu_amber_flintandtengu_cobalt_frost - KAIROS — an unreleased autonomous daemon mode
- Anti-distillation mechanisms that inject decoy tools to poison training data
That's real exposure. But the actual code logic was already there in cli.js.
This Happens Everywhere
I ran our Security Scanner on GitHub.com and found email addresses and internal URLs in their production JavaScript and source maps. Same with claude.ai. Same class of exposure, zero headlines.
AI Makes This Urgent
The reality is simple: minification was never security. It's a size optimization that bundlers like esbuild, Webpack, and Rollup do by default. Variable renaming slows down human readers but LLMs read minified code like you read formatted code.
System prompts are the new trade secrets. Telemetry names reveal product roadmaps. Environment variables expose what you're not ready to ship. And every JavaScript application — React frontends, Electron apps, Node.js CLIs — ships code that AI can now analyze trivially.
You can check what your site exposes: npx afterpack audit https://your-site.com
Originally published on AfterPack.
Top comments (0)