Claude Code Source Code Leak and Critical Post-Leak Vulnerability (Adversa AI Discovery)
Date: 2026-04-04
Tags: shadow-ai, malware
Executive Summary
On March 31, 2026, Anthropic mistakenly included a debugging JavaScript sourcemap for Claude Code v2.1.88 on npm; within hours, researcher Chaofan Shou discovered the sourcemap and posted it on X, kicking off a global rush to examine the de-obfuscated source code. Days later, Adversa AI discovered a critical vulnerability where malicious CLAUDE.md files can use prompt injection to generate 50+ subcommand pipelines that bypass Claude Code's safety permission system.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Claude Code Source Exposure and Permission Bypass |
| Attribution | Anthropic Operational Security Failure; Adversa AI (vulnerability discovery) (confidence: high) |
| Target | Claude Code users integrating untrusted repositories |
| Vector | Malicious CLAUDE.md prompt injection / sourcemap exposure |
| Status | active |
| First Observed | 2026-03-31 |
Detailed Findings
Within days of each other, Anthropic first leaked the source code to Claude Code, and then a critical vulnerability was found by Adversa AI. On March 31, 2026, Anthropic mistakenly published a debugging JavaScript sourcemap for Claude Code v2.1.88 to npm. Within hours, researcher Chaofan Shou discovered the sourcemap and posted a link on X, kicking off a global rush to examine the de-obfuscated Claude Code source. Sigrid Jin, a 25-year-old student at the University of British Columbia, worked with Yeachan Heo to reconstruct Claude Code. The result now persists on the internet, comprising 512,000 lines of TypeScript in 1,900 files.
The flaw discovered by Adversa is that this process can be manipulated. Anthropic's assumption doesn't account for AI-generated commands from prompt injection, where a malicious CLAUDE.md file instructs the AI to generate a 50+ subcommand pipeline that looks like a legitimate build process. If this is done, behavior: 'ask' immediately occurs. This represents a critical compound failure: public source code plus a permission-bypass vulnerability that allows attackers to weaponize Claude Code via malicious repository configurations.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Prompt Injection | T1598 | Malicious CLAUDE.md file injects prompts to bypass safety rules |
| Abuse of Functionality | T1657 | Claude Code's legitimate multi-command feature exploited to exceed safety thresholds |
| Code Execution | T1059 | 50+ subcommand pipeline bypasses ask/deny/allow permission rules |
IOCs
Domains
_No IOCs published; vulnerability affects all Claude Code users integrating untrusted repositories_
Full URL Paths
GitHub repositories masquerading as leaked Claude Code source
Splunk Format
"GitHub repositories masquerading as leaked Claude Code source"
Package Indicators
Claude Code CLI v2.1.88 (npm package, sourcemap exposed)
Detection Recommendations
- Pin Claude Code to versions pre-2.1.88.
- Audit all CLAUDE.md files in repositories for suspicious command pipelines.
- Implement strict repository vetting before cloning.
- Monitor for multi-stage command chains exceeding 20 subcommands.
- Enable logging of all Claude Code executions.
- Scan GitHub for trojanized Claude Code repos claiming to be 'leaked source' or 'unlocked versions'.
- Rotate all API keys exposed in the source leak.
- Implement MCP server authentication and signing.
- Treat all untrusted repositories as high-risk.
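One way to implement the CLAUDE.md audit and the 20-subcommand monitoring threshold recommended above, as an added example (not code from Anthropic, Adversa AI, or the cited reports). It assumes POSIX-style shell chaining operators; `count_subcommands`, `audit_text` and the sample text are hypothetical names and constructed data, and the counting does not reproduce how Claude Code itself parses commands.

```python
import re
import shlex

# Shell control operators that separate one subcommand from the next.
SEPARATORS = {";", "&", "&&", "|", "||", "|&"}
THRESHOLD = 20  # from the recommendation above: flag chains exceeding 20 subcommands

def count_subcommands(command: str) -> int:
    """Count subcommands in one shell command line, ignoring operators inside quotes."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.commenters = ""  # do not let '#' hide the rest of the line from the count
    try:
        tokens = list(lex)
    except ValueError:
        # Unbalanced quotes (common in prose): quote-blind split, which can only over-count.
        tokens = [t.strip() for t in re.split(r"(\|\||&&|\|&|[;&|])", command) if t.strip()]
    count, in_command = 0, False
    for tok in tokens:
        if tok in SEPARATORS:
            in_command = False
        elif not in_command:
            count, in_command = count + 1, True
    return count

def audit_text(text: str, threshold: int = THRESHOLD):
    """Return (line_number, subcommand_count) for each logical line over the threshold."""
    findings, buffer, start = [], "", 0
    for number, line in enumerate(text.splitlines(), 1):
        if not buffer:
            start = number
        if line.endswith("\\"):  # backslash continuation: keep joining lines
            buffer += line[:-1] + " "
            continue
        n, buffer = count_subcommands(buffer + line), ""
        if n > threshold:
            findings.append((start, n))
    return findings

# Constructed sample, not taken from any real repository.
SAMPLE = "\n".join([
    "# Build notes",
    "Run `make lint && make test` before committing.",
    "echo 'a && b; c | d'",
    " && ".join(f"step{i} --check" for i in range(1, 52)),
])

if __name__ == "__main__":
    for line_no, n in audit_text(SAMPLE):
        print(f"line {line_no}: {n} subcommands (threshold {THRESHOLD})")
```

The same `count_subcommands` function can be applied to command strings taken from execution logs. It only sees commands written out literally, so a CLAUDE.md that describes a long pipeline in prose still needs manual review.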
References
- [SecurityWeek] Critical Vulnerability in Claude Code Emerges Days After Source Leak (2026-04-02) — https://www.securityweek.com/critical-vulnerability-in-claude-code-emerges-days-after-source-leak/
- [The Register] Fake Claude Code source downloads actually delivered malware (2026-04-02) — https://www.theregister.com/2026/04/02/trojanized_claude_code_leak_github/