Varonis reposted this
OH. MY. GOSH. 😱 The Claude Code team accidentally leaked their .map file, giving us a look inside their code base. 1,900 unobfuscated TypeScript files totaling over 512,000 lines from their R2 storage bucket, discovered by security researcher Chaofan Shou.

The accidental .map file leak is a great reminder about build pipelines: source maps are incredibly useful for debugging, but they should never end up in production npm packages. A single config flag can have serious consequences.

The leaked codebase includes the complete tool system, multi-agent coordinator, React/Ink terminal UI, IDE bridge, permission engine, etc. It also gives us a glimpse at some roadmap features:

🐰 Virtual pets / Tamagotchi-style system — a "Buddy System" feature described as a Tamagotchi-like pet setup that was apparently slated to start rolling out soon (some posts noted "starting tomorrow").
🤖 Autonomous agents & multi-agent coordination — a "Coordinator" that manages sub-agents, along with advanced agentic workflows for the CLI tool.
🎛️ Auto Mode — Automatically approves tool permissions (reducing manual intervention).
🥷 Undercover mode — Hides AI tracks/footprints when working on public repositories.
🕹️ Kairos — Runs 24/7 doing background tasks.
⑊ 50+ slash commands — An extensive command system for the CLI.
✨ Full tool system — Complete implementation of tools, IDE bridge/integration, permission engine, and React/Ink-based terminal UI.

You can also see the 187 spinner verbs they use when you're waiting for a response.

This wasn't a sophisticated breach—just a build config mistake where Bun (or the bundler) generated and included a large cli.js.map file (~57-60MB) in the published npm package. Anyone could unpack it to reconstruct the original ~1,900 files of readable TypeScript.
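
A pre-publish check for the build mistake described above, as an added example (not code from the post or from the Claude Code project): it walks an unpacked package directory, such as an extracted `npm pack` tarball, and reports `.map` files, how many original sources each one embeds in `sourcesContent`, and JS files that still reference a map. The function names and the sample package are constructed for illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Recursively list every file under dir (skipping node_modules).
function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    if (e.isDirectory()) return e.name === "node_modules" ? [] : walk(p);
    return [p];
  });
}

// Findings: .map files (with embedded-source count) and JS files that still
// carry a sourceMappingURL comment (external reference or inline data: URI).
function auditSourceMaps(pkgDir) {
  const findings = [];
  for (const file of walk(pkgDir)) {
    const rel = path.relative(pkgDir, file);
    if (file.endsWith(".map")) {
      let embedded = 0;
      try {
        const map = JSON.parse(fs.readFileSync(file, "utf8"));
        // sourcesContent holds original files verbatim; null entries are empty.
        embedded = (map.sourcesContent || []).filter((s) => typeof s === "string").length;
      } catch { /* unparsable map: still report the file itself */ }
      findings.push({ file: rel, kind: "map-file", embeddedSources: embedded });
    } else if (/\.(c|m)?js$/.test(file)) {
      const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(fs.readFileSync(file, "utf8"));
      if (m) findings.push({ file: rel, kind: m[1].startsWith("data:") ? "inline-map" : "map-reference" });
    }
  }
  return findings;
}

// Constructed sample package (not real project files) to exercise the check.
function buildSamplePackage() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "pkg-"));
  fs.writeFileSync(path.join(dir, "cli.js"), "console.log(1);\n//# sourceMappingURL=cli.js.map\n");
  fs.writeFileSync(path.join(dir, "cli.js.map"), JSON.stringify({
    version: 3, sources: ["src/a.ts", "src/b.ts"],
    sourcesContent: ["export const a = 1;", "export const b = 2;"], mappings: "",
  }));
  fs.writeFileSync(path.join(dir, "clean.js"), "module.exports = {};\n");
  return dir;
}

// A CI gate would fail the publish job whenever this list is non-empty.
console.log(auditSourceMaps(buildSamplePackage()));
```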