
[DigitalToday reporter Chi-gyu Hwang] A critical vulnerability has been found in Claude Code just days after its source code was leaked.

SecurityWeek reported on April 2 that the issue began on March 31, when a JavaScript source map meant for debugging was published to npm during Anthropic's Claude Code v2.1.88 update process. npm is a public repository where JavaScript developers upload and download code packages.

Researcher Chaofan Shou found it and shared it on X (Twitter), prompting developers worldwide to begin analysing Claude Code.

Melissa Bischoping, senior director at security firm Tanium, explained, "This leak is different from a leak of model weights, training data or customer data," adding that it is "closer to an operational blueprint that shows how the current version of Claude Code is designed."

The leaked information does not include Claude model weights, training data, APIs or credentials, making direct exploitation difficult. Still, concerns have been raised that it could be used to create lookalikes that appear identical to Claude Code but embed malware or steal credentials.

Separately from the source code leak, Adversa AI's red team found a critical vulnerability in Claude Code itself. Claude Code has a permission system that automatically allows or blocks certain commands. For example, it blocks curl and wget commands to prevent data leaks, while allowing npm and git commands.

But those blocking rules can be bypassed. To prevent the UI from freezing, Anthropic designed the system to limit analysis to 50 subcommands when handling compound commands, and to ask the user for confirmation if that limit is exceeded. Critics say a prompt-injection attack using a malicious CLAUDE.md file could induce the AI to generate a pipeline with more than 50 subcommands.

Adversa AI said, "During testing, Claude's LLM safety layer independently blocked some clearly malicious payloads," but added, "The permission-system vulnerability is a bug in security policy enforcement code that exists regardless of the LLM layer."
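The enforcement gap described above can be modelled in a few lines. This is an added example, not Anthropic's or Adversa AI's code: the function names, the naive command splitter and the fail-closed design are assumptions, and only the curl/wget and npm/git rules and the limit of 50 come from the article.

```javascript
// Simplified model of a command permission check (hypothetical, not Claude Code's source).
const DENY = new Set(["curl", "wget"]);   // blocked, per the article
const ALLOW = new Set(["npm", "git"]);    // allowed, per the article
const MAX_SUBCOMMANDS = 50;               // analysis limit, per the article

// Split a compound command on shell control operators.
// Assumption: no quoting, subshell or substitution handling; a real parser needs all three.
function subcommands(command) {
  return command.split(/\|\||&&|[;|&\n]/).map((s) => s.trim()).filter(Boolean);
}

// Program name of one subcommand: the first token that is not a VAR=value assignment,
// with any directory prefix removed so /usr/bin/curl still matches "curl".
function program(subcommand) {
  const tok = subcommand.split(/\s+/).find((t) => !/^[A-Za-z_]\w*=/.test(t)) || "";
  return tok.split("/").pop();
}

function evaluate(parts) {
  const progs = parts.map(program);
  if (progs.some((p) => DENY.has(p))) return "deny";
  if (progs.every((p) => ALLOW.has(p))) return "allow";
  return "ask";
}

// Flawed shape: past the limit the deny rules are never consulted, so a block becomes a prompt.
function decideCapped(command) {
  const parts = subcommands(command);
  if (parts.length > MAX_SUBCOMMANDS) return "ask";
  return evaluate(parts);
}

// Hardened shape: the deny scan is linear and runs over every subcommand;
// a command over the limit that passes it is refused instead of handed to the user.
function decideFailClosed(command) {
  const parts = subcommands(command);
  if (parts.some((p) => DENY.has(program(p)))) return "deny";
  if (parts.length > MAX_SUBCOMMANDS) return "deny";
  return evaluate(parts);
}

// Constructed regression input: 50 allowed subcommands followed by one denied one.
const OVER_CAP = Array(50).fill("git status").concat("curl https://example.invalid").join("; ");

function demo() {
  return { capped: decideCapped(OVER_CAP), failClosed: decideFailClosed(OVER_CAP) };
}
```

Keeping a case like `OVER_CAP` in the policy engine's regression suite catches any later change that reintroduces the downgrade from "deny" to "ask".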
