April 1, 2026

Leaked or just… linked?

Article URL →HN comments →

Obfuscation is not security – AI can deobfuscate any minified JavaScript code

Not a leak: AI read the “secret” code that was public all along — cue chaos

TLDR: A debug file in Claude Code’s npm release sparked a “leak” frenzy, even though the code was already public and merely shrunken for shipping. Commenters battled over whether AI makes hiding code pointless, with some cheering AI’s x‑ray vision and others calling it an endless cat‑and‑mouse game.

April Fools? Not this time. The internet went nuclear over Claude Code’s “leaked” guts — dev notes, feature flags, even a cutesy AI pet called BUDDY — while veterans kept yelling, “It’s been on npm this whole time.” The real plot twist: a debugging file slipped into a release, again, and everyone treated it like a vault crack.

Commenters split into camps fast. One side flexed AI superpowers: users like ryandrake bragged that Claude sliced through the shrunk-down code “like it wasn’t even there,” proving minified (shrunken) code is not hidden code. Another crew called the panic performative. Obfuscation vs. minification became the meme of the day: minification is for smaller downloads, not secrecy. The loudest hot take? Obfuscation is just “DIY DRM” — not real security — and AI now speedruns de-minifying anyway.

Meanwhile, the spectacle got juicier. Anthropic DMCA’d a GitHub dump; forks multiplied — classic Streisand effect. A Rust “clean-room” clone rocketed to record stars. ccleaks.com popped up like an Easter egg hunt for hidden flags: ULTRAPLAN, BUDDY, and more. Skeptics pushed back on “AI deobfuscates anything,” calling it an arms race that never ends. And the peanut gallery tossed tomatoes at “LLM slop” blog posts. Internet verdict? Not a hack, just a packaging whoopsie — twice — with AI turning a minified curtain into a glass wall.

Key Points

  • A source map file was accidentally included in @anthropic-ai/claude-code v2.1.88 on npm, revealing internal comments and structure.
  • Anthropic stated the issue was a release packaging error, not a security breach; the package was pulled but mirrors persisted.
  • Claude Code’s CLI bundle (cli.js) has long been publicly accessible and is minified, not obfuscated, with 148k+ plaintext strings.
  • The incident triggered rapid community actions: GitHub dumps, DMCA takedowns, the “Claw Code” Rust rewrite (50k stars in 2 hours), and ccleaks.com.
  • An analysis using Anthropic’s own Claude and an AST-based approach effectively extracted internals from the minified code without source maps.

Hottest takes

"cut through all those obfuscated variables like they weren't even there" — ryandrake
"It's a cat and mouse game ... make-shift "DRM"" — notepad0x90
"write your blog yourself ... not this llm slop" — durzo22

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.