Obfuscation is not security – AI can deobfuscate any minified JavaScript code
5 hours ago
- #JavaScript Security
- #AI Reverse Engineering
- #Claude Code Leak
- The internet reacted intensely to a 'leaked' source map file for Claude Code's CLI, but the actual bundled JavaScript code was already publicly accessible on npm.
- A source map file containing internal developer comments was included in an npm package by mistake; Anthropic confirmed this was a packaging error, not a security breach.
- Within a day, the leak sparked widespread activity including code dumps, a Rust rewrite (Claw Code) gaining rapid GitHub stars, and analysis sites cataloging unreleased features.
- Analysis revealed that Claude Code's minified JavaScript file contains plaintext system prompts, tool descriptions, and other sensitive data, with no real obfuscation, making it easily readable.
- This exposure is not unique to Anthropic; many companies inadvertently ship sensitive information in production JavaScript and source maps, a practice that matters more now that AI can analyze code.
- Traditional minification and obfuscation are insufficient against AI-powered reverse engineering, highlighting the need for new protection methods like irreversible transforms.
- AfterPack is being developed as a solution using non-linear, irreversible transformations to protect code, aiming to make reversal impossible even for advanced AI models.
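
A pre-publish check for the packaging error described above, as an added example that is not code from the original article, Anthropic, or AfterPack. It flags shipped `.map` files, maps that embed original sources in `sourcesContent`, and bundles that still reference a map; the function name, finding labels, and sample package are assumptions constructed for illustration.

```javascript
// Added example: flag source-map exposure in the files staged for an npm publish.
// `files` maps package-relative path -> contents; names and sample data are constructed.
const MAP_REF = /\/[/*][#@]\s*sourceMappingURL=([^\s*]+)/;

function auditPackageFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('.map')) {
      findings.push({ path, issue: 'source-map-file' });
      let map;
      try {
        map = JSON.parse(text);
        if (map === null || typeof map !== 'object') throw new Error('not an object');
      } catch {
        findings.push({ path, issue: 'unparseable-map' });
        continue;
      }
      // Index maps nest ordinary maps under sections[].map; flatten both shapes.
      const maps = Array.isArray(map.sections)
        ? map.sections.map((s) => s.map).filter(Boolean)
        : [map];
      // sourcesContent carries the original sources verbatim, comments included.
      const embedded = maps
        .flatMap((m) => (Array.isArray(m.sourcesContent) ? m.sourcesContent : []))
        .filter((s) => typeof s === 'string' && s.length > 0).length;
      if (embedded > 0) {
        findings.push({ path, issue: 'embedded-original-sources', count: embedded });
      }
    } else if (/\.[cm]?js$/.test(path)) {
      const ref = MAP_REF.exec(text);
      if (!ref) continue;
      findings.push(ref[1].startsWith('data:')
        ? { path, issue: 'inline-source-map' }
        : { path, issue: 'source-map-reference', target: ref[1] });
    }
  }
  return findings;
}

// Constructed sample package contents.
const samplePackage = {
  'package.json': '{"name":"example-cli","version":"1.0.0"}',
  'cli.js': 'run();\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': JSON.stringify({
    version: 3, file: 'cli.js', sources: ['../src/main.ts'], mappings: 'AAAA',
    sourcesContent: ['// internal note: remove before release\nexport function main() {}'],
  }),
  'lib/util.js': 'export const x=1;',
};
console.log(auditPackageFiles(samplePackage));
```

In a release pipeline, `files` would be filled from the file list that `npm pack --dry-run` reports, and any finding would fail the publish step.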