/tags/anti-distillation/ Recent content in Anti-Distillation on Napat's Inverse Blog Hugo en-us Tue, 31 Mar 2026 20:30:00 +0700 /ai-analysis/inside-the-machine-what-agentic-code-tool-source-reveals-about-ai-security/ Tue, 31 Mar 2026 20:30:00 +0700 /ai-analysis/inside-the-machine-what-agentic-code-tool-source-reveals-about-ai-security/ <p>In March 2026, someone extracted the complete source code of Claude Code from an npm package and published it to GitHub. No modifications. No commentary. Excluding generated code, lock files, and test fixtures — roughly 512,000 lines of TypeScript, dumped into a repository with a single commit.</p> <p>How this happened is itself a security lesson. Anthropic published version 2.1.88 of their npm package with a production source map file — <code>cli.js.map</code>, weighing in at 59.8 MB — that contained the original TypeScript source, comments and all. A misconfigured <code>.npmignore</code> or a build pipeline that skipped artifact scanning, depending on who you ask. The file was there for anyone to extract. Security researcher Chaofan Shou was the first to notice.</p>