[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-claude-code-source-map-leak-51w-lines-en":3,"article-related-claude-code-source-map-leak-51w-lines-en":25,"series-tools-de197745-7ee4-4b70-b33a-797c7c5f9a76":77},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":11,"views":22,"created_at":23,"published_at":24,"topic_cluster_id":11},"de197745-7ee4-4b70-b33a-797c7c5f9a76","claude-code-source-map-leak-51w-lines-en","Claude Code source leak: 510,000 lines of code exposed","\u003Cp>In the early hours of March 31, 2026, security researcher \u003Ca href=\"https:\u002F\u002Fx.com\u002FFried_rice\" target=\"_blank\" rel=\"noopener\">Chaofan Shou\u003C\u002Fa> found that the official npm package from \u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\" target=\"_blank\" rel=\"noopener\">Anthropic\u003C\u002Fa> shipped with a usable Source Map. Within a few hours, the complete TypeScript source of \u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> v2.1.88 had been reconstructed: roughly 510,000 lines spread across more than 1,900 files.\u003C\u002Fp>\u003Cp>The incident drew wide discussion not merely because “the source code was seen”, but because it happened to an AI product built around developer workflows. \u003Ca href=\"\u002Fnews\u002Fclaude-code-leak-vidar-malware-github-en\">Claude Code\u003C\u002Fa> already carries the label of “helping you write, modify, and read code”, and now its own code has been taken apart in the same way.\u003C\u002Fp>\u003Cp>If you normally think of a Source Map as just a front-end debugging file, this incident is a reminder: once a single link in the build process, the release process, or access control comes loose, source code, comments, directory structure, and internal module names can all leak together.\u003C\u002Fp>\u003Ch2>What exactly was leaked\u003C\u002Fh2>\u003Cp>According to public information, the core of the leak is neither model weights nor user data, but the TypeScript source of the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> client. To outsiders, a leak like this is highly valuable because it directly shows how the product organizes its capability boundaries, how it invokes local tools, and how it makes permission decisions.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775185440258-f9n2.png\" alt=\"Claude Code source leak: 510,000 lines of code exposed\" 
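class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>For security researchers and competing teams, code like this is far more useful than a marketing page. You can see the real error handling, command invocation, context assembly, logging instrumentation, and patch logic, and even tell where the team made trade-offs.\u003C\u002Fp>\u003Cul>\u003Cli>Leaked version: Claude Code v2.1.88\u003C\u002Fli>\u003Cli>Code size: about 510,000 lines\u003C\u002Fli>\u003Cli>Number of files: 1,900+\u003C\u002Fli>\u003Cli>Leak vector: the Source Map in the npm package\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Source Maps exist to help debug minified front-end code, but many teams ship them to production along with the release. Unless the configuration is tightened, browsers, packet-capture tools, or the public package contents can all be used to piece the original source back together.\u003C\u002Fp>\u003Cp>That is why this kind of incident is so chilling: it is usually not a sophisticated operation of “breaking into a server” but a release detail that got out of control.\u003C\u002Fp>\u003Ch2>Why the Source Map becomes the entry point\u003C\u002Fh2>\u003Cp>The Source Map mechanism is not complicated. Front-end or bundled code keeps a mapping file that maps positions in the minified code back to the original source. It is convenient during development and especially handy when troubleshooting, but if access is not strictly restricted after release, it exposes a lot of information that was never meant to be public.\u003C\u002Fp>\u003Cp>In AI tools, this risk is amplified. Such products typically combine local command execution, file reads and writes, context management, permission prompts, and remote API calls, so once the code is fully reconstructed, outsiders can more easily determine where its security boundaries are drawn.\u003C\u002Fp>\u003Cp>The incident also illustrates an old problem: many teams underestimate the difference between “source code being public” and “the product being usable”. A feature that runs does not mean debugging assets belong in the release artifact; passing tests does not mean the production package may keep enough clues to reconstruct the internal implementation.\u003C\u002Fp>\u003Cblockquote>“Security is a process, not a product.” — Bruce Schneier\u003C\u002Fblockquote>\u003Cp>The saying is old, but it remains accurate today. A leak does not automatically mean disaster; what is truly dangerous is a team treating small oversights in the release pipeline as low-risk items, until they link up into a complete attack surface in the public environment.\u003C\u002Fp>\u003Ch2>How this differs from other source code leaks\u003C\u002Fh2>\u003Cp>Source code leaks are nothing new; browser extensions, mobile apps, and Electron clients have all had similar problems. What makes \u003Ca href=\"\u002Fnews\u002Fclaude-code-leak-reveals-hidden-features-en\">Claude Code\u003C\u002Fa> special is that it is not a fringe tool but an AI coding product aimed directly at developers' daily work. Once its implementation details are exposed, the impact is not only on brand image but also on how outsiders judge its security design.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775185436050-ugm9.png\" alt=\"Claude Code source leak: 510,000 lines of code exposed\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>Then consider the scale: 510,000 lines and 1,900+ files is no longer “a rough look” but enough for system-level analysis. Compared with incidents that leaked only a few bundles or a single page, this one is more like laying the entire engineering structure out on the table.\u003C\u002Fp>\u003Cul>\u003Cli>Ordinary web page leak: usually a few JS bundles plus mapping files\u003C\u002Fli>\u003Cli>Desktop client leak: common with Electron packages, exposing more local logic\u003C\u002Fli>\u003Cli>AI 
coding tool leak: exposes core implementation such as command execution, permission prompts, and context handling\u003C\u002Fli>\u003Cli>This leak: 510,000 lines of source, 1,900+ files, higher information density\u003C\u002Fli>\u003C\u002Ful>\u003Cp>This will also affect how outsiders assess Anthropic's engineering process. A product like Claude Code emphasizes “helping developers write code faster”, yet its own release pipeline exposed a typical packaging and distribution risk. The contrast is stark.\u003C\u002Fp>\u003Cp>For competitors, the leak is more like a low-cost product teardown. For security practitioners, it is more like a living textbook: if your release package still contains reversible debugging information, sooner or later someone will dig it out.\u003C\u002Fp>\u003Ch2>What development teams should learn from this\u003C\u002Fh2>\u003Cp>The most direct lesson: a pre-release checklist cannot cover only feature items; it must also check whether debugging assets, mapping files, symbol tables, and internal logs are being packaged along. Many incidents happen not because the code is wrong but because the delivery process assumes “nobody will look at these files”.\u003C\u002Fp>\u003Cp>The second lesson is least privilege. Even if a Source Map is made public, it should not point directly to a downloadable complete source repository or expose the internal directory structure too clearly. The more a product targets developers, the easier it is to assume “the users are technical”, but that does not justify relaxing release constraints.\u003C\u002Fp>\u003Cp>The third lesson is more practical: AI tools are becoming new high-value targets. They touch code, credentials, terminals, and cloud APIs, and any leaked implementation detail may be used for reverse engineering, auditing, or even building more precise attack chains.\u003C\u002Fp>\u003Cul>\u003Cli>Disable public access to production Source Maps before release\u003C\u002Fli>\u003Cli>Strip debugging files from release artifacts\u003C\u002Fli>\u003Cli>Check distribution channels such as npm, PyPI, and container images\u003C\u002Fli>\u003Cli>Audit the local execution permissions of AI tools separately\u003C\u002Fli>\u003C\u002Ful>\u003Cp>If you are building a similar product, this incident is a reason to re-review your CI\u002FCD configuration right away. Many companies spend a great deal of time defending against model jailbreaks but forget to clean up their own release packages first.\u003C\u002Fp>\u003Cp>If you are an ordinary developer, the incident is directly relevant too: when you enable Source Maps in a project, upload sourcemaps to a third-party service, or push debug builds to a test environment, it is best to assume they will one day end up in public view.\u003C\u002Fp>\u003Ch2>Conclusion: this is not gossip, it is an alarm for release engineering\u003C\u002Fh2>\u003Cp>On the surface, the Claude Code source leak is an information leak; in substance, it is a release-engineering mistake amplified in public. For Anthropic, the question most in need of an answer is not “what to do now that the source has been seen” but “why an artifact this reversible appeared in the public distribution chain”.\u003C\u002Fp>\u003Cp>What deserves the most attention next is not gawking at the code itself but whether Anthropic will adjust its release strategy, tighten Source Maps, and re-examine the packaging standards for its AI client. For everyone building front-end, desktop, or AI tools, this incident can be turned directly into a checklist: how much is still in your production package that should not be downloadable?\u003C\u002Fp>\u003Cp>If you are not sure of the answer yourself, check right now.\u003C\u002Fp>","The source code of Anthropic's Claude Code v2.1.88 was exposed through a Source Map; about 510,000 lines and 1,900+ files were downloaded, exposing security details along with them.","www.zhihu.com","https:\u002F\u002Fwww.zhihu.com\u002Fquestion\u002F2022394365436248248",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775185440258-f9n2.png","tools","en","507dbb52-7633-4a01-a73b-14abab4a2201",[17,18,19,20,21],"Anthropic","Claude Code","Source 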
Map","source code leak","AI tools",8,"2026-04-03T03:03:37.831788+00:00","2026-04-03T03:03:37.799+00:00",{"tags":26,"relatedLang":36,"relatedPosts":40},[27,29,31,34],{"name":18,"slug":28},"claude-code",{"name":17,"slug":30},"anthropic",{"name":32,"slug":33},"source map","source-map",{"name":21,"slug":35},"ai工具",{"id":15,"slug":37,"title":38,"language":39},"claude-code-source-map-leak-51w-lines-zh","Claude Code 源碼外流：51萬行曝光","zh",[41,47,53,59,65,71],{"id":42,"slug":43,"title":44,"cover_image":45,"image_url":45,"created_at":46,"category":13},"469d5667-8af3-4612-91e0-98a113f8deb0","sora-ai-2026-realistic-video-generation-guide-en","Sora AI in 2026: realistic video generation guide","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782774173362-kpwd.png","2026-06-29T23:02:21.735423+00:00",{"id":48,"slug":49,"title":50,"cover_image":51,"image_url":51,"created_at":52,"category":13},"b4c562fc-e04e-448c-83b4-d498c1306c62","pixelrag-screenshots-retrievable-context-en","PixelRAG turns screenshots into retrievable context","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782759806056-apni.png","2026-06-29T19:02:59.90502+00:00",{"id":54,"slug":55,"title":56,"cover_image":57,"image_url":57,"created_at":58,"category":13},"426e735b-aedc-45a9-bf1c-7e84ece9493e","codex-deepseek-v4-pro-moark-setup-en","Connecting Codex to DeepSeek-V4-Pro: usable in three steps","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782738173484-wn38.png","2026-06-29T13:02:25.248526+00:00",{"id":60,"slug":61,"title":62,"cover_image":63,"image_url":63,"created_at":64,"category":13},"3fb3a982-e726-4b72-af23-5fa3294d18bc","devin-ai-alternatives-real-workflows-en","Devin AI Alternatives That Fit Real 
Workflows","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782732808399-w5eg.png","2026-06-29T11:32:58.823843+00:00",{"id":66,"slug":67,"title":68,"cover_image":69,"image_url":69,"created_at":70,"category":13},"2d074071-d7aa-454e-bdee-da0a52c0ea66","claude-code-turns-agent-setup-into-terminal-work-en","Claude Code turns agent setup into terminal work","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782731910708-9ol7.png","2026-06-29T11:18:02.20016+00:00",{"id":72,"slug":73,"title":74,"cover_image":75,"image_url":75,"created_at":76,"category":13},"8008013b-982a-4d2d-879f-7010a7fe4c14","best-ai-coding-agent-2026-ranked-benchmarks-en","Best AI Coding Agent 2026, Ranked by Benchmarks","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782730991658-n99x.png","2026-06-29T11:02:39.121798+00:00",[78,83,88,93,98,103,108,113,118,123],{"id":79,"slug":80,"title":81,"created_at":82},"8008f1a9-7a00-4bad-88c9-3eedc9c6b4b1","surepath-ai-mcp-policy-controls-en","SurePath AI's New MCP Policy Controls Enhance AI Security","2026-03-26T01:26:52.222015+00:00",{"id":84,"slug":85,"title":86,"created_at":87},"27e39a8f-b65d-4f7b-a875-859e2b210156","mcp-standard-ai-tools-2026-en","MCP Standard in 2026: Integrating AI Tools","2026-03-26T01:27:43.127519+00:00",{"id":89,"slug":90,"title":91,"created_at":92},"165f9a19-c92d-46ba-b3f0-7125f662921d","rag-2026-transforming-enterprise-ai-en","How RAG in 2026 is Transforming Enterprise AI","2026-03-26T01:28:11.485236+00:00",{"id":94,"slug":95,"title":96,"created_at":97},"6a2a8e6e-b956-49d8-be12-cc47bdc132b2","mastering-ai-prompts-2026-guide-en","Mastering AI Prompts: A 2026 Guide for 
Developers","2026-03-26T01:29:07.835148+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"3ab2c67e-4664-4c67-a013-687a2f605814","garry-tan-open-sources-claude-code-toolkit-en","Garry Tan Open-Sources a Claude Code Toolkit","2026-03-26T08:26:20.245934+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"66a7cbf8-7e76-41d4-9bbf-eaca9761bf69","github-ai-projects-to-watch-in-2026-en","20 GitHub AI Projects to Watch in 2026","2026-03-26T08:28:09.752027+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"9f332fda-eace-448a-a292-2283951eee71","practical-github-guide-learning-ml-2026-en","A Practical GitHub Guide to Learning ML in 2026","2026-03-27T01:16:50.125678+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"1b1f637d-0f4d-42bd-974b-07b53829144d","aiml-2026-student-ai-ml-lab-repo-review-en","AIML-2026 Is a Bare-Bones Student Lab Repo","2026-03-27T01:21:51.661231+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"6d1bf3f6-e191-4d30-b55b-8a0722fa6afe","ai-trending-github-repos-and-research-feeds-en","AI Trending Tracks Repos and Research Feeds","2026-03-27T01:31:35.709532+00:00",{"id":124,"slug":125,"title":126,"created_at":127},"010539a1-4c3a-4bd3-937a-26616422ee0d","awesome-ai-for-science-research-tools-map-en","Awesome AI for Science Is Becoming a Real Research Map","2026-03-27T01:46:50.89513+00:00"]