<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: ankaz</title><link>https://news.ycombinator.com/user?id=ankaz</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Tue, 14 Apr 2026 20:25:32 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=ankaz" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by ankaz in "Claude Code's source code has been leaked via a map file in their NPM registry"]]></title><description><![CDATA[
<p>The source repo doesn't have a package.json, so I extracted the version directly from the binary (~/.local/share/claude/versions/2.1.87)<p>Axios sets a VERSION constant that it uses in user-agent headers, boundaries and errors. I scanned the binary for all references like axios, isAxiosError and AxiosError - the code references the same variable namespace (X1H, Tj, eq), suggesting a single bundled copy. In the minified bundle, that VERSION constant was stored in a variable called X1H. Searching the binary for all references to X1H confirms it's only used in axios contexts:<p><pre><code>  var X1H="1.13.6"
  E.set("User-Agent","axios/"+X1H, ...)
  {tag:`axios-${X1H}-boundary`, ...}
  "[Axios v"+X1H+"] Transitional option ..."
  Tj.VERSION=X1H; Tj.AxiosError=eq; Tj.CancelToken=...
</code></pre>
The bundled version is 1.13.6 - well before the compromised 1.14.1. I also checked that "1.14.1", "plain-crypto", and "sfrclak.com" are all absent from the binary.</p>
]]></description><pubDate>Wed, 01 Apr 2026 00:05:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=47595113</link><dc:creator>ankaz</dc:creator><comments>https://news.ycombinator.com/item?id=47595113</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47595113</guid></item><item><title><![CDATA[New comment by ankaz in "Claude Code's source code has been leaked via a map file in their NPM registry"]]></title><description><![CDATA[
<p>I've checked: current Claude Code 2.1.87 uses Axios version 1.14.0, just one before the compromised 1.14.1.<p>To stop Claude Code from auto-updating, add `export DISABLE_AUTOUPDATER=1` to your global environment variables (~/.bashrc, ~/.zshrc, or such), restart all sessions and check that it works with `claude doctor`; it should show `Auto-updates: disabled (DISABLE_AUTOUPDATER set)`.</p>
]]></description><pubDate>Tue, 31 Mar 2026 12:43:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=47586524</link><dc:creator>ankaz</dc:creator><comments>https://news.ycombinator.com/item?id=47586524</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47586524</guid></item></channel></rss>