Question of the Day

Question of the day · 2026-04-01

One question per day to look beyond the headlines.

How can a harmless “source map” in a public npm release enable reconstruction of 500,000 lines of code?

Take-away: Source maps embed a full “inverse” mapping from bundled/minified JS back to original per-file TypeScript, so shipping them makes the release a reconstruction blueprint.

A "source map" is designed to map between the minified and the original source code, mainly for debugging purposes. However, when a source map file is accidentally included in a public npm package, as in the case of Anthropic's Claude Code, it exposes the unobfuscated TypeScript source code associated with it. This inclusion allows anyone with access to the map file to reconstruct the original code, which was approximately 512,000 lines across about 1,900 files in this incident [1], [2]. The source map essentially serves as a blueprint for reassembling the entire original codebase from the minified version included in the package.
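A pre-publish check for this exposure, as an added example that is not from the original page or from any project it mentions: in the Source Map v3 format the original text of each file travels in the optional `sourcesContent` array, so the audit flags every external or inline map that carries it. The names `auditPackage`, `parseMap` and the sample files are hypothetical.

```javascript
// Added example: pre-publish audit for source maps that carry original source.
// `files` is a hypothetical in-memory view of a package tarball: { path: text }.
const INLINE_MAP = /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+/=]+)/;

function parseMap(text) {
  try {
    const map = JSON.parse(text);
    return map && map.version === 3 && Array.isArray(map.sources) ? map : null;
  } catch {
    return null; // not JSON, so not a source map
  }
}

function auditPackage(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    let map = null, kind = null;
    const inline = INLINE_MAP.exec(text);
    if (path.endsWith('.map')) {
      [map, kind] = [parseMap(text), 'external'];
    } else if (inline) {
      [map, kind] = [parseMap(Buffer.from(inline[1], 'base64').toString('utf8')), 'inline'];
    }
    if (!map) continue;
    // sourcesContent[i] holds the full original text of sources[i] (or null).
    const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
    const recoverable = map.sources
      .map((name, i) => ({ name, text: contents[i] }))
      .filter((s) => typeof s.text === 'string');
    findings.push({
      path, kind, sources: map.sources.length,
      recoverableFiles: recoverable.map((s) => s.name),
      recoverableLines: recoverable.reduce((n, s) => n + s.text.split('\n').length, 0),
    });
  }
  return findings;
}

// Constructed sample data, not taken from any real package.
const sampleMap = JSON.stringify({
  version: 3, file: 'cli.js', mappings: 'AAAA',
  sources: ['../src/main.ts', '../src/util.ts'],
  sourcesContent: ['export function main(): void {\n  run();\n}', null],
});
const sampleFiles = {
  'dist/cli.js': 'function a(){b()}\n//# sourceMappingURL=cli.js.map\n',
  'dist/cli.js.map': sampleMap,
  'dist/inline.js': 'var x=1;\n//# sourceMappingURL=data:application/json;base64,' + Buffer.from(sampleMap).toString('base64') + '\n',
};
console.log(auditPackage(sampleFiles));
```

In a release pipeline the same check would run over the unpacked output of `npm pack` and fail the build on any finding with a non-empty `recoverableFiles` list.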

Sources · 2026-04-02