Skip to main content
PiniShv — AI, DevOps & Engineering Leadership
Background Image

The Claude Code Leak Isn't Dramatic. That's the Point.

·380 words·2 mins·
Pini Shvartsman
Author
Pini Shvartsman
Started in server rooms. Now I run engineering orgs where AI agents ship alongside humans. I’ve built teams across continents, infrastructure from first commit, and an AI hackathon that changed how 50+ engineers think about their craft. I write about all of it.
Table of Contents

The news
#

Anthropic’s Claude Code accidentally shipped internal source code in a release. The 2.1.88 update included a source map that exposed a large part of the TypeScript codebase. Anthropic said it was a packaging issue caused by human error. No customer data or credentials were exposed.

Not a dramatic breach. A very ordinary failure in build and release hygiene.

My take
#

That’s exactly why it matters.

I’m pro-AI coding tools. I use them. I want teams to use them more, not less. But the Claude Code story is a clean example of something I keep seeing: the boring operational layer is where AI-assisted teams get sloppy.

The dopamine is in generating the feature. Nobody celebrates a well-configured release pipeline. Nobody posts on LinkedIn about their source map exclusion rules. But that’s where this failure happened. Packaging. Build output. Release artifacts. The stuff that ships after the code is written.

AI makes code cheaper to produce. It doesn’t make it cheaper to own. And owning code means the tests, the reviews, the scans, the release checks, the governance, and the operational discipline that keeps the wrong thing from shipping. All the parts that aren’t fun and don’t feel productive.

This looks like it happened to Anthropic with their own tool. If it can happen there, it can happen on your team. Probably already has in a smaller way nobody noticed.

What to take from this
#

Treat release hygiene like security, not housekeeping. Source maps, build artifacts, internal configs. These aren’t details. They’re attack surface.

AI-generated code needs the same gates as any other code. The standard isn’t “the AI wrote it.” The standard is “would we be comfortable owning this in production?”

The risk isn’t the AI. It’s what you skip because you’re moving fast. AI doesn’t create new risks. It amplifies every old weakness you already had. Including the ones in your build pipeline.

The Claude Code leak is useful because it’s boring. Not a zero-day. Not a novel attack. A missed step in a release process. That’s the kind of thing that happens more, not less, when the whole team is focused on shipping faster.

Seen a similar “boring failure” on your team? I’d love to hear about it. Find me on X or Telegram.

Related

Cisco Built an LLM Security Leaderboard. You Should Care Even If You Don't Use Cisco.
·640 words·4 mins
AI Is Now Reviewing AI's Code. That Should Make You Think.
·624 words·3 mins
Glassworm Is Back. Your Code Review Won't Catch It.
·924 words·5 mins