Obfuscation is not security – AI can deobfuscate any minified JavaScript code (afterpack.dev) AI

The AfterPack blog argues the “Claude Code source leak” didn’t expose hidden code: Claude Code’s CLI JavaScript was already publicly accessible on npm, with only a source map accidentally revealing additional internal comments and file structure. It also contends the bundled code is minified rather than truly obfuscated, and that AI/AST parsing can extract large amounts of prompts, tool descriptions, and configuration strings directly from the minified bundle. Anthropic says the issue was a packaging mistake and not a security breach, noting similar source map exposure occurred before.