Anthropic's 500k lines of Claude Code Exposed via Missing Exclusion Rule

SonarQube is awesome for catching bugs and messy code early, but it was all manual. Devs push to feature branches? Scan gets forgotten. Main branch? Never scanned ’cause we only merge via MRs. Code quality issues? They snuck through until review time. Frustrating! So I hacked together this Git pre-push hook called PushScan. Now, every single push auto-runs SonarQube on your branch and main – no extra work. Here’s how it rolls: • Hooks fire in the background on push (npm install sets it up automatically). • Analyzes both branches back-to-back, tags them with branch name + timestamp so you can track on the dashboard. • Pushing straight to main? Just one scan, no duplicates. • Can’t connect (offline, no scanner)? Push goes through anyway, errors logged locally. • Bonus: `npm run scan` for manual runs anytime. Tried CI/CD first, but our runners couldn’t hit the internal Org SonarQube server (DNS fails on Linux, timeouts on Windows). Dev machines work fine since they’re on the same network – problem solved! Impact? Every push now keeps the dashboard fresh. We’ve already spotted issues way earlier. Super lightweight too – grab it for your Playwright or any Node project. QA peeps, what’s your trick for code scans? Hit reply if you want the code – let’s chat! #Playwright #SonarQube #QAAutomation #CodeQuality #GitHacks

Stop leaking your source code. 🛑 I recently analyzed Claude code issue where production .map files were left publicly accessible. It’s a common but critical blunder that allows anyone to reverse-engineer minified bundles back into your original TypeScript source code. How to stay secure (My approach): * Debug Locally: Generate source maps locally to map cryptic production errors (e.g., Line 1, Col 5000) back to the exact TS line without ever uploading the map file. * Server-Side Blocking: If maps must be on the server, use Nginx rules to explicitly deny all access to any file ending in .map. * CI/CD Discipline: Ensure build artifacts are stripped of maps during the production pipeline and verify they are strictly listed in your .gitignore. Security isn’t just about the code you write; it’s about how you protect the build. #SoftwareEngineering #WebSecurity #TypeScript #DevOps #SeniorDeveloper #CodingTips #claudecode

512,000 lines of Anthropic's proprietary code leaked through a single misconfigured file in their npm package. A $60B company. World-class engineers. And the root cause was a missing .npmignore entry. This wasn't a sophisticated attack. It was a build pipeline blind spot that exists in most engineering teams right now. Bun, Webpack, esbuild, and Vite all generate source maps by default. If nobody explicitly strips them before publish, your source ships with the bundle. What most people missed: this happened the same day as a separate supply chain attack on axios. Two malicious npm packages deploying a RAT on developer machines. While 84,000 developers were starring leaked repos, attackers were exploiting the chaos. I broke down the incident into a 15-point build pipeline security checklist covering three areas most teams neglect: 1. Build hardening: source map stripping, artifact size checks, pre-publish validation 2. Secrets & credentials: vault centralization, log sanitization, automated rotation 3. Release guardrails: 2-person approval, dependency auditing, incident response plans Every item maps directly to something the Claude Code leak exposed. No theory, just what actually went wrong and how to prevent it. Attached the full checklist as a carousel. Share it with your engineering team. #BuildSecurity #EngineeringLeadership #DevSecOps

Watching the Anthropic GitHub situation unfold recently was a sobering moment for anyone running an engineering team. A minor misconfiguration leaked some internal code. To contain it, an automated DMCA script was deployed. But the script couldn't distinguish between the leaked secret and legitimate developer forks. Thousands of innocent projects got caught in the crossfire before the manual "undo" button was hit. It highlights a tension we are all dealing with: the speed of automation versus the nuance of human judgment. We are building incredibly fast automated defenses to protect our perimeters. But when those scripts are given the authority to execute, like issuing a takedown, without a human circuit breaker, the blast radius is entirely unpredictable. If a critical alert goes off in your infrastructure today, how much autonomy does your containment script have? #CTO #Security #DevOps

Anthropic just exposed 512,000 lines of Claude Code's source. Not from a hack. From a misconfigured .npmignore. — Years ago, I did something similar. I hardcoded a secret key directly in the frontend. Pushed it to a public repo. Didn't notice until it was already there — indexed, visible, searchable. I had to rewrite the git history by force just to erase it. It worked. But I spent two hours sweating over a mistake that took two seconds to make. — The scale is different. The lesson is identical: Configuration files are security artifacts. Not cleanup. Not optional. Not "I'll fix it later." — Anthropic confirmed no customer data was exposed. But their internal architecture — 1,900 TypeScript files — is now on GitHub with 80,000+ forks. That doesn't go away. — Three things I do now because of that mistake: .env files in .gitignore before the first commit. Not after. Source maps never ship to production. Build config enforced, not trusted from memory. Pre-publish checklist automated. Human error is inevitable — the system around it doesn't have to be. — If it can happen to a $19B company, it already almost happened to you too. What's the one config mistake you caught before it became a real problem? — #SoftwareEngineering #DevOps #Cybersecurity #CleanCode

I have a stale-cache bug in docker/buildx with the GHA cache backend. I have the production log. I built a minimal repro repo. I ran eight experiments matching every condition I could identify. The bug is real, and I cannot make it happen twice. Here's why that's still useful. Two weeks ago, a build shipped an image to production without a Settings field that the source code had added. CI was green. The container crashed at runtime on the missing field. I cache-busted with a .build-bust file, blogged the incident, and moved on. Yesterday I went back with gh run view. The production buildkit output is unambiguous: #14 [builder 4/7] COPY . /app CACHED #17 [stage-1 5/5] COPY . /app CACHED Both COPY layers hit cache. The commit right before that build added the field. The cache key matched anyway. So I built a minimal repro repo and ran eight experiments, each matching more of production: — Single-stage Dockerfile — Multi-stage simple — Multi-stage with arm64 via QEMU — Pinned buildkit to the exact production version — Production-shaped Dockerfile (pyproject + uv sync + venv COPY) — Cross-workflow-run cache priming — Bulked context to ~production size — Three consecutive build-push-action calls with overlapping cache-from/cache-to, push:true to a real registry Every single experiment correctly invalidated the cache. The bug refused to fire. I also found the most likely contributor: the production workflow used three consecutive build-push-action calls with overlapping cache writes — a pattern that got removed in an unrelated performance refactor nine days after the bug hit. The bug hasn't come back since. Correlation is suggestive. Causation is not proven. I can't fix what I can't reproduce. But I can detect it. I built a post-build verification script that hashes files inside the image and compares against the source tree. If they don't match, the build fails before the stale layer ships. Full forensic chronicle, all eight experiments, the github issue links, and the verification tool are in the post linked in the first comment. #platformengineering #docker #cicd #githubactions

"Review this code for security issues." You've typed that 5 times today. Yesterday too. The day before that. Stop. Commands fix this permanently. A command is just a markdown file with your prompt saved inside. Write it once, save it as /review, and type /review instead of the full prompt. Forever. 10 commands every dev team should have: /review — Security-focused code review /test — Generate matching tests /docs — Auto-generate API docs /commit — Conventional Commit messages /refactor — Safe modernization /debug — Find & fix bugs /explain — Explain complex code /migrate — Framework upgrades /perf — Performance analysis /security — OWASP vulnerability scan The setup takes 30 seconds: Copilot: Create .github/prompts/review.prompt.md Claude Code: Create .claude/commands/review.md Both support variables (${selection}, $ARGUMENTS) so your prompts are dynamic. Best part? Git push = entire team gets the same commands instantly. Swipe through the carousel for: -> 10 commands available now -> How commands work (4 steps) -> Copilot vs Claude Code comparison -> Real /review command example -> Power features (variables, metadata, nesting) Which command would you create first? A) /review — code review B) /test — test generator C) /docs — doc generator D) /commit — commit messages Drop your answer in the comments! #Commands #PromptFiles #GitHubCopilot #ClaudeCode #AIDevTools #intellisavvy

The software ecosystem experienced a brief but significant breach on March 24, 2026 that went almost unnoticed, underscoring how fragile even well-established development pipelines have become. As a result of a threat actor operating under the name...

Most bugs in solo dev aren't bugs. They're stale assumptions you wrote down two weeks ago that nobody invalidated when the code moved underneath them. Just shipped a fix for that in Nella. When a file in the dependency graph changes, every assumption that referenced it gets auto-invalidated. You can't act on a contradiction without seeing it first. Three weeks ago I would have lost half a day to one of these. Today the system surfaces them at the moment of drift. Not a flashy feature. The kind that pays back every week for the rest of the project.