Idea: Competitive. Tags: SECURITY, CLI, DEVTOOL. Status: Live

A pre-publish scanner that strips source maps, secrets, and internal code from npm packages before they ship to the registry

Anthropic accidentally shipped 512K lines of Claude Code source code via an npm source map file that was never meant to be public. This happens constantly because .npmignore and the files field in package.json are easy to misconfigure: without a files allowlist, npm publishes everything not excluded by .npmignore (or .gitignore when no .npmignore exists), including build output such as .map files. The resulting repo got 100K+ stars in days as people reversed the entire codebase. This tool scans your npm package before publish, catches source maps, leaked environment variables, internal documentation, and accidentally included files, then blocks the publish until you fix it.

Demand Breakdown

GitHub: 101,000
X: 18,899
Reddit: 6,500
HN: 4,100

Gap Assessment

Competitive: multiple tools exist but differentiation opportunities remain

Three tools exist (npm-packlist, Socket.dev, Secretlint), but each leaves a gap: npm-packlist only lists files, with no content scanning, secret detection or source map analysis; Socket.dev works post-publish on the consumer side, with no pre-publish prevention and no deep source map analysis; Secretlint is a general-purpose secret scanner that is not npm-publish-aware. None of them stops a leaking tarball on the publisher's side before it reaches the registry.

Features (4 agent-ready prompts)

CLI that runs before npm publish, scans the package tarball for secrets (API keys, tokens, passwords), and blocks publish if found
Parser that detects embedded source maps, inline source content, and webpack devtool artifacts that would expose original source code
Pre-commit hook and CI action that runs the scanner automatically on every publish attempt and fails the pipeline on violations
Tool that scans your already-published npm packages on the registry and reports which versions contain leaked secrets or source maps

Competitive Landscape

Product: npm-packlist
  Does: Lists files that npm pack would include
  Missing: No content scanning, no secret detection, no source map analysis, just file listing

Product: Socket.dev
  Does: Scans npm packages for supply chain attacks post-publish
  Missing: Post-publish only, no pre-publish prevention, no source map deep analysis, consumer-side not publisher-side

Product: Secretlint
  Does: Scans files for hardcoded secrets using pattern matching
  Missing: General-purpose, not npm-publish-aware, no source map analysis, no package.json files field checking

Leads (40 builders)

@shoucccc
@gabrielanhaia
@varshithvhegde
@marc.bara.iniesta
@mgupta70
@kolkov
@Kuberwastaken
@instructkr
40 people already want this
