Claude Code Source Leak: When AI Exposes Its Own Internals
A pathing oversight in an AI-generated deployment config exposed internal system prompts and source files to the public internet.
The Incident
In early 2026, a security researcher discovered that a popular AI-powered development tool was inadvertently serving internal files through a misconfigured static asset path. System prompts, internal documentation, and configuration files were accessible via direct URL requests.
The root cause? An AI-generated deployment configuration that mapped a parent directory instead of the intended subdirectory. A single ../ too many in a path resolution.
How It Happened
The deployment pipeline was scaffolded by an AI assistant. The relevant line looked something like this:
assets: { directory: "./dist" }But the build step placed compiled assets in a nested subdirectory, while the source tree — including internal prompts and configuration — lived one level up. The static file server happily served everything under the mapped path, including files that were never meant to be public.
The Pattern
This is a recurring pattern in AI-generated infrastructure code. The AI understands the syntax of configuration files perfectly. It generates valid YAML, valid JSON, valid TOML. But it doesn’t understand the security implications of directory traversal in the context of a specific deployment platform.
A human DevOps engineer would instinctively scope static asset paths as narrowly as possible. An AI assistant optimizes for “it works” — and a broader path mapping works just as well as a narrow one, functionally speaking.
What Was Exposed
- Internal system prompts that revealed proprietary reasoning strategies
- Configuration files containing service endpoints and internal API schemas
- Development documentation not intended for public consumption
No credentials or user data were exposed in this particular incident, but the reputational damage was significant.
Remediation
- Audit all static asset mappings to ensure they point to the narrowest possible directory.
- Add a
robots.txtand explicit deny rules for sensitive paths. - Implement automated scanning that checks for unintended file exposure on every deployment.
- Never trust AI-generated path configurations without verifying the directory tree they actually expose.
The Lesson
AI assistants generate code that is syntactically correct but contextually naive. They don’t model threat vectors. They don’t think about what else a directory contains. Automated post-deployment scanning is the safety net that catches what code review misses.