The days after March 31 were educational.
Anthropic’s Claude Code shipped an npm package that included a 59.8 MB source map – the file that points a minified bundle back at its original TypeScript. The build toolchain generates those maps by default. Someone forgot to add *.map to .npmignore. The npm registry, efficient as ever, packaged everything that wasn’t explicitly excluded. Result: 512,000 lines of internal TypeScript, 1,906 files, live on the public registry. The Register confirmed it. VentureBeat confirmed it. Anthropic admitted human error.
That was the boring part.
The interesting part was what happened in the 72 hours after.
A tweet went up from a “Kevin Naughton Jr.,” an engineer claiming he had been fired by Anthropic for the mistake, narrating the whole thing in the emotional register of a genuine mea culpa. He wasn’t an Anthropic employee. He turned out to be, per the debunking, a fishing YouTuber farming engagement for their own product. The biography behind the confession was fiction; the confession itself was wrapped around a real event.
Meanwhile, a developer named Sigrid Jin published claw-code, a clean-room Python rewrite of the leaked Claude codebase. Legitimate work, documented process, real author. It hit 75,000 GitHub stars in roughly two hours – possibly the fastest-growing repository in GitHub’s history. Alongside it, within the same day, dozens of other forks appeared. Some benign. Some incompetent. Some, security researchers quickly flagged, carrying active malware payloads. Same week, same registry, same visual grammar – commits, READMEs, CI badges, contributor graphs. All of it looked legitimate at a glance.
Why? Because the heuristics developers used to judge a repository – commit history, code quality, documentation, star count, contributor profile – are now trivially fabricatable.
You can generate a six-month commit history with plausible message cadence in an evening.
You can write a believable architectural README in ten minutes. Stars can be bought for pocket money.
A contributor profile can be hydrated with an AI bio, an AI avatar, and just enough AI-generated toy repos that the person looks like someone who codes on weekends.
Every signal we used to rely on, AI can manufacture. Faster than a human faker, at scale, in the voice and style of whatever community you want to appear inside. The Potemkin village used to take a team of carpenters and months of planning. Now it can take an afternoon.
The Naughton lie is the case study in miniature: a real event, wrapped in another fake event, amplified by pressure narratives (“download before DMCA!”), and blended with real parallel news – the Axios npm compromise just landed, too – to borrow credibility from a genuine attack.
Pre-AI, assembling this kind of coordinated deception needed a week and a team. Post-AI, a weekend can be enough.
Can we catch the scam? It depends on your paranoia skills. Some younger audiences might not have the muscle memory of “wait a minute” and will click hastily. Somehow, you have to be hurt to understand pain, and that applies biologically, cognitively, psychologically, to whatever human experience you name.
Clicking into claw-code’s 75k stars and pausing to verify Sigrid Jin before cloning.
Reading the Naughton tweet and noticing the cadence felt slightly too clean for a man who’d just been fired.
Hovering over one of the suspicious forks, that small moment where you stopped to check the commit signatures.
The worst of it isn’t the deliberate fraud. It’s the ambient competence illusion.
AI tools let anyone produce developer-grade artefacts without developer-grade judgement. The output looks senior; the operator often can’t explain what they shipped. Ask about a design decision and the answer is “the model suggested it.”
That’s the whole spectrum now – from genuine researchers through clout-chasers to actual malware distributors – all using the same tools, all producing the same surface finish.
So what’s left as a trust signal, once commit history and code quality are cosmetic? Provenance, at the cryptographic level – signatures on releases, reproducible builds, verified authors. Time – a repository created the same day as a “leak” is a red flag; five years of track record isn’t a guarantee either, just a harder forgery. Architectural understanding – can the author explain their own code? That conversation, held honestly, can be the Turing test for the AI age. And the old disciplines: maybe cargo audit, lockfile diffs, never installing anything under urgency.
None of these are novel. What is novel is that they are no longer optional. The visual signals that used to carry eighty percent of the trust decision carry about twenty percent now.
The rest is slow, boring verification work – the kind AI can’t shortcut for you.
“Looks legitimate” isn’t.
Bogdan Susala, April 2026