Jonny Teardown

Description

Teardown by the engineer 'Jonny (good kind)' of the leaked Claude Code source, elevated to HackerNews from r/BetterOffline. Core claim: all five known CVEs (two from Round 19 and three from Round 20) share the root cause CWE-78 (OS command injection via unsanitized string interpolation) across which.ts, promptEditor.ts, auth.ts, and the execa call sites. A single architectural review in 2024 would have prevented all five. Characterizes the codebase as showing velocity-pressure symptoms (god functions, deep nesting, inconsistent error handling, unsanitized inputs passing through multiple layers): 'not malicious, just hurried.' Frames the recursive irony: 18 security modules around Bash, yet credential exfiltration via uncontrolled environment variables still shipping in v2.1.91.

Key claims

Relations

Sources

src-20260409-f5e09e325670