Security

Claude Code doesn’t use MCP as a plugin system. It is MCP. On March 31, 2026, Anthropic shipped a 59.8 MB source map by accident in npm package @anthropic-ai/claude-code v2.1.88. Developers got a rare look at how a real AI coding agent works. Every capability in Claude Code (file reads, bash, web fetches, Computer Use, IDE bridges) runs as a single permission-gated MCP tool call. There is no special internal API. Third-party MCP servers you connect get the same execution path, permission checks, and error handling as Anthropic’s own built-in tools.

One missing line in a build config caused the worst source leak in AI tooling history. On March 31, 2026, Anthropic shipped version 2.1.88 of its @anthropic-ai/claude-code package with a 59.8 MB JavaScript source map inside. That map held the full client agent harness for Claude Code : 512,000 lines of readable TypeScript in 1,906 files. Mirrors of the code spread thousands of times in hours. A clean-room Python/Rust rewrite then became the fastest-growing repo in GitHub history. Anthropic’s legal response hit the wrong targets. The day got worse: a supply-chain attack hit the axios npm package, piling on for devs who rely on these tools.

You can build a self-contained pen testing lab on a Raspberry Pi 5 running Kali Linux ARM64. Add a battery HAT, a 7-inch display, and a wireless adapter that does packet injection. Total cost lands between $200 and $250. The result is a pocket-sized hacking kit that runs Nmap, Burp Suite, Wireshark, Aircrack-ng, and Metasploit in the field, at CTF events, or on jobs where you can’t lug a laptop.

Cloud security camera fees have quietly become one of the priciest bills in the smart home. At $10 to $30 per camera each month, a full setup runs $500 to $1,000 a year. You pay that to have your own footage handled on someone else’s servers. Frigate NVR changes the math. Paired with a Google Coral TPU , it runs real-time AI person and object detection across many 4K streams. Inference times stay in the single-digit milliseconds. It all runs on hardware you own, on a network that never phones home.