Apple’s web App Store source code leak triggers massive GitHub DMCA purge

Apple has forced GitHub to delete over 8,270 repositories after the company’s revamped web App Store accidentally exposed its entire front-end source code just hours after launch. What started as a simple deployment oversight quickly spiraled into one of the year’s most significant code leaks, giving developers an unprecedented peek behind the curtain at how Apple builds its web interfaces.

The problem? Apple forgot to disable sourcemaps in production, which is basically Web Development 101. These debugging files are supposed to be stripped out before anything goes live, but someone at Apple clearly missed that step. A GitHub user named rxliuli noticed the mistake and used a Chrome extension to extract the complete front-end codebase straight from the production site. The repository went up quickly, labeled as being for “educational purposes.”

As expected, the repository was quickly taken down.

The leaked code included complete Svelte/TypeScript source code, state management logic, UI components, API integration code, and routing configuration. Basically everything needed to understand how Apple built their new web store interface. Within hours, the repository started getting forked left and right by curious developers who wanted to study Apple’s coding practices before the inevitable takedown.

GitHub processed the takedown notice against the entire network of 8,270 repositories, including the parent repository and all its forks. That’s a massive purge by any standard. The DMCA notice didn’t mess around, either. When a reported network contains more than 100 repositories and the submitter claims most forks are infringing, GitHub can nuke the entire network at once.

Some even shared the takedown notices they received.

The timing couldn’t have been more awkward for Apple. The company had just launched a revamped web interface for the App Store earlier this week, complete with dedicated pages for each platform, app categories, and search functionality. Instead of celebrating a successful launch, they were scrambling to contain a code leak.

Here’s the thing though: there isn’t any sensitive data in the leak, just coding logic. No user information, no backend secrets, no security vulnerabilities. This incident doesn’t pose a direct security risk, but it’s still embarrassing for a company that prides itself on secrecy and attention to detail. Getting to see how Apple structures its web apps, handles state management, and organizes its components is rare, but it won’t help anyone hack into iCloud or bypass iOS security.

Still, for a company as protective of its intellectual property as Apple, having thousands of copies of its code floating around GitHub was unacceptable. The swift DMCA action makes it clear that even non-sensitive code is considered proprietary, and Apple isn’t about to let developers study their work without permission.

But as the saying goes, once it’s on the internet, it’s there forever. Many people have already stored the code locally on their devices to study how Apple writes code. So it seems like Apple will have to take the big L this time around, while those who’ve managed to grab the code and store it locally might have something to reference.