Anthropic Leaked Its Own Source Code. Twice. In One Week.

Let me explain why I'm writing this at all.

I've been following Anthropic for a while. Not obsessively, but I work with this stuff, so I keep up. When the first leak dropped — the npm package one — my first thought was: okay, happens. Then came the second one. That's when I started taking notes.

This isn't a clean investigative report. I'm writing it because it's been bothering me, and because I can't shake the feeling that most of the coverage is missing the actual point.

What Happened

On March 31, 2026, someone at Anthropic forgot to configure a .npmignore file correctly. The official Claude Code npm package shipped with a source map that exposed the complete, unobfuscated TypeScript source code. Security researcher Chaofan Shou found it. The repository was forked more than 41,500 times within hours. Gone is gone.

That was the second leak in a week. Five days earlier, Fortune had reported that Anthropic accidentally made nearly 3,000 files publicly accessible — including a draft blog post about an internal model they call "Mythos" and "Capybara."

Two leaks. Five days. One company that has spent years telling the world it's the most safety-conscious lab in AI.

The Part That Actually Bothers Me

According to a technical breakdown by software engineer Gabriel Anhaia, a single correctly configured .npmignore file — or a correct files field in package.json — would have been enough to prevent all of this. This isn't some obscure edge case. It's the first thing covered in every npm release tutorial I've ever read.

Anthropic's official response: "This was a release packaging issue caused by human error, not a security breach."

Technically accurate. But "human error" sounds like a company that has already moved on before it fully understood what happened.

What was inside the leak isn't trivial either. There were dozens of feature flags for capabilities that are fully built but haven't shipped — including something internally called "KAIROS": an autonomous daemon mode that lets Claude Code operate as an always-on background agent. There's a process inside it called "autoDream" that consolidates memory while the user is idle. Anthropic never intended to publish any of that. Every competitor has it now.

The Timing Nobody Is Talking About

In the early hours of March 31 — simultaneous with the source code leak — there was a supply chain attack on the axios npm package. Axios is a core dependency of Claude Code. Anyone who installed or updated Claude Code between 00:21 and 03:29 UTC may have pulled a trojanized version containing a remote access trojan.

I'm not claiming these are connected. Coincidences happen. But people should know about it.

What's happened since is less ambiguous: the leak is being actively used as a social engineering lure to distribute malicious payloads via GitHub, and there's typosquatting on internal npm package names — traps set for developers trying to compile the leaked Claude Code source themselves. The original mistake was human. What's being built on top of it isn't.

What This Means for Anthropic

Claude Code is running at an annualized revenue of over $2.5 billion, with enterprise as the dominant channel. These aren't forgiving hobbyist users — these are CTOs with long procurement checklists.

Anthropic has built its entire positioning on a single promise: we are the adults in the room. We take safety seriously while everyone else chases market share. That was never just marketing. It's why regulators take their calls, why certain talent chooses them, why enterprise deals close.

And then this happens. Twice. In five days.

Anthropic will survive this. The products are good, and enterprise buyers have short memories when the tool keeps working. But every CTO currently in a procurement decision now has a new question on their list — and Anthropic doesn't have a good answer for it right now.

The next safety promise is going to cost a little more to sell than the last one. That's not a dramatic take. It's just what happens when you stumble twice in a week and your public response amounts to: "Yeah, our mistake, moving on."

I'm not writing this with any satisfaction. I use their products. I want them to be good. But honest criticism shouldn't have to feel like an attack to be worth saying.