On March 31, 2026, Anthropic accidentally shipped the entire source code of Claude Code to the public npm registry. Around 512,000 lines of TypeScript across 1,906 files, including 44 hidden feature flags and references to an unreleased model codenamed Mythos, sat openly accessible on a Cloudflare storage bucket until a security researcher found it and posted the link on X. Within hours the codebase had been mirrored across GitHub, amassing thousands of stars before Anthropic could issue DMCA takedowns. Anthropic called it a packaging error caused by human error. That explanation is accurate and also somewhat beside the point.
By exposing the blueprints of Claude Code, Anthropic handed a roadmap to anyone who wanted to design malicious repositories specifically tailored to trick Claude Code into running background commands or exfiltrating data before a user ever sees a trust prompt. The permission enforcement logic, the sandboxing architecture, the exact orchestration mechanics that govern how the agent validates what it is allowed to do: all of it now sits permanently in the wild across tens of thousands of forked repositories that no DMCA notice will fully reach. What the leak exposed about the state of AI security is more uncomfortable than the leak itself.
