A Note Before We Start
I need to be upfront about something. I'm writing this report about Anthropic while using their product. Claude is my primary AI tool. I pay for Claude Max. I built my entire agent harness on Claude Code. So when I tell you Anthropic had a rough week, I'm not some competitor taking shots. I'm a paying customer who also happens to do security research.
Two months ago I published TIR-2026-001, a threat intelligence report on OpenClaw, the open-source AI agent framework that went from zero to 30,000 GitHub stars and then got torn apart by attackers within six weeks. I mapped nine threat vectors to MITRE ATT&CK across 19 sources. I coined the term Cognitive Context Theft to describe a new class of data exfiltration targeting AI agent memory files.
I bring that up because the attack surface I documented in that report is the same architecture Anthropic just accidentally showed the world. The playbook hasn't changed. The companies keep making the same mistakes. And the attackers keep getting faster.
This report covers three incidents that happened between March 26 and March 31, 2026. They are connected by timing but not by cause. The compound effect is what matters.
Executive Summary
Here's what happened in plain terms. Anthropic, the company that markets itself as the safety-first AI lab, leaked sensitive information about their most powerful model ever built through a misconfigured content management system. That's a basic mistake. The kind of thing a $250 security checkup would have caught.
Five days later, someone on their engineering team shipped a debug file inside a routine software update. That file pointed to a zip archive containing 512,000 lines of Claude Code's source code. Every competitor on the planet now has the blueprint for how Anthropic's $2.5 billion per year coding tool actually works. Over 84,000 people forked it on GitHub before anyone could react.
At the same time, and this part was not Anthropic's fault, hackers compromised a popular software library called axios that Claude Code depends on. Anyone who installed or updated Claude Code during a three-hour window on March 31st may have downloaded a remote access trojan. That means full control of the victim's machine.
Three incidents. One week. The safety-first company.
I'm not saying this to be dramatic. I'm saying it because if Anthropic can't prevent this kind of exposure, the average small business running AI tools without any security review has no idea how exposed they are.
Incident 1: The Mythos Model Leak
What Happened
On March 26, security researchers Alexandre Pauwels at Cambridge and Roy Paz at LayerX Security discovered that roughly 3,000 unpublished files were sitting in a publicly accessible data store connected to Anthropic's blog. No login required. Just there, waiting to be found.
Among those files was a draft blog post about Claude Mythos, a new model Anthropic describes internally as by far the most powerful AI model they have ever developed. The post outlined a new tier of models called Capybara, which sits above Opus in both capability and cost.
Why It Matters
Anthropic's own words from that draft: the model poses unprecedented cybersecurity risks. They wrote that it presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders. That's not me interpreting. That's their language, from their document, about their model.
Axios reported that Anthropic is privately warning top government officials that Mythos makes large-scale cyberattacks significantly more likely in 2026. Cybersecurity stocks dropped on the news. Zscaler alone is down roughly 40% since the start of the year.
The model scores dramatically higher than Claude Opus 4.6 on tests of software coding, academic reasoning, and cybersecurity. Remember that Opus 4.6 can already identify zero-day vulnerabilities autonomously. Mythos goes further. How much further is the question nobody outside Anthropic can answer yet.
The Irony
A company building what it calls the most dangerous AI model in cybersecurity history left the announcement of that model in an unsecured, publicly searchable data store, because someone misconfigured the CMS. I keep circling back to this because it matters. Security Misconfiguration is A05 in the OWASP Top 10 (2021) and has been on the list for years. This is not a novel attack vector. This is day one stuff.
MITRE ATT&CK Mapping (Incident 1)
| Technique | ID | Relevance |
|---|---|---|
| Data from Info Repositories | T1213 | Unsecured CMS data store with sensitive pre-release docs |
| Unsecured Credentials | T1552 | Applies only if secrets were among the ~3,000 exposed files; the sources describe model capability details and API version strings, not credentials |
| Gather Victim Org Info | T1591 | Competitors gain strategic intelligence on unreleased roadmap |
Incident 2: Claude Code Source Code Leak
What Happened
On March 31, security researcher Chaofan Shou posted on X that Claude Code's source code had been leaked via a source map file in the npm registry. The post got 28.8 million views. That's not a typo.
Version 2.1.88 of the @anthropic-ai/claude-code npm package shipped with a .map file that contained a reference to an unobfuscated TypeScript source archive on Anthropic's Cloudflare R2 storage. Download the zip, decompress, and you've got the whole thing. Roughly 1,900 files. 512,000 lines of TypeScript.
What Was Inside
- The complete tool system for file operations, bash execution, and web browsing.
- The query engine handling all LLM API calls, streaming, retry logic, and token counting.
- Multi-agent orchestration code for spawning sub-agents and coordinating swarms of them.
- 44 hidden feature flags. 20 or more of those are for capabilities that are fully built but haven't shipped yet.
- KAIROS, an autonomous daemon mode. When you're idle, Claude Code performs memory consolidation in the background. It merges observations, removes contradictions, and converts vague insights into absolute facts. That's not my description. That's what the code does.
- Anti-distillation mechanisms. When enabled, Claude Code injects fake tool definitions into its own prompts so that anyone recording API traffic to train a competing model gets poisoned training data.
- Internal performance data showing 1,279 sessions had 50 or more consecutive failures in a single session, wasting around 250,000 API calls per day globally.
- More references to the Capybara/Mythos model, confirming the earlier leak was real.
Why This Matters More Than a Typical Source Code Leak
Claude Code's value doesn't come entirely from the underlying AI model. A significant portion of its capability comes from the agentic harness, the software layer that tells the model how to use tools, manage files, coordinate with other agents, and govern its own behavior. That harness is what leaked. Fortune put it well: the leak allows a competitor to reverse-engineer how Claude Code's agentic harness works and use that knowledge to improve their own products.
Claude Code's annualized recurring revenue is approximately $2.5 billion. Enterprise adoption accounts for 80% of that. This leak hands every competitor in the space, from Cursor to GitHub Copilot, a production-grade engineering education for free.
The Root Cause (And Why I Can't Let It Go)
Either a .npmignore entry or the files field in package.json failed to exclude the debug artifact from the published package. That's it. One file, one line, one oversight.
There's an additional wrinkle. Anthropic acquired Bun's parent company in late 2025, and Claude Code is built on Bun. A Bun bug filed on March 11, still open at the time of the leak, reported that source maps were being served in production mode even though Bun's documentation says they should be disabled. If that bug is what caused this, then a toolchain Anthropic itself owns shipped a known bug that exposed Anthropic's own product's source code.
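Here is the pre-publish check I'd want in a release pipeline, as an added example and not Anthropic's or npm's own code. It opens the tarball that `npm pack` produces and reports every way a map can leak source: `.map` files shipped in the package, `sourceMappingURL` comments in shipped JavaScript, maps whose `sourcesContent` embeds the original source, and maps whose `sources` point at an external URL. The page does not describe the exact layout of the leaked map file, so the check covers the general cases rather than that one file. The sample tarball is constructed inline; the package name and storage URL in it are placeholders.

```python
"""Pre-publish audit of an npm tarball for source-map leakage.

Added example, not Anthropic's release tooling. Reads the .tgz that
`npm pack` produces and reports every way a map can leak source:
shipped .map files, sourceMappingURL comments in shipped JS, maps that
embed the original source (sourcesContent), and maps whose `sources`
point at an external URL. Package names and URLs below are placeholders.
"""
import io
import json
import re
import tarfile

# Matches `//# sourceMappingURL=...` (and the older `//@` form) on its own line.
SOURCEMAP_RE = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(\S+)", re.MULTILINE)
# Absolute URL with a scheme (https://...), as opposed to a relative path.
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
JS_SUFFIXES = (".js", ".mjs", ".cjs")


def audit_tarball(tgz: bytes) -> dict:
    """Return the leakage findings for a gzipped npm tarball held in memory."""
    findings = {
        "map_files": [],          # any .map shipped in the package
        "map_references": [],     # (js file, sourceMappingURL target)
        "embedded_sources": [],   # maps carrying sourcesContent (full source inline)
        "external_sources": [],   # (map file, URL) for sources that point off-package
    }
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            blob = tar.extractfile(member).read()
            name = member.name
            if name.endswith(".map"):
                findings["map_files"].append(name)
                try:
                    smap = json.loads(blob)
                except ValueError:
                    continue  # not a JSON source map; already flagged as a .map file
                if smap.get("sourcesContent"):
                    findings["embedded_sources"].append(name)
                for src in smap.get("sources", []):
                    if isinstance(src, str) and URL_RE.match(src):
                        findings["external_sources"].append((name, src))
            elif name.endswith(JS_SUFFIXES):
                text = blob.decode("utf-8", errors="replace")
                for match in SOURCEMAP_RE.finditer(text):
                    findings["map_references"].append((name, match.group(1)))
    return findings


def is_clean(findings: dict) -> bool:
    """True when no finding category has entries; gate the publish step on this."""
    return not any(findings.values())


def build_sample_tarball(leak: bool = True) -> bytes:
    """Constructed sample: a tiny package that optionally ships a map which both
    embeds source and references an external archive (placeholder URL)."""
    files = {
        "package/package.json": json.dumps(
            {"name": "@example/cli", "version": "1.0.0", "main": "cli.js"}),
        "package/cli.js": "console.log('hi');\n"
                          + ("//# sourceMappingURL=cli.js.map\n" if leak else ""),
    }
    if leak:
        files["package/cli.js.map"] = json.dumps({
            "version": 3,
            "sources": ["https://storage.example.invalid/src.zip", "src/cli.ts"],
            "sourcesContent": ["export const x = 1;"],
            "mappings": "AAAA",
        })
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    tgz = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_tarball()
    result = audit_tarball(tgz)
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
    sys.exit(0 if is_clean(result) else 1)
```

Run `npm pack` and feed the resulting `.tgz` to `audit_tarball`; fail the pipeline when `is_clean` returns False. A `*.map` line in `.npmignore` keeps the maps out of the tarball, and the production build should also drop `sourceMappingURL` comments so that no reference survives even if a map is left behind.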
MITRE ATT&CK Mapping (Incident 2)
| Technique | ID | Relevance |
|---|---|---|
| Obtain Capabilities: Tool | T1588.002 | Attackers can reverse-engineer the agentic harness for exploit dev |
| Supply Chain Compromise: Software Supply Chain | T1195.002 | Mapped for the failure mode (npm packaging pipeline failed to exclude debug artifacts, which then reached users through the package channel); no evidence of attacker tampering |
| Trusted Relationship | T1199 | Users trust npm packages from verified publishers like Anthropic |
| Software Discovery | T1518 | Feature flags reveal upcoming capabilities and internal architecture |
Incident 3: The Axios Supply Chain Attack
What Happened
This one was not Anthropic's fault. But the timing made it devastating.
On March 31, malicious versions of the axios HTTP client library were published to npm. Axios is one of the most widely used packages in the JavaScript ecosystem. Claude Code depends on it. The trojanized versions, 1.14.1 and 0.30.4, contained a cross-platform remote access trojan hidden inside a dependency called plain-crypto-js.
The exposure window was small. About three hours, from 00:21 UTC to 03:29 UTC on March 31. But anyone who ran npm install or updated Claude Code during that window may have pulled the compromised version. And a RAT means full remote access. Not partial. Full. Command execution, file access, credential harvesting. Everything.
On top of that, attackers started typosquatting internal npm package names that appeared in the leaked Claude Code source. A user named pacifier136 published empty stub packages using those names. Empty for now. But the play is obvious: wait for downloads, then push a malicious update.
If You Used npm on March 31
- Search your lockfiles for axios versions 1.14.1 or 0.30.4, or the dependency plain-crypto-js.
- If you find any of those, treat the machine as fully compromised. Not maybe compromised. Fully.
- Rotate every secret, API key, token, and credential that machine had access to.
- Clean OS reinstall. Not a virus scan. A reinstall.
- Switch to Anthropic's native installer going forward. It uses a standalone binary that doesn't rely on the npm dependency chain at all.
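The lockfile search in the first step, written out as an added example (my code, not Anthropic's guidance or npm's tooling). It walks a package-lock.json in either format, the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1, and flags the two axios versions and the plain-crypto-js package named above, including copies nested under another dependency, which a top-level glance misses. The two sample lockfiles are constructed inline; the package names and versions in them other than axios and plain-crypto-js are placeholders.

```python
"""Scan package-lock.json files for the axios releases and helper package
named in the axios incident. Added example, not Anthropic's guidance or
npm's tooling. Handles lockfile v1 (nested "dependencies") and v2/v3
(flat "packages" keyed by node_modules path). Sample lockfiles are
constructed; package names other than axios and plain-crypto-js are placeholders.
"""
import json
from pathlib import Path

# Versions and package named on this page as the compromised releases.
COMPROMISED_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
SUSPECT_PACKAGES = {"plain-crypto-js"}


def enumerate_lock(lock: dict) -> list:
    """Return (install_path, package_name, version) for every package in the lockfile."""
    entries = []
    packages = lock.get("packages")
    if packages is not None:  # lockfile v2/v3
        for key, info in packages.items():
            if key == "":
                continue  # the root project itself
            # Keys look like node_modules/foo or node_modules/foo/node_modules/@s/bar;
            # the name is whatever follows the last node_modules/ segment.
            name = info.get("name") or key.rsplit("node_modules/", 1)[-1]
            entries.append((key, name, info.get("version")))
    else:  # lockfile v1: nested dependency tree
        def walk(deps: dict, prefix: str) -> None:
            for name, info in deps.items():
                path = f"{prefix}/{name}" if prefix else name
                entries.append((path, name, info.get("version")))
                walk(info.get("dependencies", {}), path)
        walk(lock.get("dependencies", {}), "")
    return entries


def scan_lock(lock: dict) -> list:
    """Flag compromised axios releases and the suspect helper package, wherever nested."""
    findings = []
    for path, name, version in enumerate_lock(lock):
        if version in COMPROMISED_VERSIONS.get(name, ()):
            findings.append({"path": path, "name": name, "version": version,
                             "reason": "compromised release"})
        elif name in SUSPECT_PACKAGES:
            findings.append({"path": path, "name": name, "version": version,
                             "reason": "RAT carrier dependency"})
    return findings


def scan_file(path: str) -> list:
    """Scan a package-lock.json on disk."""
    return scan_lock(json.loads(Path(path).read_text(encoding="utf-8")))


# Constructed samples (not real lockfiles). "1.13.0" stands for any version not on the list.
SAMPLE_LOCK_V3 = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "0.1.0"},
    },
}
SAMPLE_LOCK_V1 = {
    "name": "app", "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.13.0"},
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"axios": {"version": "0.30.4"}}},
    },
}

if __name__ == "__main__":
    import sys
    for lock_path in sys.argv[1:]:
        for f in scan_file(lock_path):
            print(f"{lock_path}: {f['reason']}: {f['name']}@{f['version']} at {f['path']}")
```

Point it at every package-lock.json on the machine, including ones inside global npm installs, and treat a single hit as the trigger for the rotate-and-reinstall steps above rather than something to clean up in place.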
MITRE ATT&CK Mapping (Incident 3)
| Technique | ID | Relevance |
|---|---|---|
| Supply Chain Compromise | T1195.001 | Trojanized axios published to public npm registry |
| Command & Scripting Interpreter | T1059 | RAT enables arbitrary command execution on victim machines |
| Credential Access | T1555 | Compromised machines expose all stored credentials and API keys |
The Bigger Picture: AI Is Hacking Now
I wrote about this in the OpenClaw report. The core tension hasn't changed: usefulness requires access, and access creates risk. The more an AI agent can do for you, the more damage it can do if someone compromises it. What's changed in the two months since that report is the speed at which offensive AI is maturing.
In June 2025, an AI company called XBOW took the number one spot on HackerOne's US leaderboard. Not by finding a few bugs. By submitting over 1,000 new, real vulnerabilities in production systems within a few months. An AI, not a human, at the top of the most respected bug bounty platform in the world.
In August, seven teams competing in DARPA's AI Cyber Challenge collectively found 54 new vulnerabilities in a target system. In four hours of compute time. Not four hours of human effort. Four hours of machines running.
Google's Big Sleep AI found dozens of new vulnerabilities in open-source projects on its own. Ukraine's CERT discovered Russian malware that uses an LLM to automate its own reconnaissance and data theft. A Chinese AI pentesting tool called Villager fully automates attack chains from recon through exploitation using the DeepSeek model. And researchers have shown that AI systems can reproduce hundreds of known vulnerabilities just from public information.
Security experts are now predicting that by mid-2026, at least one major enterprise will be breached by a fully autonomous AI system. No human hacker driving it. Just agents finding weaknesses, writing exploits, and moving through networks at machine speed.
That prediction doesn't feel early to me. It feels late.
Why These Three Incidents Together Are Worse Than Any One Alone
Each of these incidents is bad on its own. Together, they form a compound threat that I think most people are underestimating.
The Mythos leak confirms that AI models are getting dramatically better at finding and exploiting vulnerabilities. Anthropic said so themselves. This isn't speculation.
The Claude Code leak gives attackers a production-grade reference implementation for building agentic systems. Tool orchestration, permission models, multi-agent coordination, memory management. All documented, all available, all free. Anyone building offensive AI tools just got handed a working example of how to make an agent that plans, executes, and persists across sessions.
The axios attack proves that the software supply chain these tools depend on can be compromised at the dependency level. You don't need to hack the tool. You hack what the tool installs, and the tool delivers the payload for you.
Put those three together and the picture gets uncomfortable. The models are getting more capable at offense. The architecture for weaponizing that capability just leaked. And the distribution channel is vulnerable to injection.
For business owners and security teams, the takeaway is not that Anthropic is bad at security. It's that the entire ecosystem, the tools, the infrastructure, the supply chains, is moving faster than the defenses around it. If the company that literally brands itself around AI safety can have a week like this, nobody gets to assume they're covered.
So What Does This Mean For Your Business
I want to write this section the way I'd explain it if you were sitting across from me at a coffee shop. No frameworks. No jargon. Just what you need to understand.
If your business uses AI tools, and at this point most do, you now have a new category of risk that didn't exist two years ago. It's not just about whether your website is secure or your passwords are strong. It's about whether the AI tools you gave access to your email, your files, your code, your customer data, are themselves secure. And whether the software they depend on is safe to install.
Most businesses I talk to have never asked that question. They installed the AI tool, gave it the permissions it asked for, and moved on. That's the equivalent of hiring someone, giving them the keys to the building, and never checking their references.
The free scan at isitsafe.pro checks the basics. Headers, configurations, exposed files, SSL, security misconfigurations. It takes 30 seconds and it's free because I believe everyone should at least know where they stand. But the AI agent risk? That requires a deeper conversation. That's what the security checkup is for.
I built GroundedScan because I kept seeing the same pattern. Business owners who genuinely care about doing things right, but who have no visibility into what's actually exposed. The goal isn't to scare you into buying something. The goal is to make the invisible visible so you can make informed decisions.
What To Do About It
This Week
- Check your npm lockfiles for compromised axios versions. If you or your developer used npm on March 31, this is not optional.
- If you use Claude Code via npm, switch to the native installer. Anthropic recommends it now. The binary doesn't depend on npm's supply chain.
- Rotate API keys and tokens on any machine that ran npm install during the exposure window.
- Run a scan at isitsafe.pro. It's free. Know what's exposed before someone else finds it.
This Month
- Audit what permissions your AI tools actually have. Most are over-permissioned because that was the default during setup.
- Start tracking your software dependencies. If you don't know what your tools install when they update, you can't know when something malicious slips in.
- Talk to your team about AI tool usage. Shadow AI, meaning employees using AI tools that IT doesn't know about, is a real and growing problem.
This Quarter
- Get a proper AI agent security assessment. Not a checkbox compliance audit. A real evaluation of what your agents can access, how they handle data, and where the boundaries are.
- Treat your AI agents as identities. They need managed credentials, monitored behavior, and scoped permissions. Just like a new employee would.
- Move from annual penetration tests to continuous monitoring. When attacks move at machine speed, a test you ran six months ago tells you almost nothing about today.
Connecting the Thread
In TIR-2026-001, I wrote that OpenClaw was not the problem. It was the preview. I said every major tech company was racing to ship autonomous AI agents, and the core tension between usefulness and risk would play out the same way regardless of the specific tool.
That was February. This is April. Anthropic just proved the point.
The next report will probably be about a different company and a different tool. The pattern will be the same. Access creates risk. Speed outpaces defense. Basic mistakes cause catastrophic exposure.
I'll keep writing these because someone needs to. And if you're reading this and thinking about your own business, your own tools, your own exposure, that's exactly the right instinct. The question isn't whether AI-driven threats will reach your door. The question is whether you'll see them coming.
References
- Ravie Lakshmanan, "Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms," The Hacker News, April 1, 2026.
- Sam Sabin, "Anthropic leaked its own Claude source code," Axios, March 31, 2026.
- Dan Goodin, "Anthropic accidentally exposes Claude Code source code," The Register, March 31, 2026.
- Kyle Wiggers, "Claude Code's source code appears to have leaked," VentureBeat, March 31, 2026.
- Jeremy Kahn, "Anthropic leaks its own AI coding tool's source code," Fortune, March 31, 2026.
- Jordan Novet, "Anthropic leaks part of Claude Code's internal source code," CNBC, March 31, 2026.
- Varshith V Hegde, "The Great Claude Code Leak of 2026," DEV Community, March 31, 2026.
- Alex Kim, "The Claude Code Source Leak: fake tools, frustration regexes, undercover mode," alex000kim.com, March 31, 2026.
- Ernestas Naprys, "Full source code for Anthropic's Claude Code leaks," Cybernews, March 31, 2026.
- Jeremy Kahn, "Exclusive: Anthropic 'Mythos' AI model revealed in data leak," Fortune, March 26, 2026.
- "What is Anthropic's Mythos?," Euronews, March 30, 2026.
- Eoin Higgins, "Anthropic leak reveals cybersecurity danger and potential of new model," IT Brew, March 31, 2026.
- Lucian Constantin, "Leak reveals Anthropic's Mythos," CSO Online, March 29, 2026.
- Bruce Schneier, "Autonomous AI hacking and the future of cybersecurity," CSO Online, October 2025.
- "Cyber Insights 2026: Malware and Cyberattacks in the Age of AI," SecurityWeek, February 2026.
- "Securing AI agents: the defining cybersecurity challenge of 2026," Bessemer Venture Partners, March 2026.
- "Cybersecurity in 2026: Agentic AI, Cloud Chaos, and the Human Factor," Proofpoint, March 2026.
- "AI Agents Hacking in 2026: Defending the New Execution Boundary," Penligent, February 2026.
- "AI Swarm Attacks: What Security Teams Need to Know in 2026," Kiteworks, January 2026.
Protect Your Business
Not sure how AI agents and tools affect your security? Book a 1-on-1 Business Security Checkup. 60 minutes, personalized risk report, actionable plan.