Anthropic Code Exposed in Two incidents

Incident 1 — CMS Data Exposure (~March 26, 2026)

What happened technically:
Anthropic’s content management system, used to publish information to sections of the company’s website, was misconfigured — leaving draft content publicly accessible. The company said it was “unrelated to Claude, Cowork, or any Anthropic AI tools.”

What was exposed:
Close to 3,000 assets linked to Anthropic’s blog were publicly accessible, including images and PDFs that had not been published to Anthropic’s public-facing news or research sites. A cybersecurity researcher at the University of Cambridge assessed and reviewed the material.

The most sensitive exposure:
A draft blog post detailed a powerful upcoming model known internally as both “Mythos” and “Capybara.” According to an AI security researcher at LayerX Security, the company is likely to release a “fast” and a “slow” version of the new model, and it will be the most advanced model on the market — a new tier above Opus.

Anthropic’s position:
“These materials were early drafts of content considered for publication and did not involve our core infrastructure, AI systems, customer data, or security architecture,” the spokesperson said.

Incident 2 — Claude Code Source Code Leak (March 31, 2026)

Root cause:
A source map file — meant for internal debugging of bundled or obfuscated code, not for production — was accidentally included in Claude Code’s npm release package. That map file referenced the unobfuscated TypeScript source, which in turn pointed to a zip archive hosted on Anthropic’s Cloudflare R2 storage bucket that anyone could freely download and decompress.

Scale of exposure:
The archive contained nearly 2,000 files and 500,000 lines of code. Within hours, the codebase was mirrored and dissected across GitHub, quickly amassing thousands of stars.

What the code revealed:
The leaked code contained dozens of feature flags for capabilities that appear fully built but haven’t shipped, including the ability for Claude to review its latest session to study for improvements while transferring learnings across conversations, a persistent assistant running in background mode that keeps working even when a user is idle, and remote capabilities allowing users to control Claude Code from a phone or another browser.

Architectural insight exposed:
The leaked source revealed a sophisticated three-layer memory architecture. At its core is MEMORY.md — a lightweight index of pointers perpetually loaded into context. Actual project knowledge is distributed across topic files fetched on demand, while raw transcripts are never fully read back into context but grep’d for specific identifiers.

Security risk created by the leak:
By exposing the orchestration logic for Hooks and MCP servers, attackers can now design malicious repositories specifically tailored to trick Claude Code into running background commands or exfiltrating data before a user sees a trust prompt.

Anthropic’s statement:
“A single misconfigured .npmignore or files field in package.json can expose everything,” a software engineer noted in analysis of the leak. Anthropic acknowledged it as human error and said it is rolling out measures to prevent recurrence.

Bottom line across both incidents:

Two separate human errors — a misconfigured CMS and a misconfigured npm build pipeline — within days of each other. No customer data or credentials lost in either. But the combined damage is significant: a competitor roadmap leak, internal architecture exposure, and a concurrent supply chain attack on the same package ecosystem — all in one week.
