
But the reality of the past few days looks more like the script of a really dumb IT comedy.
In just 5 days they leaked 2 of their 3 absolutely most sensitive assets. First, information about a top-secret supermodel, and right after that the complete source code.
The irony here is so thick you could cut it with a chainsaw. Let's take a look at exactly how this security disaster was cooked up.
The most important points in brief
- On 26 and 27 March 2026, information about the new supermodel Claude Mythos leaked from an unsecured storage bucket.
- Anthropic had to come clean: it's their most capable AI, with an extreme risk of being abused for cyberattacks.
- Just 5 days later, on 31 March, 513,000 lines of the Claude Code app's source escaped onto the internet.
- Developers managed to copy the code on GitHub more than 41,500 times before the company even blinked.
- After this fiasco, the Pentagon officially labelled Anthropic a security risk.
Claude Mythos – the model nobody was supposed to see
It all blew up on 26 March 2026. A group of security researchers stumbled on a total rookie mistake – an unsecured data store.
Inside lay a genuine treasure. A draft of an unpublished paper describing, in detail, a brand-new AI model codenamed Capybara.
The official name? Claude Mythos. Anthropic was backed into a corner and had to come out with the truth. They quickly confirmed what CNN and Fortune were already chewing over by then.
This model is an absolute “step change” in AI capabilities. It's, without question, the best and most hardcore thing ever to come out of Anthropic's labs.
Mythos utterly crushes the competition in programming, reasoning and cybersecurity. And this is exactly where things start to get serious.
The model is so incredibly smart and so brutally demanding on compute that the company itself is afraid to let it out.
According to Euronews sources, Anthropic representatives are already quietly making the rounds of government officials. In private, they're warning them that Claude Mythos dramatically raises the odds of massive cyberattacks.
513,000 lines of code out in the open
Think one giant mess a year is enough? Anthropic's management clearly disagrees.
On 31 March 2026, just 5 days after the Mythos reveal, came another slap. This time straight to the heart of their developer ecosystem.
Because of a completely trivial mistake in an npm package, the complete source code of the popular Claude Code tool got out.
We're talking about 1,906 files and an incredible 513,000 lines of pure TypeScript. All free to download.
The internet doesn't forgive, and developers are damn fast. Before Anthropic could delete it, programmers had uploaded the code to GitHub at lightning speed.
Within a few hours the repository had racked up over 41,500 forks. Literally everyone who wanted that code now has it.
Speaking to The Hacker News and VentureBeat, the company drily called it “human error during release packaging”. Apparently it was definitely not a targeted cyberattack or a security incident. Sure.
Your customer data and passwords are supposedly safe, none of it leaked. But honestly, trust in their AI safety took a solid beating.
The “safety-first” company even the Pentagon is laughing at
Let's step back for a moment. Anthropic built a billion-dollar image on being the “responsible adults” in a room full of AI teenagers.
And the result? Two fatal leaks of the most sensitive data in under a week.
The reaction from on high didn't take long. The Pentagon has now quite officially labelled Anthropic a “supply-chain risk”.
US Defense Secretary Hegseth pulled no punches at the press conference. He confidently called their famous safety guardrails “corporate virtue signalling”. Ouch.
When even the Department of Defense is openly smirking at your approach to security, you know you've got a really big problem.
The comparison with the competition now feels pretty bitter for Anthropic. While they're patching leaks through ordinary npm packages, everyone else is calmly shipping new models.
What this means for you, the Claude user
Maybe you're sitting at your computer right now, wondering whether to keep using Claude at all. I've got some hard facts and news from 4 April for you.
Quietly, the company killed off the use of its top Claude Pro and Max subscriptions in third-party tools.
If you'd got used to various integrations, say for Google Ads automation, you'll have to overhaul your workflow fast.
In the API, on the other hand, they made an interesting move and raised the maximum number of generated tokens to a respectable 300,000.
But if you'd grown fond of testing their giant 1M-token context window, I've got bad news. This beta ends for good on 30 April.
So should you start panicking and deleting accounts? No, that's probably not necessary. Customer data really didn't leak.
But you should definitely think harder about who you entrust your sensitive company data to. And whether the marketing spiel matches reality.
Conclusion
Anthropic got a very hard lesson in humility over the past few days. Losing the Mythos model info and the complete source code within 5 days is just rank amateurism.
It turns out that not even the best intentions and a billion-dollar valuation will protect you from a forgotten database password or a junior's mistake.
I'm curious what you think. Do you still trust Anthropic after this fiasco, or have they lost credit with you? Write in the comments whether you're staying with Claude or packing your bags for the competition.
FAQ
Is it safe to use Claude after these leaks?
Yeah, for the ordinary user it's still safe. Anthropic confirmed that no user data, passwords or credit cards were leaked. It was "only" a leak of their own source code and internal documents.
What is Claude Mythos and when will it be out?
Claude Mythos (codename Capybara) is Anthropic's most capable AI model to date. It brings a brutal leap in reasoning and coding. Because of the security risks and its insane performance demands, it doesn't have a release date yet.
Was my data leaked from Claude Code?
No. The leaked npm package contained only 513,000 lines of the application's own TypeScript code. There was no user database, no conversation history and none of your API keys.
Why is Anthropic warning governments about its own model?
The Mythos model is so far ahead in cybersecurity and programming that in the wrong hands it could be used to automate massive cyberattacks. That's why the company is talking to the authorities before releasing it.
How does Anthropic differ from others in its approach to safety?
From day one, Anthropic has presented itself as a "safety-first" company. They came up with the concept of Constitutional AI, which is meant to ensure the models behave ethically and safely. And that's exactly why this double data leak is seen as such an enormous failure.


