
The AI Security Gap Is Here, But No One Admits It

Summary

– On March 31, 2026, Anthropic accidentally shipped the entire source code of Claude Code to the public npm registry.
– The leak included around 512,000 lines of TypeScript across 1,906 files.
– The exposed code contained 44 hidden feature flags.
– References to an unreleased model codenamed Mythos were also part of the leak.
– The code sat openly accessible on a Cloudflare storage bucket until a security researcher found and posted about it.

On March 31, 2026, Anthropic accidentally exposed the complete source code of Claude Code to the public npm registry. The leak revealed roughly 512,000 lines of TypeScript across 1,906 files, including 44 hidden feature flags and references to an unreleased model codenamed Mythos. The data sat openly accessible on a Cloudflare storage bucket until a security researcher discovered it and posted the findings online.

This incident highlights a growing and uncomfortable reality: the AI security gap is widening, but few in the industry are willing to confront it. As companies rush to deploy and iterate on powerful AI systems, basic security practices are being overlooked. The Claude Code leak is not an isolated mistake; it is a symptom of a broader culture that prioritizes speed over safety.

The exposed code contained sensitive internal details, including unreleased features and model names, giving competitors and malicious actors a significant advantage. While Anthropic quickly secured the bucket and issued a statement, the damage was already done. The event underscores how AI companies must treat their codebases with the same rigor as any critical infrastructure provider.

If the industry does not collectively address these vulnerabilities, similar leaks will become more frequent and more damaging. The AI security gap is here, and pretending otherwise only invites the next breach.

(Source: The Next Web)
