The Leak
On March 31, 2026, Anthropic accidentally shipped the entire source code of Claude Code to the public npm registry via a single misconfigured debug file. 512,000 lines. 1,906 TypeScript files. For Anthropic PBC, the inadvertent release of the internal source code behind its popular AI-powered coding assistant raises uncomfortable questions about the security practices of a company that has built its brand on prioritizing safety.
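The exact misconfiguration hasn't been disclosed, but the failure mode is a familiar one for npm packages: without a "files" whitelist in package.json (or an .npmignore file), npm publish bundles whatever happens to sit in the project directory, stray debug and source files included. A purely hypothetical sketch of the guard rails, not Anthropic's actual setup. A package.json that whitelists only built output:

    {
      "name": "@example/cli",
      "version": "1.0.0",
      "main": "dist/index.js",
      "files": ["dist"]
    }

And a pre-publish check that lists exactly what the published tarball would contain:

    npm pack --dry-run

Either of these would surface a 512,000-line surprise before it reached the registry.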
Beyond the embarrassment, the leak revealed something more troubling: references to Claude Mythos, Anthropic's next-generation frontier model.
The Mythos Warning
An Anthropic spokesperson said the new model represents "a step change" in AI performance and is "the most capable we've built to date." A draft blog post, available in an unsecured and publicly searchable data store prior to Thursday evening, identified the model as Claude Mythos and said the company believes it poses unprecedented cybersecurity risks.
According to a Sunday (March 29) report from Axios, Anthropic has been privately warning senior government officials that Mythos makes large-scale cyberattacks significantly more likely in 2026, and that agents running on systems at this capability level can plan and carry out complex operations with minimal human involvement.
Contrasting Narratives
Anthropic frames this as prudent safety disclosure to government stakeholders. Critics see it as hype-building through manufactured fear. The company said it is testing Mythos with a small group of early-access customers and has not set a general release date, partly because the model remains expensive to run at scale.
My Take: The leak is a PR disaster, but the real story is Anthropic's gamble. By warning of Mythos's capabilities while restricting access, they're positioning themselves as responsible yet cutting-edge—a calculated narrative. Whether the cybersecurity risks are real or marketing-adjacent remains unclear.