On March 31, 2026, Anthropic accidentally made public 500,000 lines of Claude Code's entire internal source code. Learn what happened, how it happened, what was exposed, what competitors gained, and what you should do.
The day Anthropic turned its own world upside down: March 31, 2026
March 31, 2026, was a day that every engineer, manager, and executive at Anthropic would probably rather not remember. No one broke in from outside. No hackers. No major attack. Just a small error in the build pipeline, and that one error exposed the entire internal source code of the world's most popular AI coding tool. This was not some abridged version, and it wasn't just a small glimpse.
The entire 512,000 lines of TypeScript code, approximately 1,900 files, and with it Claude Code's entire architecture, memory system, unreleased features, hidden system prompts and the product roadmap the company was developing for the next few months were all revealed to the world at once.
This was the same company that had built its identity as a safety-first AI lab, that had repeatedly stated that responsible AI development was at its core, and that had even preached AI safety before government bodies and regulators. And yet that same company's entire source code was being downloaded via an npm package update, without permission and without any hacking, directly from Anthropic's own cloud storage.
What is Claude Code and why is it so important?
It is very important to understand what Claude Code actually is in order to fully understand the relevance of the leak. Claude Code is an agentic coding assistant from Anthropic that comes in the form of a command line tool. This means it's not just a chatbot answering questions; it works directly on your computer. It can create files, find bugs, make Git commits, run tests, and manage entire software projects single-handedly. Developers install it in their terminals and then use the AI power of Claude directly in their coding workflow.
The popularity of this tool can be gauged from the fact that Claude Code's annualized recurring revenue had reached $2.5 billion by February 2026, and this figure was doubling every one or two months. Anthropic's total company annualized revenue was around $19 billion by March 2026, of which the enterprise share was 80 percent. In other words, Claude Code was not just a product; it was Anthropic's revenue engine, its market position and its competitive edge. The source code of that engine is now in front of the whole world.
A source map ruined the whole thing: what was the technical reason?
When developers write code, it is human readable. Variable names are understandable and the logic is easy to follow. However, when this code is released into production it is bundled and minified, meaning it is compressed into a very small, obscure and practically unreadable format. This is done so that the code loads fast and is difficult to reverse engineer. In this process the entire structure of the original code is lost.
Source map files exist to address this very problem. They are a kind of bridge file that maintains a connection between the minified production code and the original, readable TypeScript source code. Developers use this file for debugging on their local machines. If a bug occurs, the source map takes them directly to the original line of code. However, this file should never be included in a public production package, as it can make it very easy for anyone to understand the original code.
Anthropic published version 2.1.88 of Claude Code on npm. This update mistakenly included a 59.8 MB JavaScript source map file. But the issue wasn't just the source map; the issue was that the source map contained a direct URL pointing to Anthropic's own Cloudflare R2 cloud storage bucket. And at that URL was a zip archive containing Claude Code's complete, unobfuscated TypeScript source code. No one had to hack anything. No password had to be cracked. There was just a URL, and the file was there, openly accessible.
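One way to catch this class of mistake before publishing, as an added example that is not code from Anthropic, Bun or this article's sources: it checks a package's files for shipped `.map` files, `sourceMappingURL` comments, embedded `sourcesContent` and remote URLs inside a map. The file names, the `example.invalid` URL and the sample package are constructed.

```javascript
// Added example: pre-publish audit of package contents for source map exposure.
const MAP_REF = /\/[\/*][#@]\s*sourceMappingURL=([^\s*]+)/g;
const REMOTE = /^https?:\/\//i;

// Inspect one parsed source map (v3 fields: sources, sourcesContent, sourceRoot).
function auditSourceMap(path, map) {
  const findings = [];
  const embedded = (map.sourcesContent || []).filter((s) => typeof s === "string").length;
  if (embedded > 0) findings.push({ path, issue: "embedded-source", detail: `${embedded} file(s)` });
  const urls = [map.sourceRoot, ...(map.sources || [])]
    .filter((s) => typeof s === "string" && REMOTE.test(s));
  for (const url of urls) findings.push({ path, issue: "remote-source-url", detail: url });
  return findings;
}

// Find sourceMappingURL comments left behind in shipped JavaScript.
function auditScript(path, text) {
  const findings = [];
  for (const m of text.matchAll(MAP_REF)) {
    const ref = m[1];
    const issue = ref.startsWith("data:") ? "inline-map" : REMOTE.test(ref) ? "remote-map-ref" : "map-ref";
    findings.push({ path, issue, detail: ref.slice(0, 80) });
  }
  return findings;
}

// `files` maps each packed path to its text content.
function auditPackage(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      findings.push({ path, issue: "map-file-shipped", detail: `${text.length} bytes` });
      try {
        findings.push(...auditSourceMap(path, JSON.parse(text)));
      } catch {
        findings.push({ path, issue: "unparseable-map", detail: "not valid JSON" });
      }
    } else if (/\.(c|m)?js$/.test(path)) {
      findings.push(...auditScript(path, text));
    }
  }
  return findings;
}

// Constructed sample package (hypothetical names and URL).
const samplePackage = {
  "package.json": '{"name":"example-cli","version":"0.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3, file: "cli.js", mappings: "AAAA",
    sources: ["https://storage.example.invalid/src.zip", "../src/main.ts"],
    sourcesContent: [null, "export const main = () => {};"],
  }),
};

for (const f of auditPackage(samplePackage)) console.log(`${f.issue}\t${f.path}\t${f.detail}`);
```

In a release job, build the `files` object from the paths that `npm pack --dry-run` reports and fail the job when `auditPackage` returns any finding.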
Another reason for this entire mistake came to light when people started digging deeper. Anthropic had acquired Bun, a modern JavaScript runtime, last year, and Claude Code was built on Bun. There was a known bug report on Bun's GitHub, numbered #28001, filed on March 11, 2026, just 20 days before the leak. This bug was causing source maps to be served even in production mode, even though Bun's documentation stated that production builds should not have source maps. Anthropic ignored a known, reported bug in their own acquired toolchain and exposed their source code to the world, which is a huge mistake.
Chaofan Shou: The Guy Who Saw It and Uploaded It First
The first person to notice this was not an experienced senior security researcher; it was Chaofan Shou, an intern at the blockchain security firm Fuzzland. Chaofan scanned the npm package, noticed the source map file, extracted the direct URL and downloaded the zip archive directly from Anthropic's cloud storage bucket. Then, without hesitation, he posted the direct link to Twitter, and the post went viral along with this image.

Within minutes, thousands of developers reached the link. They downloaded and extracted the zip and started analyzing the code. Within a few hours, developers uploaded copies of the entire codebase to GitHub. GitHub repositories were flooded with stars and forks. In a single night, one repository was forked more than 41,500 times. This means that 41,500 different GitHub accounts saved their own copies of the leaked code. No matter what Anthropic did, including sending DMCA notices, the code could not be recovered from the internet. What's on the Internet once stays there forever.
What was inside: the truth about the entire leak
When developers began to unravel the code, what they encountered was not just technical lines; it was a complete engineering blueprint. The code contained tool execution logic that explained how Claude Code safely runs different software tools. Permission schemas explained when and how permissions are obtained from users. There were the memory systems, which we'll discuss in detail later. Telemetry code revealed what data Anthropic was collecting about its users. And the most sensitive of all were the system prompts: those hidden instructions that tell Claude how to behave as a coding agent, how to approach tasks, when to stop and when to move forward.
Those system prompts were compiled directly into the CLI, meaning these instructions were embedded within the software you install. Security experts noted that this is a concerning design choice, as it means that future prompt injection attacks, where an attacker feeds false instructions to Claude, could become more targeted and effective. Attackers no longer need to guess; they know exactly what instructions were given to Claude and can design attacks accordingly.
The telemetry code revealed another interesting thing. Claude Code's system scanned user prompts for signals of abuse or frustration, essentially passively observing how frustrated the user was, but not logging full conversations or code. In other words, it was a passive frustration detector that helped Anthropic improve the product, but the user was unaware of it. The code also had another feature called undercover mode. In this mode, Claude Code was instructed to automatically remove Anthropic's internal codenames and project details from git commits and pull requests. In other words, it was hiding internal references to Claude in the developer's git history without their knowledge.
44 feature flags that should never have been made public
Perhaps the most strategically sensitive part of the leak was the 44 feature flags embedded in the code. Feature flags are a programming technique that allows features to be turned on or off at runtime. In Anthropic's case, more than 20 of these 44 flags were fully built into the code; the code was written and the logic was complete, but Anthropic had not yet released them publicly. This was Anthropic's private roadmap. The company was carefully planning when and how to release those features. And this roadmap was now in front of competitors.
Among these unreleased features was one where Claude could review its latest session, learn from the previous session, analyze its mistakes and perform better in the next session. Another feature was COORDINATOR MODE. In this mode, a master agent could spawn multiple worker agents in parallel and assign them to different tasks. A large task would arrive, the master agent would break it into small pieces, assign each piece to a different agent, have them all work in parallel, and then merge the final results.
This was a sophisticated system of multi-agent collaboration. Then there was another feature called BUDDY: a terminal pet. It sounds funny, but it was actually an interesting engagement feature in which 18 different species were available, including a capybara, and each pet had stats like DEBUGGING, PATIENCE and CHAOS. While this feature was interesting on the one hand, because of the leak it also carried a different clue: the name Capybara was connected to Anthropic's next unreleased model.

The secret feature that surprised me the most
The most discussed topic in the leaked code was Kairos. Kairos is an ancient Greek word meaning "right on time", and Anthropic chose this word to describe a feature that would fundamentally change Claude Code. Kairos was mentioned more than 150 times in the code, making it clear that this was not some experimental side project; it was a central architectural decision in which Anthropic was investing heavily.
Kairos transforms Claude Code into an always-on background daemon. Currently, Claude Code is a reactive tool: you give it a few commands, it does what it is told, and then it's done. But with Kairos, it becomes an autonomous agent running continuously in the background. It watches files, logs and events, monitors the system and continues active tasks even without user interaction. And it does not stop there.
There is a sub-feature in Kairos called AutoDream. It gets activated when the user is idle, i.e. when you go on a break from work or close the laptop to go to sleep. During this idle time, Claude Code runs the dreaming process. It merges memories from different sessions, removes contradictions if there are any, and converts vague and ambiguous observations into concrete and verified facts. This is exactly the same work that the human brain does while sleeping at night: consolidating memories, removing unnecessary things, strengthening useful things. Anthropic had built a sleeping and dreaming mechanism into its AI agent, and this mechanism was now available to everyone.
Anthropic's 3-Layer Memory System: A Formula That Should Have Stayed Secret
Another very valuable part of the leaked code was Anthropic's 3-layer memory architecture, the formula that kept Claude Code from becoming confused or hallucinatory even during long and complex sessions. AI agents suffer from a common and well-known problem called context entropy. The more work there is, the more context accumulates, and a time comes when the model becomes so overwhelmed that it starts performing incorrect, confusing or repetitive tasks. Anthropic developed an original and sophisticated solution to this problem, and that solution is now widely known.
The first layer, MEMORY.md, is a lightweight index file that is always loaded into the context. However, this file does not contain actual data, only pointers: small entries that simply indicate where the actual information is located. The second layer is topic files, which store the actual project knowledge; these files are loaded into the context only when needed. Once the work is complete, those files are removed from the context. The third layer is raw transcripts; they are never loaded into the context in full. They are simply grepped, meaning specific identifiers are searched for and only the required part is extracted.
Another critical rule in the code was called Strict Write Discipline. Claude does not update its memory until the file is successfully written to disk. In other words, it never pollutes memory with failed attempts. It's a simple rule, but its result is that Claude's memory always reflects the real and verified state, not an assumed or incomplete state. This architecture is very elegant and very smart, and it was now in front of the entire AI community. Companies that were trying to solve this same problem now had a complete, production-tested solution for free.
Capybara: the secret of Anthropic's next model was also revealed
This leak was not just about Claude Code; it also mentioned Anthropic's unreleased AI model. The leaked code confirmed that Anthropic was developing a new model internally codenamed Capybara, which was also referred to as Mythos in some places. This was the same model whose details had surfaced in a separate leak a few days earlier, when more than 3000 internal Anthropic files, including a draft blog post about Capybara, were accidentally made public.
Roy Paz, senior AI security researcher at LayerX Security, told Fortune that the leaked code suggests Capybara will come in both fast and slow versions due to the model's apparently larger context window. Paz said that when launched it will be the most advanced model available on the market. This is no longer Anthropic's secret: competitors know what's coming in the next 6 to 12 months, what the model's structure will be and what capabilities are expected.
What the competitors got: a free engineering education
Claude Code's main competitors are Cursor, GitHub Copilot from Microsoft and OpenAI, Gemini Code Assist from Google, Windsurf from Codeium, and several open source alternatives. Engineers from all of these companies saw the leaked code. It would be naive to assume they did not. And what they saw was a complete engineering blueprint.
Competitors learned how Anthropic solved context entropy: the 3-layer memory architecture they developed over years of research and iteration. They looked at the permission system: exactly when, how and why permissions are requested from the user so that trust is built. They understood the tool execution logic: how to run AI tools safely without putting the system at risk. The feature roadmap was revealed, along with more than 20 unreleased features that competitors can now build. A cybersecurity professional told Fortune that the leak was a free engineering education for competitors and also a complete blueprint. The thing that Anthropic had invested years of hard work and millions of dollars in was in front of everyone overnight.
The Axios supply chain attack: a separate, dangerous threat that same night
Along with the leaked source code, a completely different and technically more dangerous incident also occurred that same night. A malicious version of Axios, a popular JavaScript library, was uploaded to npm as versions 1.14.1 and 0.30.4. These versions appeared to be genuine updates but contained a Remote Access Trojan (RAT). Claude Code uses the Axios library, so any developer who installed or updated Claude Code within that specific time window could have automatically received this malicious library.
This attack was active between 00:21 UTC and 03:29 UTC on March 31, 2026, a window of just three hours. Developers who installed or updated Claude Code via npm during this window should check their package-lock.json, yarn.lock or bun.lockb file. If the axios version is 1.14.1 or 0.30.4, or if there is a dependency named plain-crypto-js, the system could potentially be compromised and all credentials should be rotated immediately. Anthropic itself recommends that developers use Anthropic's native installer instead of npm, which is a much safer option.
Both incidents, the source code leak and the Axios attack, occurred on the same night. Some consider them related, others coincidental. But one thing was certain: the same night Claude Code's source code was exposed, a supply chain attack on one of Claude Code's dependencies also occurred, and this combination was a matter of serious concern for any active Claude Code developer.
What Anthropic Said: Official Response
Anthropic provided an official statement to multiple media outlets. A company spokesperson said: "Today some internal source code was included in a Claude Code release. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We are taking measures to prevent this from happening again."
The statement was very measured, and media critics immediately questioned it. The company carefully chose the words "human error" and "packaging issue", making it seem trivial. But what was not in the statement was more important. The statement did not specify what measures would be taken to prevent this specific error. It did not specify what measures had been taken since February 2025 and why they had failed. It also completely ignored the fact that the bug had been known for 20 days and hadn't been fixed.
That incident of 1 February 2025
Perhaps the most concerning aspect of the entire incident was that this was not new to Anthropic. In February 2025, just 13 months earlier, an early version of Claude Code was accidentally exposed in a similar manner. At that time, the source code was publicly accessible, and some connections to Anthropic's internal systems were also exposed. Anthropic then removed the code, apologized and stated that measures would be taken.
But 13 months later: the same mistake. The same type of vulnerability. The same source map issue in the same npm package. This clearly shows that after February 2025 Anthropic had not implemented any effective safeguards against this specific vulnerability type, or if it had, it had not implemented them properly. This caused considerable anger in the security community, because this was not just a technical failure; it was a process failure. A company that calls itself the world's most safety-conscious AI lab was making the same mistake twice in a year.
Human error or something else?
Many theories have been circulating online since the leak. Some say it was deliberate, performed by an insider. Two major leaks in the same week, first the Capybara model details and then the source code, do not seem coincidental to some. But the technical evidence does not support any insider theory. What happened was quite mundane: a misconfigured build pipeline, a known bug that was ignored, and a direct URL that pointed to cloud storage. No one had to deliberately expose anything; negligence was enough.
The Bun bug angle is particularly concerning. That bug was officially reported on March 11, 2026 on Bun's GitHub, and 20 days later the same bug led to Claude Code exposing its source code. If Anthropic's engineers had noticed the bug report, actively monitored it or properly tested Bun's production behavior, this incident would not have occurred. And there's an irony here: Anthropic acquired Bun because they wanted more control over their toolchain. But that very acquired toolchain exposed their source code.
If you are a developer, do this now
If you use or have used Claude Code, there are some specific steps you should take. First, check whether you installed or updated Claude Code via npm, specifically between 00:21 UTC and 03:29 UTC on March 31, 2026. If yes, then this is a priority matter. Open your package-lock.json or yarn.lock and check the version of axios; if it is 1.14.1 or 0.30.4, then this is a malicious version. Also check for any dependency named plain-crypto-js; this is an indicator of this malicious package.
If any of these match, change all your API keys, passwords and sensitive credentials immediately. This is more of a precautionary step, but precaution is the best response in this situation. Going forward, Anthropic recommends using their native installer for Claude Code instead of npm; it's a more secure option because it comes directly from Anthropic's servers and is unaffected by vulnerabilities in the npm chain. Update to the latest version of Claude Code; the affected version was 2.1.88, which Anthropic has pulled and replaced.
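The lockfile check described in the steps above and in the earlier Axios section, as an added example that is not code from Anthropic or from this article's sources: it reads the text of a package-lock.json or yarn.lock and reports the Axios versions and the dependency name given in the article. The sample lockfile fragments are constructed; bun.lockb is a binary file and is not parsed here.

```javascript
// Added example: look for the indicators named in the article in lockfile text.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]); // malicious versions per the article
const BAD_DEPENDENCY = "plain-crypto-js";        // dependency named in the article

function classify(name, version, where) {
  const bad = (name === "axios" && BAD_AXIOS.has(version)) || name === BAD_DEPENDENCY;
  return bad ? [{ name, version, where }] : [];
}

// package-lock.json: v2/v3 carry a flat "packages" map, v1 nests "dependencies".
function checkPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = key.split("node_modules/").pop();
      if (name) hits.push(...classify(name, entry.version, key));
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${trail}>${name}`;
      hits.push(...classify(name, entry.version, where));
      walk(entry.dependencies, where);
    }
  };
  walk(lock.dependencies, "root");
  return hits;
}

// yarn.lock: classic (`version "x"`) and Berry (`version: x`) entry styles.
function checkYarnLock(text) {
  const hits = [];
  let name = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      const spec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      const at = spec.indexOf("@", 1); // skip the leading "@" of a scoped name
      name = at > 0 ? spec.slice(0, at) : spec;
      continue;
    }
    const m = /^ {2}version:?\s+"?([^"\s]+)/.exec(line);
    if (m && name) hits.push(...classify(name, m[1], `yarn.lock:${name}`));
  }
  return hits;
}

// Constructed lockfile fragments (not taken from any real project).
const sampleNpmLock = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0" },
  },
});
const sampleYarnLock = [
  "axios@^0.30.0:", '  version "0.30.4"', "", '"@types/node@^20.0.0":', '  version "20.11.0"',
].join("\n");

for (const h of [...checkPackageLock(sampleNpmLock), ...checkYarnLock(sampleYarnLock)]) {
  console.log(`SUSPECT ${h.name}@${h.version} (${h.where})`);
}
```

Pass in the file text, for instance from `fs.readFileSync(path, "utf8")`; any hit means moving on to the credential rotation step above.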
One last thing: a small mistake, a big lesson
March 31, 2026 was the day when a small, seemingly innocuous technical mistake proved that no matter how big, how smart and how safety-first a company is, no one is immune to negligence and process failures. A misconfiguration of an npm ignore file, a known bug that remained unfixed for 20 days, a direct URL pointing to cloud storage: that was all it took to lay bare the entire blueprint of the most valuable product of a company with a $19 billion revenue run rate.
The lesson for Anthropic is that safety first should not be a company's product slogan; it should be embedded in every developer, every release, every build pipeline. Technical excellence and operational security go hand in hand; prioritizing just one is not enough. The lesson for competitors is that a leaked blueprint is one thing; actually building from it and creating a sustainable product is a completely different challenge. And the lesson for developers is that no matter how popular or trusted the tools are, check dependencies, protect credentials and do not blindly trust any updates.
This leak won't be reversed. Those 41,500 forks won't be erased. That code will always be available somewhere. But now is also an opportunity for Anthropic to prove that a company learns from mistakes and doesn't make the same mistake twice. Time will tell whether they seize this opportunity or not.