How two separate security failures in five days accidentally revealed a model Anthropic describes as “by far the most powerful AI we’ve ever developed,” triggered a market selloff, and exposed the deep tensions between frontier AI ambition and basic operational security.
There is a particular kind of irony that Silicon Valley seems to produce with alarming regularity: the company that builds the most sophisticated lock in the world, only to leave the key under the doormat. In the final week of March 2026, Anthropic — the AI safety company that has spent years building its brand on careful, deliberate development — managed to achieve this irony twice in the span of five days, and in doing so, accidentally announced what may be the most consequential AI model yet developed.
The leaks were not the result of a sophisticated nation-state hack or a coordinated breach by a cybercriminal group. They were, as Fortune’s Beatrice Nolan first reported, the result of human error — the kind of mundane configuration mistake that keeps IT security teams awake at night. A misconfigured content management system. A forgotten source map file in an npm package. Two misclicks, in effect, that between them exposed the architecture of a frontier AI model, nearly 3,000 internal documents, approximately 512,000 lines of proprietary source code, and an internal model roadmap that Anthropic had no intention of sharing with the world.
The model at the center of everything is called Claude Mythos — internally referred to by the codename Capybara — and by all accounts, it is something genuinely new.
A Company Built on Safety, Caught Off Guard by a Settings Toggle
To understand why these leaks landed with such force, it helps to understand who Anthropic is and what it has been trying to build. Founded in 2021 by Dario Amodei, Daniela Amodei, and a group of former OpenAI researchers, Anthropic has positioned itself as the AI lab that takes existential risk seriously.
Its “Constitutional AI” approach, its model cards documenting dual-use risks, and its responsible scaling policies have made it a trusted interlocutor with policymakers in Washington, London, and Brussels. The company has raised billions of dollars partly on the promise that it can be trusted to develop powerful AI carefully.
Against that backdrop, the events of late March 2026 were more than embarrassing. They were a stress test of the company’s credibility — and the story of how they unfolded is worth examining in detail.
The First Leak: March 26 and a Publicly Searchable Data Store
The chain of events began when Roy Paz, a senior AI security researcher at LayerX Security, and Alexandre Pauwels, a cybersecurity researcher at the University of Cambridge, independently discovered something unusual: a large cache of data linked to Anthropic’s public blog that was sitting in an unsecured, publicly searchable data store — no authentication required.
As Fortune reported in its exclusive, Fortune asked Pauwels to assess and review the material. What he found was striking. In total, there appeared to be close to 3,000 assets linked to Anthropic’s blog that had not been published previously on the company’s news or research sites, all of which were nonetheless publicly accessible in the data cache.
The mechanism of the leak was straightforward. Anthropic uses an off-the-shelf content management system (CMS) to publish its public blog. Digital assets created using that CMS are set to public by default and assigned a publicly accessible URL when uploaded — unless the user explicitly changes a setting to keep them private. Someone at Anthropic, it appears, simply hadn’t made that change for a large batch of materials. As Techzine noted, the CMS behavior is a known quirk of such systems, but it requires active attention to override. Attention that, on this occasion, was not paid.
When Fortune informed Anthropic of the exposure on Thursday, March 26, the company removed public access to the data store and provided a statement acknowledging that “an issue with one of our external CMS tools led to draft content being accessible,” attributing the incident to “human error.” The company described the exposed material as “early drafts of content considered for publication.”
What was in that drafts folder, however, was anything but routine.
What the Cache Contained: A Model Called Mythos
The centerpiece of the leaked cache was a draft blog post announcing a new AI model. The draft was structured like a formal product announcement — complete with headings, prose, and a publication date — suggesting it had been written in preparation for an imminent launch that, as of Thursday evening, had not yet happened.
The model described in the draft is called Claude Mythos. Internally, it is referred to by the codename Capybara. The two names appear to refer to the same underlying model, as both Fortune and Techzine confirmed based on their review of the documents.
What makes Claude Mythos significant is not merely that it is Anthropic’s next model — that much was always going to be true of some future release. What is significant is the structural claim embedded in the draft: Capybara is not simply the next version of Claude Opus. It represents an entirely new tier.
Anthropic currently organizes its models into three tiers: Opus (the largest and most capable), Sonnet (faster and cheaper but less capable), and Haiku (the smallest and most affordable). The leaked blog post describes Capybara as “a new name for a new tier of model: larger and more intelligent than our Opus models — which were, until now, our most powerful.” In other words, Mythos would sit above everything Anthropic has previously shipped to market.
The draft made bold claims about the model’s performance. “Compared to our previous best model, Claude Opus 4.6, Capybara gets dramatically higher scores on tests of software coding, academic reasoning, and cybersecurity, among others,” the document stated, as quoted by Fortune. The draft also described the model as “by far the most powerful AI model we’ve ever developed” — language that, notably, is unusual even for an industry accustomed to superlatives.
After Fortune contacted Anthropic with its findings, an Anthropic spokesperson confirmed the model’s existence in a statement that was careful but unambiguous: “We’re developing a general purpose model with meaningful advances in reasoning, coding, and cybersecurity. Given the strength of its capabilities, we’re being deliberate about how we release it. As is standard practice across the industry, we’re working with a small group of early access customers to test the model. We consider this model a step change and the most capable we’ve built to date.”
The Cybersecurity Dimension: An Unprecedented Dual-Use Risk
Of all the things revealed in the leaked draft, the section on cybersecurity generated the most immediate alarm. Mashable and Futurism both flagged the extraordinary nature of Anthropic’s own warnings about the model it was preparing to release.
The draft stated that Claude Mythos is “currently far ahead of any other AI model in cyber capabilities” — a claim that, coming from the model’s own developer, carries a different weight than it would from a marketing department. More alarming still was the framing that followed: the model “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.”
The company was, in other words, warning that its own product could tilt the balance of the cyber arms race in favor of attackers.
The language used in the draft was deliberate about this risk: “In preparing to release Claude Capybara, we want to act with extra caution and understand the risks it poses — even beyond what we learn in our own testing. In particular, we want to understand the model’s potential near-term risks in the realm of cybersecurity — and share the results to help cyber defenders prepare.”
This wasn’t abstract concern. As Euronews reported, Anthropic has been privately warning top government officials that Mythos makes large-scale cyberattacks much more likely in 2026, according to reporting by Axios. The company’s rollout plan reflects this: rather than a broad consumer or enterprise release, Mythos would first go to cybersecurity organizations, giving defenders a head start before the model became more widely available.
This is a strategy Anthropic has articulated before in the context of dual-use AI. Its Opus 4.6 model, Techzine noted, had already topped Terminal-Bench 2.0 at 65.4%, surpassing competing models, and the company had already acknowledged that Opus 4.6 was capable of autonomously identifying zero-day vulnerabilities in production codebases. Mythos, by the company’s own description, takes these capabilities significantly further.
It is worth pausing here on the irony that Futurism highlighted: the model touted as “far ahead of any other AI model in cyber capabilities” was revealed to the world because of a misconfigured content management system. The cybersecurity community noticed.
Chinese State-Sponsored Actors and Claude Code
Buried within Fortune’s original reporting was a detail that added another dimension to the security story. Prior to the leak, Anthropic had already detected that a Chinese state-sponsored hacking group had been running a coordinated campaign using Claude Code — Anthropic’s agentic coding tool — to infiltrate roughly 30 organizations, including tech companies, financial institutions, and government agencies. After detecting the campaign, Anthropic investigated the full scope of the operation over the following ten days, banned the accounts involved, and notified the affected organizations.
This wasn’t the company’s first encounter with state-sponsored misuse. As Futurism documented and Anthropic had previously acknowledged, the company had reported in November 2025 that a Chinese state-sponsored group had exploited Claude’s agentic capabilities by “pretending to work for legitimate security-testing organizations” to sidestep its AI guardrails. The leak thus arrived against a backdrop of documented real-world misuse — making the company’s concerns about Mythos’s cybersecurity capabilities all the more credible.
Beyond the Cybersecurity Draft: An Invite-Only CEO Summit
Not everything in the leaked cache was directly related to the Mythos model. The same publicly accessible data store also contained a PDF describing an upcoming, invitation-only two-day retreat for European CEOs, to be held at an 18th-century manor in the English countryside. Anthropic CEO Dario Amodei was scheduled to attend.
The document described an “intimate gathering” to engage in “thoughtful conversation” and indicated that attendees — described as Europe’s most influential business leaders — would have the opportunity to experience unreleased Claude capabilities and hear from policymakers about AI adoption.
In a statement to Fortune, Anthropic described this as “part of an ongoing series of events we’ve hosted over the past year.” It was, in other words, not a secret event — but the PDF containing its details was clearly not meant for public consumption, and its inclusion in the leaked cache underscored how indiscriminately the CMS had exposed materials.
Five Days Later: The Source Code Leak
If the CMS exposure was embarrassing, the second leak — which came just five days later, on March 31 — was potentially more damaging in a technical sense.
As Fortune reported in a second exclusive, also by Beatrice Nolan, Anthropic accidentally exposed the source code for Claude Code — the company’s popular agentic coding CLI — through a misconfigured npm package. Specifically, version 2.1.88 of the @anthropic-ai/claude-code package, pushed to the public npm registry in the early hours of March 31, contained a 59.8 MB JavaScript source map file that should never have been included in a production release.
By 4:23 a.m. ET, Chaofan Shou (@Fried_rice), an intern at Solayer Labs, spotted the file and posted about it on X. As VentureBeat’s Carl Franzen reported, within hours the approximately 512,000-line TypeScript codebase had been mirrored across GitHub, where multiple repositories archiving the code accumulated thousands of stars and forks.
The mechanism was a straightforward, well-known failure mode. JavaScript source map files (.map files) are debugging artifacts that map compressed, minified production code back to the original human-readable source. They contain the actual, literal source code embedded as strings inside a JSON file. These files exist to help developers debug production crashes without needing to stare at minified blobs — but they should never be distributed in a public package because they expose exactly the code a developer would want to keep proprietary.
Claude Code uses Bun’s bundler, which generates source maps by default unless explicitly disabled. Someone at Anthropic forgot to exclude the .map file from the npm package — or failed to add the appropriate exclusion rules to .npmignore.
“Usually, large companies have strict processes and multiple checks before code reaches production, like a vault requiring several keys to open,” Roy Paz of LayerX Security told Fortune. “At Anthropic, it seems that the process wasn’t in place and a single misconfiguration or misclick suddenly exposed the full source code.”
Anthropic confirmed the leak in a statement: “Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”
The irony of this particular failure is almost too perfect. As Cyber Kendra noted, buried deep within the leaked source code is an entire subsystem called “Undercover Mode” — specifically designed to prevent Anthropic’s internal information from leaking when Claude Code contributes to public open-source repositories. The system instructs the model to ensure that no internal codenames, AI attributions, or project names leak into public git commits. Anthropic built a sophisticated system to stop its AI from accidentally revealing internal secrets — and then shipped the company’s entire source code in a file it forgot to exclude.
What the Source Code Revealed
For Anthropic, a company with a reported annualized revenue run rate of approximately $19 billion as of March 2026, and whose Claude Code tool alone generates an estimated $2.5 billion in annual recurring revenue, the leak was more than an embarrassment — it was, as VentureBeat observed, “a strategic hemorrhage of intellectual property.”
The 512,000-line codebase, spanning approximately 1,900 files, gave developers, researchers, and competitors an unprecedented view into how Anthropic has constructed the agentic “harness” around its underlying models — the orchestration logic that makes Claude Code more than just a chatbot in a terminal. Several findings from community analysis of the code stand out.
KAIROS: The Always-On Autonomous Agent
Perhaps the most significant architectural revelation is a feature called KAIROS, referenced over 150 times in the source. The name draws from the ancient Greek concept of “kairos” — opportune or right moment — and the feature lives up to it. KAIROS is a persistent, always-running agent mode that does not wait for user input. It watches, logs, and proactively acts on what it observes, with a 15-second blocking budget — any action that would interrupt the user’s workflow for longer than that threshold gets deferred.
The system maintains append-only daily log files and includes a background process called autoDream that performs memory consolidation while the user is idle: merging disparate observations, removing logical contradictions, and converting vague insights into concrete facts. When a user returns to an active session, the agent’s context has already been cleaned and prepared. As VentureBeat analyzed, this represents a fundamental shift from today’s reactive AI tools toward an always-on background model that works continuously on your behalf.
Undercover Mode: AI Contributions Hidden in Open Source
The “Undercover Mode” discovered in the source code confirms that Anthropic uses Claude Code for covert contributions to public open-source repositories. The system prompt instructs the model explicitly: commit messages and pull requests “MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.” Internal codenames — including Capybara, Fennec, and Numbat — must not appear in public git logs. As Modem Guides summarized, this provides a technical blueprint for any organization wishing to use AI agents for public-facing work without attribution.
Internal Model Roadmap: Capybara, Fennec, and Numbat
The leaked source code also provided direct corroboration for what the CMS leak had implied, while adding nuance. As VentureBeat confirmed, the code confirms that Capybara is the internal codename associated with the Claude Mythos model, with Fennec mapping to Opus 4.6 and an unreleased model called Numbat still in testing. The codename Tengu appears hundreds of times as a prefix for feature flags and analytics events and is likely Claude Code’s own internal project codename.
Critically, the internal comments reveal that Anthropic is already on Capybara version 8 — and that this version still carries a 29-30% false claims rate, which is a notable regression from the 16.7% rate recorded in Capybara v4. Developers analyzing the code also noted the presence of an “assertiveness counterweight” — a mechanism designed to prevent the model from becoming too aggressive when rewriting code.
These details are invaluable for outside researchers because they demonstrate the real-world difficulty of pushing frontier models forward: even the most capable system in development carries meaningful accuracy gaps that its engineers are actively working to close.
The code also references both “fast” and “slow” variants of Capybara, aligning with Fortune’s reporting from the second leak. References in community analysis to a “capybara-v2-fast” variant with an extended context window emerged in developer discussions on X and Reddit, though the precise token limit claimed in various social media posts was not independently verified by major publications.
BUDDY: A Tamagotchi in Your Terminal
Less operationally significant but widely discussed was the discovery of an elaborate virtual pet system called BUDDY. As documented in the GitHub archive of the leaked code, BUDDY is a fully implemented Tamagotchi-style companion that sits in a speech bubble next to the user’s input prompt. It features 18 species with rarity tiers from Common (60%) to Legendary (1%), procedurally generated statistics including DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK, and a personality (“soul”) written by Claude on first hatch.
A shiny variant system adds a further 1% independent probability on top of rarity. The species assigned to a given user is deterministic, derived from a hash of the user ID — meaning the same user always encounters the same companion. The code indicated a teaser rollout planned for April 1-7, 2026, with a full launch in May. The internet, predictably, found this delightful.
Memory Architecture and Telemetry
The leaked code also exposes Claude Code’s three-layer memory architecture — a system designed to prevent what engineers call “context entropy,” the tendency for long AI sessions to become confused as accumulated information grows unwieldy. At its core is a lightweight index (MEMORY.md) that stores pointers to project knowledge rather than the knowledge itself.
Actual project data lives in topic files fetched on demand, while raw transcripts are never fully re-read but grep’d for specific identifiers. A “Strict Write Discipline” prevents the agent from logging failed attempts into its own context, keeping the working memory clean.
Alongside this, the code reveals that Claude Code polls a remote settings endpoint on Anthropic’s servers every hour, receiving configuration updates via GrowthBook feature flags. The system contains six or more remote killswitches capable of forcing specific behaviors — from bypassing permission prompts to forcing the application to exit. It also, as noted by multiple Reddit commenters, tracks specific user behaviors including when users swear at Claude, routing these signals through Datadog for frustration analysis.
The Concurrent Supply Chain Threat
The npm source code leak did not occur in a vacuum. As VentureBeat reported, a separate supply chain attack on the widely used axios npm package occurred in the same time window as the Claude Code leak. Anyone who installed or updated Claude Code via npm on March 31, 2026, between 00:21 and 03:29 UTC may have inadvertently pulled in malicious versions of axios (1.14.1 or 0.30.4) containing a Remote Access Trojan (RAT).
Anthropic subsequently designated its native installer — accessed via curl -fsSL https://claude.ai/install.sh | bash — as the recommended installation method specifically because it bypasses the npm dependency chain. Users still on npm were advised to uninstall version 2.1.88 and revert to 2.1.86, and to check their project lockfiles for the affected axios versions or a dependency called plain-crypto-js.
The convergence of these two events — Anthropic’s source code leak and a concurrent supply chain attack — created a compounded security risk for developers using the tool during that window, and illustrated the cascading consequences that can follow from a single operational misstep in a complex software ecosystem.
Market Impact: When an AI Leak Moves Cybersecurity Stocks
Financial markets registered the Claude Mythos news with immediate and significant reactions, focused primarily on the cybersecurity sector.
CNBC’s Samantha Subin reported that on March 27, the day after Fortune’s initial story, the iShares Cybersecurity ETF lost 4.5%, while CrowdStrike, Palo Alto Networks, and Zscaler each dropped approximately 6%. SentinelOne tumbled 6%, Okta and Netskope each fell more than 7%, and Tenable plummeted 9%. The iShares Expanded Tech-Software Sector ETF (IGV) fell roughly 2.5-3%.
The rationale was straightforward, even if jarring in its implications. If Claude Mythos is genuinely “far ahead of any other AI model in cyber capabilities” and “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace defenders,” then the entire value proposition of dedicated cybersecurity software companies — whose products are predicated on a manageable threat landscape — faces a potential structural disruption.
The concern was not that Anthropic would put CrowdStrike out of business directly, but that models like Mythos would dramatically lower the cost and technical barrier to sophisticated cyberattacks, forcing the entire industry to retool and adapt faster than existing product roadmaps anticipated.
The cryptocurrency market was not immune. As CoinDesk’s Helene Braun reported, Bitcoin slid back to approximately $66,000, pulling back from flirtations with $70,000 hours earlier. The connection between an AI model announcement and Bitcoin’s price may seem indirect, but in the context of a broad risk-off sentiment triggered by cybersecurity concerns — and the crypto ecosystem’s own acute vulnerability to sophisticated exploits — the movement was not inexplicable.
Anthropic’s Response and the Rollout Strategy
In the days following both leaks, Anthropic’s public position was to confirm the essential facts, acknowledge the operational failures, and pivot toward what the company’s leadership clearly intended to be the real conversation: the deliberate, safety-first approach it plans to take in releasing Mythos.
The leaked draft had already outlined this strategy in some detail. The plan is to begin with a phased early-access program focused specifically on cybersecurity organizations — giving defenders a head start to harden their infrastructure against the coming wave of AI-enabled attacks. The draft noted that Mythos is expensive to serve and not yet ready for general availability, and that Anthropic is working to make the model more computationally efficient before a broader release.
An Anthropic spokesperson’s statement to Fortune underscored the deliberate pace: “Given the strength of its capabilities, we’re being deliberate about how we release it.” The company described the rollout as focused on “a small group of early access customers” and said it considered the model “a step change and the most capable we’ve built to date.”
Roy Paz of LayerX Security, who was involved in both the analysis of the CMS cache and the npm code, flagged concerns about the source code leak that went beyond competitive intelligence. As Fortune reported in its second story, Paz noted that even without special encrypted access keys, it appears possible to access certain internal services through the leaked code that should ordinarily be restricted — a vector that could give malicious actors, including nation-states, new opportunities to probe Anthropic’s systems and potentially bypass safety guardrails.
The Broader Implications: Operational Security in the Frontier AI Era
It is tempting to treat the Anthropic leaks primarily as embarrassments — company mishaps that provide good fodder for irony-merchants. But that framing understates what the events actually reveal about the current state of frontier AI development.
First, there is the question of operational maturity. Two significant data exposures in five days, both attributable to routine configuration management failures, at a company reporting an estimated $19 billion annualized revenue run rate, suggests that internal processes have not kept pace with the company’s growth and the sensitivity of the information it now handles. As Modem Guides observed, two configuration errors of this magnitude in the same week establish a pattern, not a coincidence.
Second, the source code leak has potentially significant competitive consequences. Claude Code’s agentic harness — the orchestration layer that gives the product its distinctive behavior — is now effectively open knowledge. VentureBeat noted that competitors can study the three-layer memory architecture, the multi-agent coordination system, the validation logic for bash commands, and the entire structure of the tool to build “Claude-like” agents with a fraction of the original R&D investment. What took Anthropic years and hundreds of millions of dollars to develop has been handed to the market in a 59.8 MB debugging artifact.
Third — and most consequentially — the leaks have forced into public view a conversation about AI and cybersecurity that was previously happening only behind closed doors. Anthropic’s internal warning that Mythos “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders” is not a puff of marketing hyperbole.
It is a risk assessment from the people who built the model, and they clearly believe it. The fact that they were planning to warn cybersecurity defenders before releasing the model widely — an approach that has no obvious precedent in prior product launches — suggests that this risk assessment was being taken seriously internally even before the market selloff made it front-page news.
The question of what “carefully” means in practice — when the model in question is the most capable cybersecurity tool ever built — is one the AI industry has not yet fully answered. Anthropic’s leaked draft shows a company genuinely wrestling with this question, but the operational failures of the same week show that good intentions and careful language in a blog post draft do not automatically translate into the kind of organizational rigor that frontier AI capabilities now demand.
What We Still Don’t Know
As of the end of March 2026, several significant uncertainties remain. Anthropic has not announced a public release date for Claude Mythos. The final marketing name is not confirmed — both Fortune and Techzine note that Capybara and Mythos appear to refer to the same model, but neither name may be the final product name.
The exact benchmark scores and capabilities of the model have not been independently verified — the leaked draft contained Anthropic’s own characterizations, which should be read with the awareness that companies typically present their products favorably. The VentureBeat analysis of the source code noted that Capybara v8 carries a 29-30% false claims rate, which is a material caveat to the “dramatically higher scores” language in the draft blog post. The gap between internal testing performance and real-world deployment performance has proven significant for multiple frontier models before.
The precise contours of the planned rollout — which organizations will receive early access, what evaluation criteria they must meet, and what information they will be required to share with Anthropic in exchange — remain undisclosed. And the question of how regulators in the US, EU, and UK will respond to the emergence of a model that its own developer describes as posing unprecedented cybersecurity risks is entirely open.
Conclusion: A Week That Changed the Conversation
The Claude Mythos leaks of late March 2026 will be remembered for several things simultaneously: as a cautionary tale about operational security at frontier AI companies, as an inadvertent product announcement that triggered a market selloff, and as the moment the cybersecurity implications of frontier AI models became impossible to ignore in mainstream discourse.
Techzine put it well: “It’s somewhat ironic given the fact details about it were leaked due to a misconfiguration — perhaps Mythos can step in to prevent a repeat in the future.” There is dark comedy in the idea that an AI model described as far ahead of any other system in cyber capabilities was announced to the world because someone didn’t change a default setting in their content management system.
But beneath the irony is something more substantive. The events of that week revealed that the gap between what the most advanced AI systems can do and what the companies building them are operationally prepared to handle is real, and that this gap carries consequences beyond the companies themselves. When a draft blog post warning about “unprecedented cybersecurity risks” ends up in a publicly searchable data store because of a CMS misconfiguration, the risk isn’t just to Anthropic’s reputation. It is a demonstration — made vivid and visible — that the organizations racing to build the most powerful AI systems in history are, in some foundational respects, still figuring out how to do so safely.
The Capybara has left the lab. The race to understand what comes next — for AI capability, for cybersecurity, for the organizations trying to govern both — has only just begun.
Comments 1