A Note Before We Start
Grounded Guardian writes this report about Anthropic as a paying Claude Max customer. Claude is our primary AI tool, and the Dyismo agent harness is built on Claude Code. When this report says Anthropic had a rough week, it is coming from a customer who also does security research, not a competitor.
Two months ago Grounded Guardian published TIR-2026-001, an internal threat intelligence report on OpenClaw, the open-source AI agent framework that went from zero to 30,000 GitHub stars and then got torn apart by attackers within six weeks. That report mapped nine threat vectors to MITRE ATT&CK across 19 sources and coined the term Cognitive Context Theft to describe a new class of data exfiltration targeting AI agent memory files.
That history matters because the attack surface documented in that report is the same architecture Anthropic just accidentally showed the world. The playbook hasn't changed. The companies keep making the same mistakes. The attackers keep getting faster.
This report covers three incidents that happened between March 26 and March 31, 2026. They are connected by timing but not by cause. The compound effect is what matters.
Executive Summary
Here is what happened in plain terms. Anthropic, the company that markets itself as the safety-first AI lab, leaked sensitive information about their most powerful model ever built through a misconfigured content management system. That is a basic mistake. The kind of thing a standard security checkup would have caught.
Five days later, someone on their engineering team shipped a debug file inside a routine software update. That file pointed to a zip archive containing 512,000 lines of Claude Code's source code. Every competitor on the planet now has the blueprint for how Anthropic's $2.5 billion per year coding tool actually works. Over 84,000 people forked it on GitHub before anyone could react.
At the same time, and this part was not Anthropic's fault, attackers compromised a popular software library called axios that Claude Code depends on. Anyone who installed or updated Claude Code during a three-hour window on March 31st may have downloaded a remote access trojan. That means full control of the victim's machine.
Three incidents. One week. The safety-first company.
This is not stated for drama. It is stated because if Anthropic cannot prevent this kind of exposure, the average small business running AI tools without any security review has no idea how exposed they are.
Incident 1: The Mythos Model Leak
What Happened
On March 26, security researchers Alexandre Pauwels at Cambridge and Roy Paz at LayerX Security discovered that roughly 3,000 unpublished files were sitting in a publicly accessible data store connected to Anthropic's blog. No login required. Just there, waiting to be found.
Among those files was a draft blog post about Claude Mythos, a new model Anthropic describes internally as by far the most powerful AI model they have ever developed. The post outlined a new tier of models called Capybara, which sits above Opus in both capability and cost.
Why It Matters
Anthropic's own words from that draft: the model poses unprecedented cybersecurity risks. They wrote that it presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders. That's not me interpreting. That's their language, from their document, about their model.
Axios reported that Anthropic is privately warning top government officials that Mythos makes large-scale cyberattacks significantly more likely in 2026. Cybersecurity stocks dropped on the news. Zscaler alone is down roughly 40% since the start of the year.
The model scores dramatically higher than Claude Opus 4.6 on tests of software coding, academic reasoning, and cybersecurity. Remember that Opus 4.6 can already identify zero-day vulnerabilities autonomously. Mythos goes further. How much further is the question nobody outside Anthropic can answer yet.
The Irony
A company building what it calls the most dangerous AI model in cybersecurity history left the announcement of that model in an unsecured, publicly searchable data store. Because someone misconfigured the CMS. This matters. Configuration errors are in the OWASP Top 10. They have been for years. This is not a novel attack vector. This is day one stuff.
MITRE ATT&CK Mapping (Incident 1)
| Technique | ID | Relevance |
|---|---|---|
| Data from Info Repositories | T1213 | Unsecured CMS data store with sensitive pre-release docs |
| Unsecured Credentials | T1552 | Model capability details and API version strings exposed |
| Gather Victim Org Info | T1591 | Competitors gain strategic intelligence on unreleased roadmap |
Incident 2: Claude Code Source Code Leak
What Happened
On March 31, security researcher Chaofan Shou posted on X that Claude Code's source code had been leaked via a source map file in the npm registry. The post got 28.8 million views. That's not a typo.
Version 2.1.88 of the @anthropic-ai/claude-code npm package shipped with a .map file that contained a reference to an unobfuscated TypeScript source archive on Anthropic's Cloudflare R2 storage. Download the zip, decompress, and you've got the whole thing. Roughly 1,900 files. 512,000 lines of TypeScript.
What Was Inside
- The complete tool system for file operations, bash execution, and web browsing.
- The query engine handling all LLM API calls, streaming, retry logic, and token counting.
- Multi-agent orchestration code for spawning sub-agents and coordinating swarms of them.
- 44 hidden feature flags. 20 or more of those are for capabilities that are fully built but haven't shipped yet.
- KAIROS, an autonomous daemon mode. When you're idle, Claude Code performs memory consolidation in the background. It merges observations, removes contradictions, and converts vague insights into absolute facts. That's not my description. That's what the code does.
- Anti-distillation mechanisms. When enabled, Claude Code injects fake tool definitions into its own prompts so that anyone recording API traffic to train a competing model gets poisoned training data.
- Internal performance data showing 1,279 sessions had 50 or more consecutive failures in a single session, wasting around 250,000 API calls per day globally.
- More references to the Capybara/Mythos model, confirming the earlier leak was real.
Why This Matters More Than a Typical Source Code Leak
Claude Code's value doesn't come entirely from the underlying AI model. A significant portion of its capability comes from the agentic harness, the software layer that tells the model how to use tools, manage files, coordinate with other agents, and govern its own behavior. That harness is what leaked. Fortune put it well: the leak allows a competitor to reverse-engineer how Claude Code's agentic harness works and use that knowledge to improve their own products.
Claude Code's annualized recurring revenue is approximately $2.5 billion. Enterprise adoption accounts for 80% of that. This leak hands every competitor in the space, from Cursor to GitHub Copilot, a production-grade engineering education for free.
The Root Cause
A .npmignore or files field in package.json was misconfigured. That is it. One file, one line, one oversight. The debug artifact that should have been excluded from the published package was not.
There is an additional wrinkle. Anthropic acquired Bun's parent company in late 2025. Claude Code is built on Bun. A Bun bug filed on March 11, still open at the time of the leak, reported that source maps were being served in production mode even though Bun's documentation says they should be disabled. If that bug is what caused this, then Anthropic's own toolchain shipped a known bug that exposed their own product's source code.
MITRE ATT&CK Mapping (Incident 2)
| Technique | ID | Relevance |
|---|---|---|
| Obtain Capabilities: Tool | T1588.002 | Attackers can reverse-engineer the agentic harness for exploit dev |
| Supply Chain Compromise | T1195.002 | npm packaging pipeline failed to exclude debug artifacts |
| Exploitation of Trust | T1199 | Users trust npm packages from verified publishers like Anthropic |
| Software Discovery | T1518 | Feature flags reveal upcoming capabilities and internal architecture |
Incident 3: The Axios Supply Chain Attack
What Happened
This one was not Anthropic's fault. But the timing made it devastating.
On March 31, malicious versions of the axios HTTP client library were published to npm. Axios is one of the most widely used packages in JavaScript. Claude Code depends on it. The trojanized versions, 1.14.1 and 0.30.4, contained a cross-platform remote access trojan hidden inside a dependency called plain-crypto-js.
The exposure window was small. About three hours, from 00:21 UTC to 03:29 UTC on March 31. But anyone who ran npm install or updated Claude Code during that window may have pulled the compromised version. And a RAT means full remote access. Not partial. Full. Command execution, file access, credential harvesting. Everything.
On top of that, attackers started typosquatting internal npm package names that appeared in the leaked Claude Code source. A user named pacifier136 published empty stub packages using those names. Empty for now. But the play is obvious: wait for downloads, then push a malicious update.
If You Used npm on March 31
- Search your lockfiles for axios versions 1.14.1 or 0.30.4, or the dependency plain-crypto-js.
- If you find any of those, treat the machine as fully compromised. Not maybe compromised. Fully.
- Rotate every secret, API key, token, and credential that machine had access to.
- Clean OS reinstall. Not a virus scan. A reinstall.
- Switch to Anthropic's native installer going forward. It uses a standalone binary that doesn't rely on the npm dependency chain at all.
MITRE ATT&CK Mapping (Incident 3)
| Technique | ID | Relevance |
|---|---|---|
| Supply Chain Compromise | T1195.001 | Trojanized axios published to public npm registry |
| Command & Scripting Interpreter | T1059 | RAT enables arbitrary command execution on victim machines |
| Credential Access | T1555 | Compromised machines expose all stored credentials and API keys |
The Bigger Picture: AI Is Hacking Now
The OpenClaw report covered this. The core tension has not changed: usefulness requires access, and access creates risk. The more an AI agent can do for you, the more damage it can do if someone compromises it. What has changed in the two months since that report is the speed at which offensive AI is maturing.
In June 2025, an AI company called XBOW took the number one spot on HackerOne's US leaderboard. Not by finding a few bugs. By submitting over 1,000 new, real vulnerabilities in production systems within a few months. An AI, not a human, at the top of the most respected bug bounty platform in the world.
In August, seven teams competing in DARPA's AI Cyber Challenge collectively found 54 new vulnerabilities in a target system. In four hours of compute time. Not four hours of human effort. Four hours of machines running.
Google's Big Sleep AI found dozens of new vulnerabilities in open-source projects on its own. Ukraine's CERT discovered Russian malware that uses an LLM to automate its own reconnaissance and data theft. A Chinese AI pentesting tool called Villager fully automates attack chains from recon through exploitation using the DeepSeek model. And researchers have shown that AI systems can reproduce hundreds of known vulnerabilities just from public information.
Security experts are now predicting that by mid-2026, at least one major enterprise will be breached by a fully autonomous AI system. No human hacker driving it. Just agents finding weaknesses, writing exploits, and moving through networks at machine speed.
That prediction does not feel early. It feels late.
Why These Three Incidents Together Are Worse Than Any One Alone
Each of these incidents is bad on its own. Together, they form a compound threat that most people are underestimating.
The Mythos leak confirms that AI models are getting dramatically better at finding and exploiting vulnerabilities. Anthropic said so themselves. This isn't speculation.
The Claude Code leak gives attackers a production-grade reference implementation for building agentic systems. Tool orchestration, permission models, multi-agent coordination, memory management. All documented, all available, all free. Anyone building offensive AI tools just got handed a working example of how to make an agent that plans, executes, and persists across sessions.
The axios attack proves that the software supply chain these tools depend on can be compromised at the dependency level. You do not need to hack the tool. You hack what the tool installs, and the tool delivers the payload for you.
Put those three together and the picture gets uncomfortable. The models are getting more capable at offense. The architecture for weaponizing that capability just leaked. And the distribution channel is vulnerable to injection.
For business owners and security teams, the takeaway is not that Anthropic is bad at security. It is that the entire AI tooling space, the tools, the infrastructure, the supply chains, is moving faster than the defenses around it. If the company that literally brands itself around AI safety can have a week like this, nobody gets to assume they are covered.
So What Does This Mean For Your Business
Here is the plain version. No frameworks. No jargon. Just what business owners need to understand.
If your business uses AI tools, and at this point most do, you now have a new category of risk that did not exist two years ago. It is not just about whether your website is secure or your passwords are strong. It is about whether the AI tools you gave access to your email, your files, your code, your customer data, are themselves secure. And whether the software they depend on is safe to install.
Most businesses Grounded Guardian talks to have never asked that question. They installed the AI tool, gave it the permissions it asked for, and moved on. That is the equivalent of hiring someone, giving them the keys to the building, and never checking their references.
The free scan at isitsafe.pro checks the basics. Headers, configurations, exposed files, SSL, security misconfigurations. It runs in 30 seconds and it is free because everyone should at least know where they stand. The AI agent risk requires a deeper conversation. That is what the security checkup is for.
Grounded Scan exists because the same pattern keeps showing up. Business owners who genuinely care about doing things right, but who have no visibility into what is actually exposed. The goal is not to scare anyone into buying something. The goal is to make the invisible visible so owners can make informed decisions.
What To Do About It
This Week
- Check your npm lockfiles for compromised axios versions. If you or your developer used npm on March 31, this is not optional.
- If you use Claude Code via npm, switch to the native installer. Anthropic recommends it now. The binary does not depend on npm's supply chain.
- Rotate API keys and tokens on any machine that ran npm install during the exposure window.
- Run a scan at isitsafe.pro. It is free. Know what is exposed before someone else finds it.
This Month
- Audit what permissions your AI tools actually have. Most are over-permissioned because that was the default during setup.
- Start tracking your software dependencies. If you do not know what your tools install when they update, you cannot know when something malicious slips in.
- Talk to your team about AI tool usage. Shadow AI, meaning employees using AI tools that IT does not know about, is a real and growing problem.
This Quarter
- Get a proper AI agent security assessment. Not a checkbox compliance audit. A real evaluation of what your agents can access, how they handle data, and where the boundaries are.
- Treat your AI agents as identities. They need managed credentials, monitored behavior, and scoped permissions. Just like a new employee would.
- Move from annual penetration tests to continuous monitoring. When attacks move at machine speed, a test you ran six months ago tells you almost nothing about today.
Connecting the Thread
TIR-2026-001 said OpenClaw was not the problem. It was the preview. Every major tech company was racing to ship autonomous AI agents, and the core tension between usefulness and risk would play out the same way regardless of the specific tool.
That was February. This is April. Anthropic just proved the point.
The next report will probably be about a different company and a different tool. The pattern will be the same. Access creates risk. Speed outpaces defense. Basic mistakes cause catastrophic exposure.
Grounded Guardian will keep publishing these reports because someone needs to. If you are reading this and thinking about your own business, your own tools, your own exposure, that is exactly the right instinct. The question is not whether AI-driven threats will reach your door. The question is whether you will see them coming.
References
- Ravie Lakshmanan, "Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms," The Hacker News, April 1, 2026.
- Sam Sabin, "Anthropic leaked its own Claude source code," Axios, March 31, 2026.
- Dan Goodin, "Anthropic accidentally exposes Claude Code source code," The Register, March 31, 2026.
- Kyle Wiggers, "Claude Code's source code appears to have leaked," VentureBeat, March 31, 2026.
- Jeremy Kahn, "Anthropic leaks its own AI coding tool's source code," Fortune, March 31, 2026.
- Jordan Novet, "Anthropic leaks part of Claude Code's internal source code," CNBC, March 31, 2026.
- Varshith V Hegde, "The Great Claude Code Leak of 2026," DEV Community, March 31, 2026.
- Alex Kim, "The Claude Code Source Leak: fake tools, frustration regexes, undercover mode," alex000kim.com, March 31, 2026.
- Ernestas Naprys, "Full source code for Anthropic's Claude Code leaks," Cybernews, March 31, 2026.
- Jeremy Kahn, "Exclusive: Anthropic 'Mythos' AI model revealed in data leak," Fortune, March 26, 2026.
- "What is Anthropic's Mythos?," Euronews, March 30, 2026.
- Eoin Higgins, "Anthropic leak reveals cybersecurity danger and potential of new model," IT Brew, March 31, 2026.
- Lucian Constantin, "Leak reveals Anthropic's Mythos," CSO Online, March 29, 2026.
- Bruce Schneier, "Autonomous AI hacking and the future of cybersecurity," CSO Online, October 2025.
- "Cyber Insights 2026: Malware and Cyberattacks in the Age of AI," SecurityWeek, February 2026.
- "Securing AI agents: the defining cybersecurity challenge of 2026," Bessemer Venture Partners, March 2026.
- "Cybersecurity in 2026: Agentic AI, Cloud Chaos, and the Human Factor," Proofpoint, March 2026.
- "AI Agents Hacking in 2026: Defending the New Execution Boundary," Penligent, February 2026.
- "AI Swarm Attacks: What Security Teams Need to Know in 2026," Kiteworks, January 2026.
Protect Your Business
Not sure how AI agents and tools affect your security? Grounded Guardian runs SMB security checkups: 60 minutes, personalized risk report, actionable plan.