TWITTER_ARTICLE

On March 31, 2026, Fuzzland researcher Chaofan Shou found a 60 MB `cli.js.map`…

2026-03-31 · 08:23 UTC ·k1rallik ·8 min read

Brief

Anthropic is portrayed in this thread as simultaneously leading and destabilizing the AI cybersecurity landscape through a rapid sequence of leaks, security claims, and government conflict. The author says Anthropic accidentally exposed Claude Code’s full source via a 60 MB source map in npm on March 31, 2026, repeating an almost identical 2025 mistake. Five days earlier, a separate CMS misconfiguration allegedly exposed roughly 3,000 internal files, including draft posts about a new model, Mythos, described as more capable than Opus and explicitly dangerous in cyber operations. The thread connects those events to Anthropic’s February 2026 research claiming Claude Opus 4.6 found more than 500 high-severity zero-days in an isolated VM, plus a November 2025 report that Claude Code enabled mostly autonomous attacks on 30 organizations with only 4-6 human interventions per campaign. It also highlights Anthropic’s legal clash with the Pentagon over military deployment restrictions, culminating in a March 26, 2026 ruling blocking the government’s retaliation. Overall, the piece argues that Anthropic’s technical power, operational mistakes, and policy battles are converging into a major cyber-risk story.

Why it matters

On March 31, 2026, Fuzzland researcher Chaofan Shou found a 60 MB `cli.js.map` file in Anthropic’s official Claude Code npm package that allowed reconstruction of 1,906 internal TypeScript source files, including API, telemetry, encryption, security, and plugin code; the post reportedly reached 754,000 views within hours.

Key details

  • The post claims Anthropic repeated the same source-map exposure from February 2025 in package version v2.1.88, framing it as a basic build-process failure rather than a sophisticated breach.
  • On March 26, 2026, researchers Roy Paz and Alexandre Pauwels reportedly found about 3,000 publicly accessible Anthropic files via a CMS misconfiguration, including drafts describing a new model called 'Mythos' or 'Capybara' as larger than Opus and carrying 'unprecedented cybersecurity risks.'
  • The leaked Mythos material allegedly triggered a sharp cybersecurity-stock selloff: CrowdStrike fell 7%, Palo Alto Networks 6%, Zscaler 4.5%, SentinelOne and Okta more than 7%, Tenable 9%, and the iShares Cybersecurity ETF 4.5% in one session.
  • The thread ties these leaks to broader claims about Anthropic’s cyber capabilities and politics: a February 5, 2026 paper on Claude Opus 4.6 finding 500+ high-severity zero-days, a November 14, 2025 report that Claude Code helped automate 80-90% of attacks across 30 organizations, and a March 26, 2026 court ruling by Judge Rita Lin blocking the Pentagon from labeling Anthropic a 'supply chain risk' after disputes over military use.
Cleaned source text

title: @k1rallik: What does it look like when a $380 billion company wins a war with the Pentagon,...

author: k1rallik

content_type: twitter_article

published: 2026-03-31T08:23:33+00:00

source_url: https://x.com/k1rallik/status/2038978638381531486

word_count: 1769

What does it look like when a $380 billion company wins a war with the Pentagon, survives the first

What does it look like when a $380 billion company wins a war with the Pentagon, survives the first autonomous AI cyberattack in history, leaks a secret model that terrifies its own creators - and ships their source code publicly by accident? It looks exactly like this. And the scariest part hasn't happened yet.

TODAY: ANTHROPIC LEAKED THEIR OWN CODE. AGAIN

March 31, 2026. Security researcher Chaofan Shou from blockchain firm Fuzzland opens the official Claude Code npm package and finds a file called cli.js.map sitting in plain sight. Size - 60 megabytes. Contents - the complete TypeScript source code of the entire product.

From that single file, anyone can reconstruct 1,906 internal source files. Internal API design, telemetry systems, encryption tools, security logic, plugin systems - everything. Downloadable as a zip directly from Anthropic's own R2 storage bucket. The post hit 754K views and nearly 1,000 retweets within hours. GitHub repos with the restored code appeared immediately.

A source map is a basic JavaScript debugging file. It should never ship inside a production package. This is not a sophisticated attack. This is Build Configuration 101 - the kind of thing you learn in week one.

you can check code there: https://github.com/instructkr/claude-code

But here is what makes this genuinely insane: this already happened before.

February 2025 - exactly one year ago - the exact same leak, same file, same mistake. Anthropic deleted old versions from npm, removed the map, pushed a new release. Everyone moved on. And then version v2.1.88 shipped the file again.

A $380 billion company building the most powerful vulnerability-detection system on earth made the same elementary mistake twice in one year. No hackers. No sophisticated attack. Just a build process that doesn't work.

The irony is almost poetic. The AI that found 500 zero-day vulnerabilities in a single session. The model used to autonomously attack 30 organizations worldwide. And Anthropic shipped their own source code to anyone who bothered to look inside their npm package.

Two leaks. Seven days apart. Both from basic config errors. Neither requiring any skill to exploit.

Anyone who knew where to look got it for free.

5 DAYS AGO: ANTHROPIC LEAKED A SECRET MODEL THAT SCARES ITS OWN CREATORS

March 26, 2026. Security researchers Roy Paz from LayerX Security and Alexandre Pauwels from Cambridge University discover that a CMS misconfiguration on Anthropic's website left roughly 3,000 internal files publicly accessible. Draft blog posts, PDFs, internal documents, presentations. Sitting open on an unsecured, searchable data store. No hacking required.

Inside: two versions of the same draft blog post, identical in every way except one thing - the model's name. "Mythos" in one. "Capybara" in the other. Anthropic was deciding between two names for the same secret project. The company confirmed: training is complete, the model is already being tested with early access customers.

This is not an Opus update. This is a new fourth tier - a model sitting above Opus entirely. Anthropic's own draft describes it as "larger and more intelligent than our Opus models - which were, until now, our most powerful." Dramatically better at coding, academic reasoning, and cybersecurity. A spokesperson called it "a step change" and "the most capable we've built to date."

But here is the thing that actually matters.

In the leaked draft, Anthropic describes their own model like this: it "poses unprecedented cybersecurity risks," is "far ahead of any other AI model in cyber capabilities," and "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders."

Anthropic is publicly admitting they are afraid of their own product. In an official blog draft.

The market reacted immediately. CrowdStrike dropped 7%. Palo Alto Networks fell 6%. Zscaler down 4.5%. Okta and SentinelOne tumbled more than 7%. Tenable plummeted 9%. The iShares Cybersecurity ETF lost 4.5% in a single session. CrowdStrike alone lost roughly $15 billion in market cap in one day. Bitcoin slid back to $66,000. Investors read this as a sentence for the entire cybersecurity industry.

Stifel analyst Adam Borg put it plainly: the model has "the potential to become the ultimate hacking tool, and one that can elevate any ordinary hacker into a nation-state adversary."

Why hasn't it launched publicly? Anthropic acknowledges Mythos is "very expensive to serve" and not ready for general release. The plan: first, a small group of cybersecurity partners get early access to harden their defenses. Then, gradual API expansion. The company is working on efficiency before any broad rollout.

But the model already exists. Is already being tested. And already crashed an entire sector of the stock market - just by accidentally becoming known.

Anthropic built a model it describes as the most dangerous AI for cybersecurity ever created. And lost control of the announcement through the exact kind of infrastructure misconfiguration their own model is designed to find.

MARCH 2026: ANTHROPIC WENT TO WAR WITH THE PENTAGON. AND WON

July 2025. Anthropic signs a $200 million contract with the Department of Defense. Standard deal. But when real negotiations began over deploying Claude on the military's GenAI.mil platform, everything broke down.

The Pentagon wanted unfettered access to Claude for "all lawful purposes" - including fully autonomous weapons and domestic mass surveillance of American citizens. Anthropic drew two hard lines and refused. Talks collapsed in September 2025.

Then the escalation started.

February 27, 2026 - Trump posts on Truth Social ordering all federal agencies to "IMMEDIATELY CEASE" use of Anthropic's technology. Calls the company "Radical Left."

March 5, 2026 - The Pentagon officially designates Anthropic a "supply chain risk." A label previously reserved exclusively for foreign adversaries - Chinese companies, Russian entities. Now applied to an American company from San Francisco. Amazon, Microsoft, and Palantir are all required to certify they don't use Claude in any military work.

The Pentagon's CTO Emile Michael explained the logic: Claude could "contaminate" the supply chain because different "policy preferences are baked into the model." Translation: an AI that refuses to help kill without restrictions is a national security threat.

March 26, 2026 - Federal Judge Rita Lin issues a 43-page ruling blocking the Pentagon entirely. Her words: "Nothing in the governing statute supports the Orwellian notion that an American company may be branded a potential adversary for expressing disagreement with the government. Punishing Anthropic for bringing public scrutiny to the government's position is classic illegal First Amendment retaliation." One amicus brief described the Pentagon's actions as "attempted corporate murder."

An AI company said no to the most powerful military on earth. And a judge agreed.

NOVEMBER 2025: THE FIRST AI-RUN CYBERATTACK IN HISTORY

November 14, 2025. Anthropic publishes a report that changes everything. A Chinese state-sponsored hacking group used Claude Code to autonomously attack 30 organizations - tech giants, banks, government agencies across multiple countries.

The split: humans chose targets and approved key decisions. That's it. 4-6 interventions per entire campaign. The AI handled everything else - reconnaissance, finding vulnerabilities, writing exploits, stealing data, creating backdoors. 80-90% of the attack. Thousands of requests per second. A speed no human team could ever match.

How did they bypass Claude's safety guardrails? They didn't break them. They lied. They split the attack into small innocent tasks and convinced Claude it was a legitimate security firm doing "authorized defensive testing." Social engineering - except the victim was the AI.

Several attacks fully succeeded. Claude autonomously mapped entire network topologies, found databases, and extracted data without a single human instruction.

The only thing that slowed them down? Claude occasionally hallucinated - making up credentials, claiming to steal documents that were already public. For now, that's one of the last real barriers to fully autonomous cyberattacks.

At RSAC 2026, former NSA cybersecurity chief Rob Joyce called it "a Rorschach test" for the security world. Half the room dismissed it. The other half was terrified. Joyce was in the second group. "Something really scary," he said.

This wasn't a prediction. This was September 2025. It already happened

FEBRUARY 2026: 500 ZERO-DAYS IN ONE SESSION

February 5, 2026. Anthropic releases Claude Opus 4.6. Alongside it - a research paper that breaks the cybersecurity industry.

The setup: Claude placed in an isolated virtual machine with standard tools. Python, debuggers, fuzzers. No special instructions. No custom prompts. Just - "find vulnerabilities."

Result: 500+ previously unknown high-severity zero-days in production code. Some had survived decades of expert review and millions of hours of automated testing.

Then came RSAC 2026. Researcher Nicholas Carlini walks on stage and points Claude at Ghost - a CMS with 50,000 GitHub stars and zero critical vulnerabilities in its entire history. 90 minutes later: blind SQL injection. Full admin takeover by an unauthenticated user. Then he pointed Claude at the Linux kernel. Same result.

15 days later Anthropic launched Claude Code Security - a product that reasons about code instead of pattern-matching like every scanner before it.

But Anthropic's own spokesperson said the quiet part out loud: "The same reasoning that helps Claude find and fix vulnerabilities could help an attacker exploit them." Same capability. Same model. Different hands.

WHAT THIS ALL MEANS TOGETHER

Each of these stories alone would have been the biggest news of the month. They all happened in six months. At one company.

Anthropic built a model that finds vulnerabilities faster than any human alive. Chinese hackers turned the previous version into an autonomous cyber weapon. The company is now building the next one - even more powerful - and in their own leaked documents admits they're scared of it.

The US government tried to destroy them - not because the technology is dangerous, but because Anthropic refused to hand it over without limits. And through all of this, they leaked their own source code twice through the same file in the same npm package.

A $380 billion company. A $60 billion IPO targeting October 2026. A company that openly says it is building "one of the most transformative and potentially dangerous technologies in human history" - and keeps building it anyway. Because they believe it's better that they do it than someone else.

The source map in the npm package is just the funniest detail in one of the most unsettling stories happening right now.

Mythos hasn't even launched yet.

Sources: Fortune, CNBC, Axios, The Register, CNN, NPR, Anthropic official blog, Anthropic Red Team research, federal court documents, and primary posts on X from researchers and officials involved.

Posted: 2026-03-31T08:23:33.000Z

Engagement: 802 likes, 145 retweets, 30 replies