Fortune published a pointed analysis on 31 March 2026 framing the Claude Code source code leak as Anthropic's second major security lapse in just five days. The first incident, reported exclusively by Fortune on 26 March, saw close to 3,000 unpublished files exposed through a misconfigured content management system — including the draft blog post revealing Claude Mythos, the most powerful AI model Anthropic has ever built.
The second leak followed on 31 March when a source map file left in the npm registry exposed Claude Code's entire 512,000-line TypeScript codebase. While Anthropic described both incidents as human error rather than security breaches, Fortune noted the pattern raises questions about operational discipline at a company now valued at over $60 billion and handling some of the most sensitive AI technology in the world.
The timing is particularly awkward given that the Mythos leak itself described unprecedented cybersecurity capabilities — a model that can discover and exploit software vulnerabilities faster than human defenders. An AI safety company that cannot secure its own publishing pipeline faces obvious credibility questions, even if no customer data was compromised in either incident.
For the broader AI industry, the back-to-back leaks highlight a tension that every fast-moving AI company faces: shipping at breakneck speed versus maintaining the operational security that enterprise customers expect. Anthropic's engineering velocity in March 2026 was extraordinary — 14+ product launches — but the security lapses suggest the pace may have outrun the company's release processes.
