Anthropic published a safety charter. Then it leaked its own source code. Twice in two weeks.
The latest incident, confirmed Tuesday: approximately 500,000 lines of code across nearly 2,000 files from Claude Code — Anthropic's AI-powered coding assistant — were accidentally published to the npm registry and quickly copied to GitHub. A security researcher flagged it on X; the post reached 29 million views within hours. A rewritten version of the code became GitHub's fastest-ever downloaded repository. Anthropic issued copyright takedown requests to contain the spread. "No sensitive customer data or credentials were involved or exposed," a spokesperson told Axios. "This was a release packaging issue caused by human error, not a security breach."
It is the second data incident in recent weeks. Fortune previously reported that Anthropic was storing thousands of internal files on publicly accessible systems — including a draft blog post revealing an upcoming model called Mythos — before anyone intended to announce it. That earlier leak is what put Mythos into public view ahead of schedule. The source code leak is the second time internal material has escaped in the same period.
What the code revealed is more interesting than the leak itself. Independent developers poring through the archive — Ars Technica documented the findings — found references to disabled, hidden, or unreleased features that provide a genuine peek into Anthropic's roadmap. The most significant is Kairos: a persistent daemon designed to operate in the background even when the Claude Code terminal is closed. It uses periodic "<tick>" prompts to regularly assess whether new actions are needed, and a "PROACTIVE" flag for surfacing information "the user hasn't asked for and needs to see now." The system would maintain a file-based memory across user sessions to preserve context between sessions.
There is also AutoDream: a memory consolidation process that runs when a user goes idle or manually tells Claude Code to sleep. The system prompts Claude to scan the day's transcripts for new information worth keeping, consolidate near-duplicates, resolve contradictions, and prune outdated memories. The goal, per the internal prompt: "synthesize what you've learned recently into durable, well-organized memories so that future sessions can orient quickly."
These are not shipped features. They are disabled flags and unreleased code. But they reveal something about the direction Anthropic is moving: toward persistent, always-on coding assistants that maintain memory across sessions and surface proactive suggestions. The Tamagotchi analogy — which appeared in several outlet headlines — is not entirely unfair for the always-on, memory-persistent version. Whether that is a direction users want, or a direction Anthropic should be moving given its own public warnings about autonomous agents, is a different question.
The competitive implications are real. The Wall Street Journal reported that the leak included commercially sensitive information about how Anthropic's AI models work as coding agents. Competitors now have an unusually detailed look at Claude Code's internal architecture. That is a meaningful cost for a company that has built part of its identity on being the safety-conscious alternative.
Anthropic is simultaneously fighting a federal designation as a supply chain risk. The US government designated the company as a supply chain risk in March; Anthropic is contesting that designation in court. Last week a judge granted a temporary injunction blocking the designation. The company is in an awkward position: arguing to the Pentagon that it is trustworthy enough to be a defense contractor while having twice in two weeks exposed internal material that its customers and the public were not supposed to see.
The pattern does not inspire confidence in internal security practices. It does not, by itself, prove anything about AI safety. But for a company that has made safety its primary selling point, the gap between the public posture and the operational reality is getting harder to explain away.
The Guardian, Axios, Fortune, Ars Technica, and The Hacker News covered the incident. Chaofan Shou's X post is the primary social signal. Anthropic's official confirmation came via Axios.
