Hi Dotikers!

A week ago, we covered the internal document leak at Anthropic, CMS files left publicly accessible that had exposed details about a never-before-announced model, Claude Mythos. That was embarrassing. What happened on March 31st is worse, and of an entirely different nature.

By publishing version 2.1.88 of its Claude Code command-line tool to the npm registry, Anthropic inadvertently bundled a nearly 60 MB source map file that pointed directly to a zip archive sitting on their own Cloudflare R2 infrastructure. No vulnerability to exploit. The file was just there, accessible to anyone who knew where to look. Security researcher Chaofan Shou was the first to spot it and make it public, triggering a wave of mirroring on GitHub within hours.

The exposed content covers approximately 512,000 lines of TypeScript across nearly 2,000 files: tool execution logic, permission schemas, memory systems, telemetry, system prompts, and feature flags for functionality not yet released. Among the most discussed findings: an "Undercover" mode designed to prevent the AI from leaking internal codenames into git commits, a background daemon called KAIROS that consolidates memory during idle time, and a terminal companion with 18 animal species including a capybara. There is a certain irony in Anthropic having built an entire subsystem to prevent internal information from leaking through its AI, only for someone to ship the entire source code alongside a routine update.

Some researchers suggest the likely cause is a known bug in Bun, the JavaScript runtime Anthropic acquired in late 2024, which serves source maps in production mode despite the tool's own documentation saying otherwise. The incident may therefore be more than a simple human error in the release pipeline ; it may be the product of an uncontrolled technical dependency.

What stands out here is not so much the leak itself as its timing. Two significant incidents in less than a week at a company that puts safety and reliability at the center of its commercial pitch. The blueprint for building a competitor to Claude Code is now considerably easier to assemble. DMCA takedowns are doing their job, but forks keep multiplying. For a company that sells trust, the bill is starting to add up.

Alex.

Viktor is an AI coworker that lives in Slack, right where your team already works.

Message Viktor like a teammate: "pull last quarter's revenue by channel," or "build a dashboard for our board meeting."

Viktor connects to your tools, does the work, and delivers the actual report, spreadsheet, or dashboard. Not a summary. The real thing.

There’s no new software to adopt and no one to train.

Most teams start with one task. Within a week, Viktor is handling half of their ops.

Add Viktor to Slack for free.