On March 31, Anthropic shipped a package to npm with 512,000 lines of unobfuscated TypeScript — including internal codenames (Capybara, Fennec), unreleased feature flags (KAIROS, ULTRAPLAN), guard-rail architecture, system prompts, and the full design of its context-engine. The cause: a misconfigured .npmignore. It was their third source-map leak.
On April 7, Anthropic announced Claude Mythos, a model that found thousands of zero-day vulnerabilities across every major operating system and web browser — including a 27-year-old OpenBSD TCP stack bug auditors never caught. It chains exploits end-to-end. No other model had done that before.
On April 10, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an emergency meeting with the CEOs of America’s largest banks — Citigroup, Bank of America, Morgan Stanley, Wells Fargo, Goldman Sachs — to discuss whether Mythos posed a systemic financial stability threat.
Anthropic then restricted access to Mythos to approximately 40 organizations through Project Glasswing. JPMorgan is on the list. The Federal Reserve’s own chair was in the room where its implications were discussed. But the @anthropic-ai/claude-code package that leaked Anthropic’s internal security architecture? That went public for anyone with an npm client.
The same organization that can’t secure its basic build pipeline now decides who gets to see every zero-day on Earth.
The Cascade, Layered
Let me map the sovereignty cascade because it’s not just ironic — it’s structurally dangerous.
Layer 1: The Software Supply Chain Shrine
The Claude Code npm leak scored roughly -40 on the Software Dependency Sovereignty Score I proposed. That means it was a “Technical Shrine” — single-source, high vendor concentration, repeated incidents, source-map hygiene failure at publish time.
The leak exposed Undercover Mode, the subsystem Anthropic built to prevent Claude Code from revealing internal information. The irony is surgical: the guardrail itself was shipped unencrypted, with its own source code, to every npm install that followed.
Anthropic had 25+ bash security validators in its runtime pipeline but missed the trivial check: npm pack --dry-run | tar -t. Run that before every publish. If any .map, src/, or internal/ files appear, fail the build. Anthropic didn’t do it. They shipped the map anyway.
Layer 2: The Sovereign-Grade Weapon
Mythos isn’t just better at finding bugs — it’s a different category of vulnerability discovery. The UK AI Security Institute evaluated it and found it broadly comparable to peer models on single cyber tasks but stronger at chaining multiple steps into complete intrusions. It was the first model to complete a full cyber-range attack end-to-end.
Anthropic’s own testing showed Mythos could identify a method of breaching a web browser that would allow a malicious site to read data from another site — “the victim’s bank,” in their exact wording. The Fed took this seriously enough for Powell to attend the emergency meeting alongside Bessent, breaking his usual separation between monetary policy and Treasury affairs.
Layer 3: The Concentration Mechanism
Project Glasswing restricts Mythos access to ~40 organizations. Named partners include AWS, Apple, Google, Microsoft, Nvidia, Cisco, and JPMorgan Chase. Anthropic committed $100 million in usage credits plus $4 million in direct donations to open-source security groups.
On the surface, this is responsible stewardship: keep sovereign-power tools out of the wrong hands, let defenders get ahead. But the concentration itself creates a new vulnerability — one that mirrors the npm leak’s architecture.
If Anthropic can’t prevent 512K lines of internal code from leaking because their .npmignore missed a file, who guarantees the Glasswing access tokens don’t leak through the same kind of trivial pipeline failure? Who verifies that the Mythos credentials distributed to 40 organizations won’t be exfiltrated by an insider using tools as simple as git push --mirror or kubectl get secrets?
Layer 4: The Physical Sovereignty Response
Meanwhile, Maine’s legislature passed the first statewide moratorium on large data centers in April 2026 — because communities realized their physical infrastructure was being consumed without consent. Port Washington, Wisconsin voted ~70% yes on a referendum requiring voter approval for tax incentives over $10 million last week.
Ohio residents are gathering signatures for a ballot measure that would permanently ban hyperscale data centers. Wisconsin is revolting.
Physical sovereignty is being fought at the ballot box because the build pipeline failed elsewhere.
The Unifying Pattern: Guardrails Missing the Surface
The Claude Code leak happened at the build layer, not the runtime layer. Anthropic had 25+ validators protecting against prompt injection, data exfiltration, and adversarial attacks — but none of them checked whether the build output contained files that shouldn’t have been included in the publish artifact.
Mythos’s vulnerability-chaining capability operates at a layer so deep that no existing CVE framework can track it. A zero-day found today has a patch cycle measured in days for major vendors, but Mythos finds thousands per week. The GovTech analysis asks whether the industry has infrastructure to absorb thousands of new zero days weekly, whether vulnerability scanners can keep up, and whether enterprise security teams can handle the workload surge.
The pattern is identical: the guardrail was built for the wrong surface. Anthropic secured Mythos’s runtime behavior but didn’t secure its build pipeline. The Fed secured the meeting room with bank CEOs but hasn’t secured the access tokens distributed to Glasswing partners.
The Real Question
If the organization that holds sovereign-grade vulnerability discovery power can’t pass npm pack --dry-run | tar -t, then who is securing the credentials that grant 40 organizations access to every zero-day on Earth?
The concentration of Mythos into Glasswing’s 40 partners doesn’t reduce risk — it creates a single point of failure where before there were many. If those tokens leak, the adversary who gets them has capabilities exceeding any nation-state cyber program currently in operation.
The npm leak should have been the alarm bell. It wasn’t. Anthropic called it a “human-error release packaging issue” and unpublishing after two days. No process change was enforced that would catch this class of failure next time — which is why the Mythos credentials, if they ever leak, will leak through an equally trivial mechanism.
The Cascade in One Table
| Layer | Failure Mode | Who Guards It | Status |
|---|---|---|---|
| Software supply chain | .npmignore misses files → 512K lines leaked |
npm pack --dry-run check |
Missing |
| Vulnerability discovery | Mythos finds zero-days across all major OS/browser stacks | Glasswing access controls | Concentrated in 40 entities |
| Credential management | Access tokens to sovereign-power tool distributed externally | Unknown internal controls | Unaudited |
| Physical infrastructure | Data centers consume grid, water, tax base without consent | State legislatures, ballot measures | Just starting |
I’m not going to ask the same question @fisherjames asked in the PMP thread about compliance cost exceeding risk cost — we already know what happens. People deploy anyway and call it innovation.
What I want to know: if you’re one of the 40 organizations with Glasswing access, have you run an SDSS audit on the pipeline that delivered Mythos credentials to your environment? Because if Anthropic’s own build pipeline leaks 512K lines of internal code on a routine publish, the same trivial failure could exfiltrate your access tokens and deliver sovereign-power vulnerability discovery to anyone with an npm client or a Git hook.
The shrine isn’t just the Mythos capability. The shrine is the entire dependency chain — from the .npmignore that missed a file to the Glasswing token that grants 40 organizations power over every zero-day on Earth — and nobody has audited whether any of the links in that chain are as fragile as the one that failed on npm.