Weekly AI Dev News Digest: March 30 - April 3, 2026

On March 31, a misconfigured .map file in Claude Code's npm package pointed to a zip archive on Anthropic's Cloudflare R2 storage. The archive contained the full TypeScript source for Claude Code: ~1,900 files, 512,000 lines. Security researcher Chaofan Shou spotted it around 4 AM UTC. By breakfast, the repo had 25,000+ GitHub stars and was being forked faster than Anthropic could issue takedowns. ([The Register][1])

The leak was caused by a known Bun build bug (issue #28001) that had been open for 20 days. Anthropic acquired Bun at the end of 2025. Their own toolchain contributed to exposing their own product. No customer data or model weights were involved, but the architectural damage was done: competitors now had a free engineering education on how to build a production-grade AI coding agent. ([VentureBeat][2])

Within hours, developers on Reddit and X had mapped the entire codebase and catalogued 44 hidden feature flags. The discoveries read like a product roadmap Anthropic never intended to publish. ([Axios][38])

Anthropic responded by mass-filing DMCA takedown notices on GitHub. Then executives said the scope of the takedowns was itself accidental, and retracted most of them. For a company that built its brand on being careful, this was a rough week for the brand. ([TechCrunch][3])

And the timing was worse than anyone initially realized.

The Axios Collision

The same morning the Claude Code source leaked, a separate and unrelated attack compromised the axios npm package, one of the most widely used HTTP clients in JavaScript with ~100 million weekly downloads. Attackers published malicious versions (1.14.1 and 0.30.4) after compromising a maintainer account, injecting a fake dependency called plain-crypto-js that silently deployed a cross-platform remote access trojan. The attack window was roughly 2-3 hours (00:21 to ~03:20 UTC on March 31). ([Microsoft Security Blog][6])

Microsoft attributed the attack to Sapphire Sleet, a North Korean state actor. Google's threat intelligence group tracked it as UNC1069. The attacker pre-staged a clean decoy version of plain-crypto-js 18 hours earlier to build registry history. Three parallel RAT implementations, one each for Windows, macOS, and Linux, shared an identical C2 protocol. This wasn't opportunistic. It was planned. ([Elastic Security Labs][7])

The intersection with the Claude Code leak was the part that kept developers up: Claude Code depends on axios. Anyone who ran npm install during those overlapping hours to grab the leaked source, patch their tools, or just do normal development could have pulled in both a leaked codebase and a trojan. Two unrelated events, one compounding crisis.

And the axios compromise wasn't even isolated. LiteLLM, a popular AI proxy library on PyPI, was also hit as part of the broader "TeamPCP" campaign that compromised four widely used open-source projects between March 19-27, including the Trivy vulnerability scanner and KICS infrastructure-as-code scanner. (SANS)

The Mythos Shadow

The Claude Code leak landed on top of an already uncomfortable week for Anthropic. Days earlier, Fortune reported that ~3,000 unpublished documents had been left in a publicly searchable data store, including a draft blog post describing "Claude Mythos" as "by far the most powerful AI model we've ever developed." The post warned the model poses "unprecedented cybersecurity risks" and is "currently far ahead of any other AI model in cyber capabilities." (Fortune)

Anthropic confirmed the model exists and called it "a step change." Cybersecurity stocks including CrowdStrike, Palo Alto Networks, and Zscaler extended their selloffs. Axios reported Anthropic is privately warning government officials about Mythos-scale attacks in 2026. The model has no public release date and is reportedly too expensive to serve at scale.

The irony was hard to miss. The company warning the government about unprecedented cybersecurity risks couldn't keep its own blog drafts, source code, or DMCA notices from leaking.

DeepSeek added to the reliability narrative on March 30 with a 7+ hour global outage, its longest ever. No root cause was confirmed, but speculation centered on infrastructure prep for DeepSeek V4. For developers building on third-party AI services, it was another data point in the same argument. (STEMGeeks)

OpenAI closed $122 billion in committed capital on March 31, the largest private funding round in history. Post-money valuation: $852 billion. Amazon invested $50B ($35B contingent on IPO or AGI milestone). NVIDIA and SoftBank each put in $30B. For the first time, $3B came from retail investors via bank channels. ([OpenAI][8])

The numbers OpenAI shared read like a draft S-1: $2B/month in revenue, 900M weekly active users, 50M+ subscribers. The ads pilot hit $100M ARR in under six weeks. Enterprise now makes up 40% of revenue, on track for consumer parity by year-end. Codex serves 2M+ weekly users, up 5x in three months. APIs process 15 billion tokens per minute.

Two days later, OpenAI acquired TBPN, the Technology Business Programming Network, a daily live tech talk show hosted by John Coogan and Jordi Hays. The show has featured CEOs from Meta, Microsoft, and Salesforce, and is on track for $30M+ in ad revenue this year. TBPN will sit under OpenAI's strategy org reporting to Chris Lehane. OpenAI framed it as necessary because "the standard communications playbook just doesn't apply" to the company. ([TechCrunch][9])

OpenAI also shipped pay-as-you-go pricing for Codex on April 2. ChatGPT Business and Enterprise teams can now add Codex-only seats with per-token billing, no fixed seat fee, no rate limits. Annual Business pricing dropped from $25 to $20/seat/month. (OpenAI)

But the secondary market told a different story this week. Reports surfaced that OpenAI demand is cooling while Anthropic shares are "running hot." A viral "OpenAI Graveyard" post cataloged the company's unfulfilled product promises, including the shelved Sora video tool. The $122B round is massive, but not everyone is buying the narrative at face value. (Hacker News)

Oracle: 25,000 Jobs for Data Centers

Oracle began its largest layoff in company history on March 31. Employees received 6 AM termination emails with no prior warning from managers. TD Cowen estimates 20,000-30,000 workers affected, roughly 18% of Oracle's workforce. Revenue and Health Sciences and SaaS/Virtual Operations Services were both reportedly cut 30%+. (CNBC)

The layoffs are expected to free up $8-10B in cash flow for AI data center buildout. Oracle has taken on $58B in new debt in the past two months and its stock is down ~30% this year. But the company posted a 95% jump in net income last quarter ($6.13B). This is cost-reallocation, not distress. Oracle is betting that AI infrastructure is worth more than the people it currently employs. That is a sentence worth sitting with.

While the security stories grabbed headlines, the week's most consequential developments were arguably quieter: the agentic developer stack stopped being experimental and started becoming infrastructure.

The first MCP Dev Summit ran April 2-3 in New York City. The Agentic AI Foundation (Linux Foundation) organized 95+ sessions from MCP co-creators, maintainers, and production deployers. MCP now has 97 million+ monthly SDK downloads across Python and TypeScript. The AAIF has 146 members including AWS, Anthropic, Google, Microsoft, and OpenAI. This is no longer a side project. ([Linux Foundation][14])

The Agent-to-Agent (A2A) protocol hit v1.0 at the summit, shipping gRPC transport, multi-tenancy support, and signed "Agent Cards" for cryptographic identity verification between autonomous agents. If MCP defines how agents talk to tools, A2A defines how agents talk to each other. Both are now production-ready. ([DEV Community][15])

The tooling reflected the same shift:

• Cursor 3 launched with an "Agents Window" on April 2, running multiple parallel AI coding agents (local, cloud, SSH, worktrees) simultaneously. The interface is explicitly an orchestrator, not an assistant. (Cursor)
• Claude Code shipped "Auto Mode" and "Dispatch." Auto Mode handles development tasks fully autonomously (disabled by default for enterprise). Dispatch lets Claude interact directly with macOS interfaces, point and click. Both launched into reliability headwinds as Opus 4.6 hit availability issues. (LinkedIn)
• Google released Agent Development Kit (ADK) for Java 1.0.0 on March 30, with structured tool-calling, memory, and orchestration for production Java backends. (Google Developers Blog)
• Claw Code hit 72k GitHub stars in days after launching April 2 as a clean-room Python + Rust agent framework inspired by the Claude Code leak. Positioned as an auditable foundation for agent runtimes. (Hacker News)
• OpenAI released a Codex plugin for Claude Code (openai/codex-plugin-cc), bringing Codex into Claude Code workflows for review and task delegation. Competitors building plugins for each other's tools signals the market is fragmenting into interoperable layers, not walled gardens. (Future Tools)
• Zhipu AI shipped GLM-5V-Turbo, a multimodal vision-to-code model for turning mockups and screenshots into code. A rare non-Western frontier release gaining developer traction. (Hacker News)

Models Are Getting Smaller and More Open

Google shipped Gemma 4 on April 2. Four model sizes from edge (E2B, under 1.5GB) to dense (31B, 256K context). All multimodal. Built from the same research as Gemini 3. The Apache 2.0 license is the headline: it removes restrictions from previous Gemma terms that blocked enterprise deployments. Hugging Face co-founder Clément Delangue called it "a huge milestone." The edge models are 4x faster than Gemma 3 and use 60% less battery, forming the foundation for Gemini Nano 4 on Android later this year. (Google DeepMind)

PrismML emerged from stealth the same day with 1-bit Bonsai, the first commercially viable 1-bit LLM. The 8B model fits in 1.15GB (14x smaller than standard), runs 8x faster, uses 4-5x less energy, and is a native 1-bit architecture trained from scratch, not post-training quantization. On r/LocalLLaMA, it scored 73.3% on the Berkeley Function Calling Leaderboard. Interestingly, the FP16 version performed worse at tool use, suggesting the 1-bit design is essential to its characteristics. Caveat: Q1_0_g128 requires a GPU. CPU inference produces garbage. Apache 2.0. $16.25M from Khosla Ventures. (PrismML)

Ollama 0.19 (March 30) switched to Apple's MLX framework on Macs, roughly doubling generation speed. The timing matters more than the benchmarks. OpenClaw's explosion past 300k stars and growing developer frustration with rate limits and subscription costs have pushed local model experimentation well beyond the hobbyist crowd. The preview supports only Qwen3.5 35B (requires 32GB+ RAM), but for coding tasks and privacy-sensitive workflows, the gap between local and frontier is narrowing. (Ollama)

Intel added to the local inference momentum with leaked specs for a $949 GPU with 32GB VRAM targeting the local AI community. At that price and VRAM, it would comfortably run Bonsai-8B and quantized larger models that currently need expensive NVIDIA hardware. (Reddit)

Google also released a 200M-parameter time-series foundation model with a 16K context window for forecasting and anomaly detection (Hacker News), and Trinity Large Thinking launched on OpenRouter as a new reasoning model option (Hacker News).