Anthropic and Mercor leaks

Anthropic’s leaked package was the @anthropic‑ai/claude‑code npm release v2.1.88, which included a 59.8MB JavaScript source‑map that reconstructed original source files. (techspot.com) Researchers and reporters reconstructed roughly 512,000 lines of internal code from that package and identified orchestration logic, OAuth flows and 44 hidden feature flags in the exposed files. (thehackernews.com) Anthropic described the incident as a human packaging error rather than an external breach and stated no customer data or credentials were exposed while announcing internal mitigation steps. (businessinsider.com) Mercor confirmed it was hit via a supply‑chain compromise tied to the LiteLLM project after Lapsus$ posted claims it exfiltrated about 4TB of data, including ~939GB of source code, a ~211GB user database, and nearly 3TB of uploaded interview/KYC files. (cybernews.com) Public reporting ties the Mercor intrusion to a backdoored LiteLLM distribution and to the theft of VPN credentials that reportedly allowed lateral access; security firms flagged the incident as a supply‑chain vector rather than a single‑server exploit. (securityweek.com) A Stanford‑led scan of 10 million webpages found 1,748 distinct API credentials across nearly 10,000 pages that included valid keys for services such as AWS, GitHub, Stripe and OpenAI, creating direct cloud‑access risk for any org with exposed keys. (arxiv.org)