Check the Basement: A Scooby-Doo Guide to Anthropic's Worst Week
🚨 BREAKING: Anthropic Accidentally Releases Sentient Tamagotchi, Blames Human Error (As Usual)
Posted on The Cynical Nerd – April 1, 2026
Look, we don't do breaking news here. This is not a news platform. We exist to roast AI trends with citations and a healthy amount of contempt for hype cycles. We usually let the dust settle, wait for the think-pieces to pile up, and then descend like a vulture with a keyboard.
But it is April 1st, 2026, and the AI industry just pulled off the most chaotic misdirection since Ocean's Eleven, except nobody planned it, everyone got GOT, and one of the prizes was a Tamagotchi.
Consider this our April Fools post. Except we didn't write the joke. The npm registry did. We're just here to read it out loud.
EXCLUSIVE SCOOP: We have obtained information suggesting that Anthropic's entire "responsible AI" branding is actually a 47-slide PowerPoint made by an intern in 2021 and nobody has updated it since.
...okay, that part is our April Fools joke. We promise. The rest of this post is entirely real.
Which is somehow worse.
The Setup: A Company That Builds Safeguards For Everything Except Its Own npm Pipeline
Let me set the scene. It's March 31, 2026. Anthropic – the company famously founded on the premise that AI is potentially dangerous and must be handled with extreme care – has just published version 2.1.88 of Claude Code to the public npm registry.
Included in the package: a 59.8 MB JavaScript source map file containing 512,000+ lines of their internal source code. Every tool call, every orchestration trick, every anti-distillation hack, every embarrassing 3,167-line function nested 12 levels deep.
The culprit? They forgot to add one line to .npmignore.
A file. One line. The digital equivalent of leaving your diary on the subway and being surprised someone read it.
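For the defenders in the audience, here is a pre-publish gate that catches this class of mistake. It is an added example, not code from Anthropic or from the original post; the rule set, the 5 MB budget, the sample manifest and the `check-pack.js` filename are assumptions, and the input is the JSON array that `npm pack --dry-run --json` prints.

```javascript
// Added example: gate a publish on the file list npm is about to ship.
// Input shape: the array printed by `npm pack --dry-run --json`.

// Assumed policy, tune per project.
const RULES = [
  { reason: "source map", test: (f) => /\.map$/i.test(f.path) },
  { reason: "raw source tree", test: (f) => /^src\//.test(f.path) },
  { reason: "oversized file", test: (f) => f.size > 5 * 1024 * 1024 },
];

// Returns one finding per offending file (first matching rule wins).
function auditPackManifest(packJson) {
  const findings = [];
  for (const pkg of packJson) {
    for (const file of pkg.files || []) {
      const hit = RULES.find((rule) => rule.test(file));
      if (hit) findings.push({ path: file.path, size: file.size, reason: hit.reason });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package, not real data).
const SAMPLE = [{
  name: "example-cli",
  version: "0.0.0",
  files: [
    { path: "package.json", size: 1200 },
    { path: "cli.js", size: 900000 },
    { path: "cli.js.map", size: 59800000 },
    { path: "vendor/blob.bin", size: 12000000 },
  ],
}];

// Prints one line per finding; returns true when the package is clean.
function report(findings) {
  for (const f of findings) console.error(`BLOCK ${f.path} (${f.size} bytes): ${f.reason}`);
  return findings.length === 0;
}

if (process.argv[2] === "--stdin") {
  // CI mode (hypothetical filename): npm pack --dry-run --json | node check-pack.js --stdin
  let buf = "";
  process.stdin.setEncoding("utf8");
  process.stdin.on("data", (chunk) => { buf += chunk; });
  process.stdin.on("end", () => { process.exitCode = report(auditPackManifest(JSON.parse(buf))) ? 0 : 1; });
} else {
  report(auditPackManifest(SAMPLE)); // demo run on the constructed sample
}
```

A `files` allowlist in package.json is the sturdier fix, since it fails closed where .npmignore fails open. This gate is the backstop for the day someone forgets either.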
The Discovery: An Intern Did It In Minutes
Within minutes of publication, Chaofan Shou – an intern at Solayer Labs – found the source map, posted a direct download link on X, and watched the internet collectively lose its mind.
Tens of thousands of GitHub stars. Over 41,500 forks before Anthropic could do anything about it. Millions of tweet views.
And he would have gotten away with it too, if it weren't for one meddling intern with an npm account and a Twitter habit.
Anthropic filed DMCA takedowns, pulled the npm package, and issued a statement explaining it was "human error, not a security breach." Which is technically true in the same way that leaving your front door wide open is "architectural error, not a home invasion."
Also worth noting: a nearly identical source-map leak had already happened with an earlier version of Claude Code in 2025. Nobody noticed that time. So really this is less "human error" and more "company culture."
The Distraction: A Tamagotchi With a SNARK Stat
(This is the part of the heist movie where they wheel out the dazzling decoy)
Here's where it gets beautiful.
Buried deep in the leaked code, in src/buddy/companion.ts, developers found BUDDY. A fully-built, production-ready, Tamagotchi-style AI companion pet. Complete with:
- 18 species including duck, dragon, axolotl, blob, and capybara
- 5 rarity tiers up to Legendary/Shiny (1% chance – yes, really)
- RPG stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, and my personal favourite – SNARK
- A deterministic pet assigned to your UUID, no rerolling, you get what you get
- A separate system prompt with the comment: "Buddy is a separate entity and is not you (Claude)."
The generation algorithm has a hardcoded salt value of friend-2026-401. The "401." April 1st. Somebody at Anthropic was very pleased with themselves.
The plan was a soft April 1 reveal, full product launch in May. Someone clearly spent weeks on this. Hex-encoded the word "duck" inside the codebase so their own scanners wouldn't find it early. Genuinely hid it from coworkers like it was a birthday present.
And then an npm packaging error detonated the entire surprise like a piñata with a grenade inside.
Anthropic's response? They shipped BUDDY on April 1 anyway. What else were they going to do.
The Hall of Leaked Horrors (A Quick Tour)
BUDDY wasn't even the most alarming thing in there. A partial list of what the internet found:
KAIROS: An always-on background agent that autonomously fixes bugs and sends you push notifications without you asking. A persistent AI daemon. Living in your terminal. Thinking about your code while you sleep.
Dream Mode: Claude "thinking" in the background while idle. No notes, just vibes.
Undercover Mode (internal only, supposedly): Instructions telling Claude to never identify itself as an AI in open-source commit messages and to hide internal Anthropic codenames. A secret identity. For a coding assistant.
Anti-distillation fake tools: Deliberately injected fake tool definitions into Claude's prompts to poison competitor training data. Poisoning the well with decoy tools. Responsibly, of course.
DRM written in Zig: API signing implemented in a language that can't be monkey-patched at runtime, so nobody can spoof requests. They built digital rights management into a coding tool. They were READY for corporate espionage. Just not for .npmignore.
A 5,594-line file with a single function that is 3,167 lines long and 12 nesting levels deep. This is not a roast. This is a cry for help.
🎬 Meanwhile, in the Basement
(This is the part of the heist movie where the camera cuts to what's happening downstairs)
While the entire internet was busy unmasking Anthropic's source code and cooing over a Tamagotchi with maxed-out SNARK stats, something considerably less adorable was happening on the same platform.
On the same day, literally hours before the Claude Code leak went viral, a suspected North Korean threat actor compromised the npm account of the main maintainer of axios, one of the most widely used JavaScript packages on earth. Over 100 million weekly downloads. They published backdoored versions that silently installed a cross-platform Remote Access Trojan the moment you ran npm install. macOS, Windows, Linux, all three got their own custom payload. And after it ran, the malware deleted itself and replaced its own metadata with a clean copy.
A self-cleaning crime scene.
Here's the punchline: Claude Code uses axios as a dependency. Anyone who installed or updated Claude Code via npm during that window didn't just get Anthropic's accidentally exposed source code. They potentially got a North Korean RAT as a bonus.
The gang was upstairs pulling masks off Anthropic's leaked Undercover Mode. The actual villain walked out through the basement with everyone's credentials in a bag.
Nobody in the Scooby-Doo episode ever checks the basement.
The Part Where We Get Slightly Serious For Exactly One Paragraph
The "was it a PR stunt?" theory making rounds on social media is tempting but doesn't hold up. DMCA takedowns don't come cheap or fast. Real security damage followed – typosquatting npm packages targeting developers who tried to build the leaked code appeared within days. Anthropic genuinely tried to suppress this. The real story is simpler and more instructive: a world-class AI lab with a $40B valuation and a mission statement about careful, responsible deployment of AI technology... has shipped the same broken build pipeline at least three times without anyone noticing. The moat isn't as deep as the pitch deck suggests.
The Moral of the Story
(Or: every good heist needs a distraction)
In every heist movie, there's a moment where you realize the flashy thing, the explosion, the car chase, the celebrity cameo, was never the point. The point was what happened while you were watching the flashy thing.
March 31, 2026 gave us: a leaked Tamagotchi, over 41,500 GitHub forks, DMCA takedowns, and the collective internet losing its mind over a dragon with maxed SNARK stats.
It also gave us a self-cleaning North Korean RAT quietly exiting through the service entrance.
Anthropic built Undercover Mode to prevent leaks. It leaked.
They built anti-distillation poison to protect their IP. It leaked.
They built one of the most sophisticated AI coding agents on the planet.
They forgot .npmignore.
And while we were all laughing (which, obviously, was completely correct and valid) somebody else was not laughing. They were working.
Somewhere, a very stressed engineer is writing a blameless post-mortem. A very excited developer is desperately trying to roll Legendary Shiny Axolotl BUDDY. And a North Korean threat actor is on a flight home, utterly unbothered.
The Tamagotchi was the distraction. It was a great distraction. 10/10, would be distracted again.
But maybe, just maybe, check the basement.