The Anthropic source code leak that started as a packaging error on March 31 has escalated into a congressional matter.
On April 2, 2026, Rep. Josh Gottheimer (D-NJ) sent a letter to Anthropic CEO Dario Amodei, shared exclusively with Axios, pressing the company to explain the Claude Code leak and what the congressman described as rollbacks to internal safety protocols. Gottheimer’s letter directly cited the national security dimension: “Claude is a critical part of our national security operations.”
This is the second Claude-related source code exposure in just over a year.
What Gottheimer’s Letter Is Asking
The letter raises three concerns:
The leak itself. On March 31, a misconfigured debug file in the @anthropic-ai/claude-code npm package v2.1.88 bundled nearly 512,000 lines of internal TypeScript source code into a routine update. The code spread to over 8,100 GitHub repositories within hours before Anthropic issued takedowns. Anthropic attributed the incident to human error, not a deliberate breach.
The pattern. Gottheimer’s framing is not about a single incident. The reference to this being the second leak in roughly a year positions it as a systemic governance concern rather than a one-off accident. When the same type of failure happens twice, oversight bodies stop accepting “human error” as a complete explanation.
Safety protocol rollbacks. The letter asks Anthropic to explain changes to its internal safety processes. This is the more significant long-term concern. Anthropic has positioned itself as the safety-focused AI lab, with Responsible Scaling Policies and Constitutional AI as core differentiators. Any perception that safety guardrails are being loosened — whether to ship faster or meet commercial pressure — creates a credibility problem that is difficult to recover from.
Why Congressional Scrutiny at This Moment
Claude is embedded in U.S. defense and intelligence operations. That fact changes the risk profile of any security incident, even one caused by human error rather than a hostile actor.
When commercial AI tools are integrated into national security infrastructure, they are no longer purely private sector concerns. The governance frameworks, the access controls, the code release processes — these all become matters of public accountability. Gottheimer’s letter is the first formal signal that Congress intends to treat them that way.
The timing compounds the pressure. Anthropic filed paperwork widely interpreted as preparation for an IPO later in 2026. Congressional scrutiny of a repeated safety incident, combined with questions about safety rollbacks, is precisely the kind of narrative that complicates that path.
What This Means for Businesses Using Claude
If you are using Claude in enterprise workflows — through the API, through Claude Code, or through partner integrations — this story is not a reason to stop. Anthropic confirmed the incident was human error and the exposed code did not include model weights, training data, or customer information. There is no evidence of a hostile breach.
But the story does reinforce several practices that should already be in place for any enterprise AI deployment:
Vendor due diligence is ongoing, not one-time. A vendor’s security posture at the time you evaluated them is not the same as their security posture today. Regular reviews of how your AI vendors handle incidents, what they disclose, and how fast they respond are standard operational hygiene at this point.
Know what data touches your AI tools. Claude Code and similar AI development tools often have broad access to codebases, environment variables, and system contexts. Understanding the data surface your AI tools can access is the first step to limiting exposure if something goes wrong.
Watch for regulatory follow-through. Gottheimer’s letter is the beginning, not the end. If Anthropic’s response to Congress is inadequate, or if additional incidents emerge, the regulatory environment for enterprise AI tools could shift quickly. Businesses that have treated AI governance as a future concern will find themselves behind.
The Broader Pattern
The Anthropic story is one data point in a larger trend. As AI tools embed deeper into business operations, the expectation of enterprise-grade security, transparency, and accountability is rising to match. The informal standards that applied when AI was a productivity experiment no longer apply when AI is critical infrastructure.
Congressional letters, vendor scrutiny, and security incidents will accelerate over the next 12 months. Businesses that build their AI governance practices now, rather than reactively, will be better positioned to navigate that environment and to demonstrate trustworthiness to customers and partners who are asking harder questions.
For a deeper walkthrough of tools like this and how they fit together, the free Working With Claude field guide covers the ecosystem end to end. Get the guide.
Source
Axios
Free Resource
Going deeper with Claude?
Get the free 32-page implementation guide for ANZ teams.
Your guide is ready
Check your downloads folder. If it did not open automatically, use the button below.
Download the Guide