The "safe" AI company leaked its code

What's up, everyone? Welcome to Next in Dev, a weekly overview of all the news I could find in the modern web dev industry. This week, Anthropic accidentally published the entire source code for Claude Code, Railway's brand new CDN leaked authenticated user sessions, Google wants you to dump your AI chatbot for Gemini, and Cloudflare announced a WordPress successor that half the internet thought was an April Fools' joke. Let's dive in.

The biggest story this week is an embarrassing one. Anthropic accidentally leaked Claude Code's source code through an npm packaging error. A recent release contained a source map file pointing to a zip archive on Anthropic's own cloud storage. There were nearly 2,000 TypeScript files, over 500,000 lines of code.

A security researcher flagged it on X and within hours the codebase was mirrored across GitHub with 84,000 stars before Anthropic could issue takedowns.

What's actually in the code is fascinating. There's a three-layer memory architecture where the agent treats its own memory as hints rather than facts and verifies everything against the actual codebase. There's an unreleased autonomous mode that lets Claude Code work in the background while you're away. And there's further evidence of an upcoming model codenamed Capybara.

This comes days after Fortune reported that Anthropic had already left 3,000 internal files publicly accessible. Two leaks in one week from the company whose entire brand is built on being more careful than everyone else isn't great. The features are impressive engineering, but the this is a 19 billion dollar ARR company, and it just gave every competitor a free look into how the sausage is made. Source map leaks are an easy mistake, but Anthropic chose to position itself as the safe one, and they need to earn it operationally, not just philosophically.

Speaking of things leaking: Railway launched CDN support on March 27. Three days later, a configuration update accidentally enabled caching on domains that had CDN turned off. For about an hour, Railway cached and served HTTP GET responses, including authenticated ones, across affected domains. Railway's incident report says roughly 0.05% of domains were affected, but users on the support forums reported being logged in as other users entirely. One user had evidence of customer data being exposed and hadn't received any notification almost 48 hours later. Railway acknowledged they didn't even have CDN logs initially. If you're running anything with authenticated users on Railway, audit your cache headers today.

Google had a busy week. They launched a switching tool for Gemini that let you import memories and full chat history from other AI chatbots. This is similar to Anthropic's switching tool that released around the Pentagon kerfuffle. The memory import works through a copy-paste workflow where Gemini gives you a prompt, you paste it into your current app, it generates a summary, and you paste that back. For chat history you can upload a ZIP file. Google is betting that once you're inside the Gemini ecosystem with Gmail, Photos, and Search all connected, you won't want to leave. I get the thinking, but I don't agree.

Separately, Google released Gemma 4. The 31B dense model ranks number 3 among all open models on Arena AI, outcompeting models 20 times its size. What's most interesting is the license. Gemma 4 is Apache 2.0, a real open-source license, not the restrictive terms they used for previous Gemma releases. Google is directly responding to community criticism with this move. They've claimed previous models have been open, but the licenses they've provided have always been more restrictive than that.

Cloudflare announced EmDash, an open-source TypeScript CMS they're calling the spiritual successor to WordPress. It runs serverless on Workers, uses Astro as its frontend framework, and has a fundamentally different plugin security model. Each plugin runs in its own isolated sandbox and declares exactly what permissions it needs. No filesystem access, no database access unless explicitly granted. This seeks to address the fact that 96% of WordPress security issues come from plugins. But the early criticism is fair. Search Engine Journal pointed out there's no visual site builder, setup requires a CLI, and the announcement is entirely developer-focused. At v0.1.0, this is a developer preview, not a WordPress replacement. But the plugin security model is actually innovative, and if Cloudflare builds out the user experience, this could become significant. Also, launching on April 1 was... a choice. A lot of people dismissed it as an April Fools' joke.

On the topic of CMSes, Payload released v3.81.0 with an LLM evaluation suite for testing whether AI coding tools generate correct Payload code. This is Payload building automated benchmarks to make sure that when you ask Claude Code or Cursor to scaffold a collection, the output follows Payload conventions. Much of this release is focused on stability and adjusting dependencies.

Claude Code pushed seven releases since I last covered it, 2.1.84 through 2.1.90. Highlights include a PowerShell tool for Windows, transcript search, and major performance fixes. Fixes like SDK sessions will no longer slow down on long transcripts. Auto mode now actually respects explicit user boundaries like "don't push" or "wait before doing something." Previously it could override those instructions, which is a meaningful trust issue for an autonomous coding tool. And yes, 2.1.88 was the version that leaked the source code. It's been pulled down.

A few rapid fire things.

Figma launched Make kits and Make attachments, which are kits that let design system teams package their npm components with guidelines that teach Figma Make how to use them, and attachments let you bring real datasets, screenshots, and brand docs into prompts so prototypes use actual content instead of placeholders. AI image tools also expanded to FigJam, Slides, and Buzz.

Astro 6.1 added global Sharp image encoding defaults, advanced configuration for non-English typography, and internationalization fallback routes for integrations.

TanStack Router replaced its reactive core with a signal graph built on alien-signals. Client-side navigation dropped about 35% in React. No API changes required; it's the same hooks, just with fewer re-renders.

What did I miss? Let me know by leaving a comment wherever you're watching or listening, or by joining my Discord server and subscribing to the Next in Dev newsletter at nlvcodes.com.

Thanks for watching or listening. See you in the next video.