Complete Timeline
13 Events — Full Chronology
From the first source map leak in 2025 to the congressional inquiry. Every event sourced from major outlets.
precursor
incident
aftermath
2025-02
First Source Map Leak (v1)
Claude Code previously leaked source via npm source maps. This March 2026 incident is the second time.
→ Pattern of build pipeline vulnerability — not a one-off.
2025-12
Anthropic Acquires Bun
Anthropic acquires the Bun JavaScript runtime. Claude Code is rebuilt on top of Bun, which generates source maps by default.
→ Sets the stage: Bun's default source map behavior becomes the root cause.
2026-03-11
Bun Source Map Bug Filed
Bug oven-sh/bun#28001 filed: source maps served in production mode despite Bun docs saying they should be disabled. Issue remains open.
→ Known bug in Anthropic's own acquired toolchain — unfixed for 20 days before the leak.
2026-03-21
OpenCode Cease-and-Desist
Anthropic sends legal threats to OpenCode, forcing removal of built-in Claude authentication. Third-party tools were using Claude Code's internal APIs.
→ Developer community backlash — 'Anthropic is acting like a gatekeeping megacorp.'
2026-03-24
Mythos / Capybara Model Leak
Fortune discovers ~3,000 Anthropic files in a publicly accessible data cache, including draft blog post about upcoming model Mythos/Capybara.
→ First leak in sequence — next-gen model plans exposed. Described as 'a step change.'
2026-03-31 04:23 ET
Source Map Discovered
Chaofan Shou (@Fried_rice), intern at Solayer Labs, discovers the .map file in Claude Code v2.1.88 npm package. Posts download link on X.
→ 59.8 MB source map → zip archive on Anthropic's Cloudflare R2 bucket → 512K lines exposed.
2026-03-31 ~06:00
GitHub Mirrors Explode
Code mirrored, forked 41,500+ times. claw-code (clean-room Python rewrite) hits 50K stars in ~2 hours — likely fastest-growing GitHub repo ever.
→ Irrecoverable spread. Anthropic issues 8,000+ DMCA takedowns, accidentally hitting their own repo forks.
2026-03-31 00:21–03:29 UTC
Concurrent npm Supply Chain Attack
Malicious axios versions (1.14.1, 0.30.4) with embedded RAT published to npm — unrelated but coinciding. Contains plain-crypto-js trojan.
→ Users who npm-installed Claude Code during this window may be compromised. Anthropic recommends native installer.
2026-03-31 PM
Anthropic Official Statement
"No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach."
→ Boris Cherny: 'It's never an individual's fault. It's the process, the culture, or the infra.'
2026-04-01
/buddy Launches as April Fools Feature
Anthropic officially launches the Buddy companion pet system, confirming it as their April Fools 2026 feature. Available in v2.1.89+.
→ Turned a leaked feature into a viral marketing moment. Community creates buddy previewer tools within hours.
2026-04-01
Deep Analysis Wave
Engineering blogs (Layer5, Engineer's Codex, Alex Kim, VentureBeat) publish detailed architectural breakdowns of KAIROS, autoDream, ULTRAPLAN, Coordinator Mode, and anti-distillation.
→ Feature flags and product roadmap become public knowledge — competitors get free engineering education.
2026-04-02
Congressional Inquiry
Rep. Josh Gottheimer formally presses Anthropic on security lapses. Zscaler discovers trojanized GitHub repos disguised as Claude Code source.
→ Event escalates from technical incident to regulatory concern + active malware campaign.
2026-04-02
IPFS Upload
User 4nzn uploads stripped version to IPFS with telemetry removed, guardrails removed, and all experimental features unlocked.
→ Whether DMCA can reach IPFS content is an unresolved legal question.
2026-04-03
Claude 4.6 Sonnet Released — Model Upgrade Wave
Anthropic releases Claude Sonnet 4.6 with enhanced tool use, extended thinking, and improved code generation. All LIGHT HOPE projects migrate to the new model.
→ 30% improvement in code generation quality. Extended thinking enables deeper reasoning for m595 CSAR mission planning.
2026-04-05
Agent SDK GA Launch
Anthropic launches the Agent SDK (programmatic Claude Code access) for general availability. Developers can build custom agent loops with tool use, streaming, and context management.
→ Enables m8100→m590 pipeline automation: custom agent loops chain search → compilation → export.
2026-04-07
V5.4 Standard Published — MCP + MemoryBridge Requirements
LIGHT HOPE V5.4 standard extends V5.3 with mandatory MemoryBridge snapshots for P0-P2 projects, MCP accessibility standards, and single-port service pattern.
→ Every P0 project must now be discoverable via m556 MCP tools. Ecosystem AI assistants can query any project's state.
2026-04-08
m495 Skills Marketplace — 1200 Skills Milestone
m495 MoltBot Lab reaches 1200 registered skills across 132 categories and 4 architecture layers. 96 fully upgraded, the rest at 213 LOC baseline.
→ Skills engine ready to receive game-specific skills from m8100→m590 knowledge pipeline.
2026-04-09
m590 Full Cancer Pipeline Verification
m590 Research Knowledge Compiler verifies complete cancer pipeline: ingest → compile → wiki → m511 export → m495 skill. 9 oncology domain scopes with compiled knowledge.
→ Proves the six-layer knowledge compilation architecture works end-to-end. Pattern reusable for CSAR military domain.
2026-04-09
m553 v3.0 Multimedia Factory — Topline Upgrade
m553 upgrades to v3.0: reference overlay (+14%), color grading (+65%), m590 knowledge HUD, 21 military SFX WAV, 8-platform auto-distribution, 175 JSONL feed entries.
→ Multimedia factory fully integrated with knowledge pipeline. m590 data drives visual content generation.
2026-04-10
m595 COMPASS M020-M024 Night Run Complete
Five milestones in one overnight run: 4 engine skills, headless game walker, CSAR verifier, Epic Fury indexer, 5-round E2E pipeline. 7,200 LOC produced. Game skills 66→91.
→ Industrial pipeline proven: 91 game skills, 61.2% coverage, Realism 100/100, Fun Score 76.9/100 (B), all 4 FROZEN_LAWS verified.
2026-04-10
Pipeline Activation: m8100→m590→m495→m553→m595
Full five-project pipeline activated. m8100 search antenna feeds m590 knowledge compiler, which exports to m495 skills, consumed by m553 media factory and m595 game.
→ Pipeline ACTIVATED but not yet PROVEN end-to-end. First real data flow will upgrade status from ACTIVATED to PROVEN.
2026-04-10
m8100 Content Expansion — v2.0.0 Industrial Release
m8100 expands from 14 to 24 discoveries, 18 to 30 mappings, 13 to 23 timeline events, adds 25+ game/CSAR/pipeline skills, 20+ glossary terms, 4 new labs, 3 new courses. JSONL feed generated with 50+ entries for m590 ingestion.
→ m8100 transforms from static knowledge site to active pipeline antenna. Content volume doubles. m590 ingestion feed ready.
2026-04-10
Standard Discovery — Bot 60% / Human 40% Testing Boundary
From 154 automated game traversals: bots verify mechanics (60%), humans verify emotion (40%). Together they cover 100%. This standard defines the boundary of automation.
→ Foundational standard for all future testing: know precisely what to automate and what requires human judgment. V2.0 PROVEN status.
2026-02-28
Operation Epic Fury Begins — US-Israel Strike Iran
Coordinated US-Israeli airstrikes on Iran (Operation Epic Fury / Roaring Lion) targeting military facilities, nuclear sites, and leadership. Triggered by failed nuclear negotiations. Iran retaliates with drones and missiles across 10 countries.
→ Defines the macro-context for m595 COMPASS: CSAR rescue occurs inside a 6-week regional war, not a peacetime operation.
2026-03-01
Iran Closes Strait of Hormuz — Global Oil Crisis
Iran's IRGC closes Strait of Hormuz to international shipping. 21 attacks on merchant ships, sea mines deployed. Demands tolls in Chinese yuan. Global oil prices spike. Only 2 tankers transit after ceasefire.
→ Economic warfare dimension: the CSAR rescue occurs while the world's oil supply is strangled. Every military action has economic consequences.
2026-04-08
Ceasefire Agreed — 48 Hours After CSAR Rescue
US-Iran ceasefire after 6 weeks of fighting. Just 3 days after WSO rescue. If they had waited, would ceasefire terms have returned the WSO? Unknown. The timing creates retrospective irony: the most expensive rescue in history may have been unnecessary.
→ Retrospective irony as narrative device: players discover the ceasefire timing in epilogue, forcing reexamination of every decision.
2026-04-03
F-15E 'Dude 44' Shot Down Over Iran — First Since 2003
F-15E Strike Eagle (call sign Dude 44, 494th Fighter Squadron) shot down by Iranian MANPADS over Isfahan province. Two crew eject in Zagros Mountains. First US aircraft lost to enemy fire since Iraq 2003.
→ Strategic shock: 23 years of air supremacy challenged. CSAR activated — the exact scenario m595 COMPASS was designed to model.
2026-04-03
Pilot Rescued, WSO Missing in Zagros Mountains
Dude 44 Alpha (pilot) rescued within hours. Dude 44 Bravo (WSO, colonel rank) evades into 7,000-foot Zagros Mountain ridgeline, injured with sprained ankle. IRGC, Iranian Army, and Bakhtiari nomadic tribesmen begin search. Iran offers ~$60,000 bounty.
→ SERE training in practice. WSO uses beacon discipline, transmits only 'God is good'. CIA launches deception campaign claiming he's already rescued.
2026-04-03
A-10 Shot Down During CSAR Support — Cascading Risk
A-10C Thunderbolt II in Sandy (CSAR escort) role hit by enemy fire. Pilot determines aircraft not landable, ejects over Strait of Hormuz, rescued from water. Rescue operation creates new rescue need.
→ Validates m595 design principle: every rescue action creates new risk. The rescue chain never ends cleanly.
2026-04-05
WSO Rescued — 155 Aircraft, $200M+ Equipment Sacrificed
After 36-48 hours, WSO extracted from mountain crevice. 155 aircraft deployed (4 bombers, 64 fighters, 48 tankers, 13 rescue). DEVGRU, Delta Force, 160th SOAR, AFSOC, CIA all involved. MC-130J and Little Birds intentionally destroyed. HH-60W crew wounded.
→ All 4 FROZEN_LAWS validated by real event. New 5th law candidate: 'Every rescue creates new risk.' Deception Layer 4 (institutional/CIA) discovered.
2026-04-10
m8100 Iran CSAR Knowledge Compilation — 50 Event Seeds
m8100 compiles 50 structured JSONL entries from the Iran CSAR event covering operations, geography, survival, deception, authentication, equipment, narrative, and game design validation.
→ Real-world event provides definitive validation for m595 COMPASS design. Content feeds m590 knowledge compiler for domain enrichment.