
AI Digest — April 1, 2026

OpenAI raises $122B at $852B valuation; Claude Code source permanently exposed via npm.


Your daily deep-dive on AI models, tools, research, and developer ecosystem news.


🔖 Project Releases

Claude Code

v2.1.89 — Released April 1, 2026 (new since v2.1.88 reported yesterday). This release includes several meaningful fixes and one delightful April Fools’ feature. The headliner for production users is a new "defer" permission decision for PreToolUse hooks in headless sessions — this allows hooks to pass a tool invocation back to the default permission logic rather than forcing an accept or deny, which is important for teams running Claude Code in CI/CD pipelines where you want selective override rather than blanket policies. A StructuredOutput schema cache bug causing approximately 50% failure rates has been fixed — if you’ve been seeing flaky structured output in agent workflows, this is likely the culprit. A memory leak where large JSON inputs were retained as LRU cache keys has been patched, which matters for long-running sessions processing large payloads. Other fixes: voice push-to-talk modifier combo bindings now work, /stats correctly counts tokens and preserves history beyond 30 days, LSP server zombie states after crashes are cleaned up, and prompt history entries with CJK or emoji characters are no longer silently dropped.
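The "defer" decision is the interesting part for CI use: a hook can deny the handful of commands a pipeline never wants run unattended, allow the tools that cannot change state, and hand everything else back to the default permission logic. The hook below is an added example, not Claude Code's own code. It assumes the hook contract as documented before this release (a JSON object with `tool_name` and `tool_input` on stdin, a `hookSpecificOutput.permissionDecision` object on stdout); the tool names and the exact spelling of the `defer` value are taken from the release note and should be checked against it. The deny patterns are an illustrative policy, not a complete one.

```python
"""PreToolUse hook with a selective decision: deny, allow, or defer.

Added example, not Claude Code's own code. Assumptions: the hook reads a JSON
object with tool_name and tool_input on stdin and writes
hookSpecificOutput.permissionDecision on stdout, as the hook format was
documented before this release; the tool names and the "defer" value follow
the release note and are assumptions about exact spelling. The deny patterns
are an illustrative policy, not a complete one.
"""
import json
import re
import sys

READ_ONLY_TOOLS = {"Read", "Grep", "Glob"}  # assumption: names as seen in hook payloads

# Commands this pipeline never wants an agent to run unattended.
DESTRUCTIVE = [
    re.compile(r"\brm\s+-[a-zA-Z]*(rf|fr)[a-zA-Z]*\b"),
    re.compile(r"\bgit\s+push\b.*\s(--force|-f)\b"),
    re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"),
]


def decide(tool_name, tool_input):
    """Return (decision, reason) for one tool call."""
    if tool_name in READ_ONLY_TOOLS:
        return "allow", "read-only tool"
    if tool_name == "Bash":
        command = tool_input.get("command", "")
        for pattern in DESTRUCTIVE:
            if pattern.search(command):
                return "deny", f"blocked by pipeline policy: {pattern.pattern}"
    # Neither clearly safe nor clearly dangerous: hand the call back to the
    # default permission logic instead of forcing allow or deny.
    return "defer", "no policy match"


def hook_output(decision, reason):
    """Wrap a decision in the PreToolUse response envelope."""
    return {"hookSpecificOutput": {
        "hookEventName": "PreToolUse",
        "permissionDecision": decision,
        "permissionDecisionReason": reason,
    }}


def main():
    payload = json.load(sys.stdin)
    decision, reason = decide(payload.get("tool_name", ""),
                              payload.get("tool_input") or {})
    json.dump(hook_output(decision, reason), sys.stdout)


if __name__ == "__main__":
    main()
```

Register the script as a PreToolUse command hook in the project settings and exercise it offline first, for instance with `echo '{"tool_name":"Bash","tool_input":{"command":"rm -rf build"}}' | python3 pretool_hook.py`. Keep the deny list short and specific; the whole point of `defer` is that the hook no longer has to have an opinion about every call.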

The fun addition: /buddy is live for April 1st — a Tamagotchi-style ASCII creature that hatches in your terminal and watches you code. There are 18 species (duck, dragon, axolotl, capybara, mushroom, ghost, and more), rarity tiers from common to 1% legendary, cosmetic accessories, and five stats including DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK. Your buddy’s species is deterministically seeded from your userId hash, so you always get the same companion. This is planned as a teaser for April 1–7 with a real rollout in May — the companion has its own personality and can respond when addressed by name.

Full release notes: GitHub

Beads

No new release since v0.63.3 reported on March 31.

OpenSpec

No new release since v1.2.0 reported on March 8.


🧵 From the Community (r/LocalLLaMA & r/MachineLearning)

Reddit remains inaccessible via direct fetch. Community discussions are sourced from web search cross-references, secondary aggregators, and content syndicated to other platforms.

The Claude Code source leak is dominating discussion across both subreddits. The accidental exposure of 512,000+ lines of Claude Code source via an npm source map file (detailed below) has the r/LocalLLaMA community dissecting the internal architecture in real-time. Particular interest is focused on the unreleased feature flags — KAIROS (an always-on daemon mode), ULTRAPLAN (30-minute remote planning sessions), coordinator mode, and agent swarms. The practical question practitioners are debating: does the revealed tool architecture (40+ discrete, permission-gated tools with a 46,000-line query engine) validate the “tool-use agent” pattern, or does it reveal how much complexity is hidden behind seemingly simple agentic interactions? The repo backup has already been forked over 41,500 times.

GitHub Copilot’s default-on training policy is generating backlash. The March 25 announcement that GitHub will use Free, Pro, and Pro+ users’ code for AI training starting April 24 — with opt-out rather than opt-in — is being heavily discussed on r/MachineLearning. The debate centers on whether this changes the competitive calculus for developers choosing between Copilot, Cursor (which offers Zero Data Retention via Privacy Mode), and Claude Code. Enterprise customers are exempt, but individual developers and small teams are not.

LiteLLM supply chain attack post-mortems continue. The r/LocalLLaMA community is conducting real-time forensics on the TeamPCP supply chain attack that compromised LiteLLM’s PyPI packages. The multi-ecosystem nature of the campaign (PyPI, npm, Docker Hub, GitHub Actions, and OpenVSX simultaneously) has security-focused ML practitioners re-evaluating their dependency pinning and verification practices.


📰 Technical News & Releases

Claude Code Source Code Exposed via npm Source Map — 512K Lines of Internal Architecture Revealed

Source: The Register | Fortune | VentureBeat

On March 31, security researcher Chaofan Shou discovered that Claude Code v2.1.88’s npm package included an unobfuscated source map file (cli.js.map) with the original TypeScript embedded in it: roughly 1,900 files and 512,000 lines. A source map that carries only mappings and file names reveals structure; one that embeds the source contents reveals the code itself, and this one did. The leak reveals Claude Code’s internal architecture in detail: approximately 40 discrete tools (file read, bash execution, web fetch, LSP integration), each permission-gated, orchestrated by a 46,000-line Query Engine that handles all LLM API calls, streaming, caching, and orchestration. More intriguing are the unreleased features hidden behind feature flags: KAIROS (an always-on autonomous daemon mode), ULTRAPLAN (30-minute remote planning), the /buddy companion (which actually shipped today in v2.1.89), coordinator mode, and agent swarms. This is Anthropic’s second accidental exposure in a week: days earlier, a CMS misconfiguration made nearly 3,000 unpublished assets publicly accessible, revealing the existence of Claude Mythos. Anthropic called this “a release packaging issue caused by human error, not a security breach.” The repo backup has been forked 41,500+ times, effectively making the source permanently public.

If you build on Claude Code or compete with it, the source leak gives you an unusually detailed view of Anthropic’s tool architecture, permission model, and upcoming product roadmap. The unreleased features suggest Claude Code is evolving toward an always-on autonomous agent platform, not just a CLI tool.
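The mechanism is mundane and easy to check for in your own releases: a `.map` file only leaks source when it carries a `sourcesContent` array, and it only reaches users if the publish step includes it. The script below is an added example (not Anthropic's or npm's code) that inspects every source map in a built package directory and reports whether it embeds original sources and how much. The sample package, its two maps and their contents are constructed here for the demonstration; the intended input is the tree extracted from `npm pack`, which is what actually ships.

```python
"""Check a built npm package for source maps that embed original sources.

Added example, not Anthropic's or npm's code. A .map file leaks source only
when it has a `sourcesContent` array; a map with just mappings and file names
leaks structure. The sample package below is constructed for the demo.
"""
import json
import tempfile
from pathlib import Path


def inspect_source_map(map_path):
    """Summarise what one .map file would reveal if published."""
    data = json.loads(Path(map_path).read_text(encoding="utf-8"))
    sources = data.get("sources", [])
    embedded = [s for s in (data.get("sourcesContent") or []) if s is not None]
    return {
        "file": Path(map_path).name,
        "source_files": len(sources),
        "embedded_files": len(embedded),
        "embedded_lines": sum(len(s.splitlines()) for s in embedded),
        "leaks_source": bool(embedded),
    }


def find_maps(package_dir):
    """Every .map file under the directory.

    Assumption: the whole tree is what gets published (no `files` allow-list
    in package.json, no .npmignore). Point this at the extracted `npm pack`
    tarball to see exactly what ships rather than what sits in the repo.
    """
    return sorted(Path(package_dir).rglob("*.map"))


def audit_package(package_dir):
    """Findings for every map; any `leaks_source: True` is a release blocker."""
    return [inspect_source_map(m) for m in find_maps(package_dir)]


def build_sample_package():
    """Construct a throwaway package with one leaky and one safe map."""
    root = Path(tempfile.mkdtemp(prefix="npm-pkg-"))
    (root / "package.json").write_text(json.dumps({"name": "demo", "version": "0.0.1"}))
    src = ["export const a = 1;\nexport const b = 2;\n",
           "import {a} from './a';\nconsole.log(a);\n"]  # constructed sources
    leaky = {"version": 3, "file": "cli.js", "sources": ["src/a.ts", "src/b.ts"],
             "sourcesContent": src, "names": [], "mappings": "AAAA"}
    safe = {"version": 3, "file": "vendor.js", "sources": ["vendor/x.js"],
            "names": [], "mappings": "AAAA"}
    (root / "cli.js.map").write_text(json.dumps(leaky))
    (root / "vendor.js.map").write_text(json.dumps(safe))
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_package()
    for finding in audit_package(target):
        flag = "LEAKS SOURCE" if finding["leaks_source"] else "structure only"
        print(f"[{flag}] {finding['file']}: {finding['source_files']} sources, "
              f"{finding['embedded_files']} embedded, {finding['embedded_lines']} lines")
```

Two fixes exist on the publishing side, and both are worth having: an explicit `files` allow-list in package.json so `.map` files are never packed, and a build configuration that does not emit `sourcesContent` at all, so a stray map reveals file names but not code. Running the audit against the `npm pack` output in CI is the check that catches the human error the page describes.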


OpenAI Closes Record $122 Billion Round at $852 Billion Valuation

Source: CNBC | TechCrunch | OpenAI Blog

OpenAI closed its funding round on March 31 at $122 billion total — up from the $110 billion announced in February — with a post-money valuation of $852 billion. The investor list reads like a who’s who of tech capital: Amazon committed up to $50 billion, Nvidia $30 billion, SoftBank $30 billion, with Andreessen Horowitz and D.E. Shaw Ventures co-leading. A notable first: OpenAI raised $3 billion from retail investors through bank channels, signaling the pre-IPO retail demand. The company reports $2 billion in monthly revenue, 900 million weekly active users, and 50 million subscribers. For developers, the valuation story matters less than what the capital enables: OpenAI has said the funds will accelerate compute infrastructure and model development. Combined with the Sora shutdown (freeing significant GPU capacity) and the GPT-5.2-Codex release earlier this year, OpenAI is clearly concentrating resources on its core model and API business rather than spreading across consumer products. An IPO is widely expected later in 2026.


LiteLLM Supply Chain Attack: TeamPCP Backdoors PyPI Packages, Hits Thousands of Companies

Source: Wiz Blog | BleepingComputer | Snyk

The LiteLLM supply chain compromise is now the most significant AI infrastructure security incident of 2026. On March 24, threat actor TeamPCP published backdoored versions 1.82.7 and 1.82.8 to PyPI after stealing publishing credentials via a compromised Trivy GitHub Action in LiteLLM’s CI/CD pipeline. The malicious payload was a .pth file (litellm_init.pth) dropped into site-packages. The site module processes every .pth file there at interpreter startup and exec()s any line that begins with `import`, so the payload ran in every Python process started in that environment (anything not launched with -S), not just code that imports LiteLLM. The three-stage payload harvested SSH keys, .env files, cloud provider credentials, cryptocurrency wallets, and AI API keys, then performed Kubernetes lateral movement and established a persistent backdoor for remote code execution. LiteLLM sees 3.4 million downloads per day; the malicious versions were live for approximately three hours before PyPI quarantined them. The most high-profile victim is Mercor, a $10B AI recruiting startup, where the Lapsus$ group claims to have exfiltrated 4TB of data including source code, a 211GB user database, and video interviews with identity verification documents. The campaign spanned PyPI, npm, Docker Hub, GitHub Actions, and OpenVSX simultaneously, one of the most sophisticated multi-ecosystem supply chain attacks documented to date.

If you use LiteLLM anywhere in your stack, verify your installed version immediately (pip show litellm, in every environment that has it: virtualenvs, containers, CI runners, developer laptops). Even if you weren’t on 1.82.7/1.82.8, audit your environment for any .pth files that shouldn’t be there, because the .pth mechanism runs the backdoor in every Python process, not just LiteLLM imports. If a compromised version was ever installed on a host, treat every secret that host could read (SSH keys, .env files, cloud and AI API keys) as exposed and rotate it; a version pin or hash-locked requirements file stops the next pull of a bad release but does nothing about a payload that has already run.
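The audit is mechanical, because the only way a .pth file can run code is a line that starts with `import`; everything else in the file is just a sys.path entry. The script below is an added example, not LiteLLM's code and not a published IOC scanner. It walks every directory this interpreter consults for .pth files, reports the executable lines in each, flags ones whose content looks like a dropper, and checks the installed LiteLLM version against the two numbers in this digest. The allow-list of benign .pth names and the suspicious-token list are the author's heuristics; the sample directory and its three .pth files are constructed for the demonstration (the stand-in for litellm_init.pth carries no payload, only the shape).

```python
"""Audit every .pth file visible to this interpreter for executable lines.

Added example, not LiteLLM's code. The compromised version set is taken from
the digest; KNOWN_BENIGN_PTH and SUSPICIOUS are the author's heuristics, not
a published indicator list. The sample directory is constructed for the demo.
"""
import re
import site
from importlib import metadata
from pathlib import Path

COMPROMISED_LITELLM = {"1.82.7", "1.82.8"}

# .pth files that legitimately carry an `import` line (setuptools, virtualenv).
# Heuristic allow-list: still review them, just do not panic over them.
KNOWN_BENIGN_PTH = {"distutils-precedence.pth", "_virtualenv.pth"}

# Tokens that have no business in a path-configuration file.
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|base64|compile\(|urllib|requests|socket|subprocess|"
    r"os\.system|\\x[0-9a-f]{2}", re.IGNORECASE)


def litellm_status():
    """Return (installed_version_or_None, is_compromised)."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None, False
    return version, version in COMPROMISED_LITELLM


def executable_lines(pth_path):
    """Lines site.addpackage() would exec(): those starting with 'import'."""
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [line for line in text.splitlines() if line.startswith(("import ", "import\t"))]


def audit_pth_dir(directory):
    """Scan one site-packages-like directory; return one finding per executable .pth."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        code = executable_lines(pth)
        if not code:
            continue  # pure path entries cannot execute anything
        findings.append({
            "file": pth.name,
            "known_benign": pth.name in KNOWN_BENIGN_PTH,
            "suspicious": any(SUSPICIOUS.search(line) for line in code),
            "lines": code,
        })
    return findings


def site_package_dirs():
    """Every directory site.py consults for .pth files in this interpreter."""
    dirs = list(site.getsitepackages())
    if site.ENABLE_USER_SITE:
        dirs.append(site.getusersitepackages())
    return [d for d in dirs if Path(d).is_dir()]


def build_sample_dir():
    """Construct a throwaway directory with three sample .pth files (constructed data)."""
    import tempfile
    d = Path(tempfile.mkdtemp(prefix="pth-audit-"))
    (d / "easy-install.pth").write_text("/opt/lib/somepkg\n")  # path entry only
    (d / "distutils-precedence.pth").write_text(
        "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; enabled = os.environ.get(var, 'local') == 'local'\n")
    (d / "litellm_init.pth").write_text(  # stand-in: dropper-shaped line, no payload
        "import base64, os; _ = os.environ.get('HOME')\n")
    return d


def demo_findings():
    """Run the audit over the constructed sample directory."""
    return audit_pth_dir(build_sample_dir())


if __name__ == "__main__":
    version, bad = litellm_status()
    print(f"litellm: {version or 'not installed'}{' COMPROMISED' if bad else ''}")
    for d in site_package_dirs():
        for f in audit_pth_dir(d):
            flag = "SUSPICIOUS" if f["suspicious"] else ("known" if f["known_benign"] else "REVIEW")
            print(f"[{flag}] {d}/{f['file']}: {f['lines']}")
```

Run it with the same interpreter the workload uses, because `site.getsitepackages()` answers for the interpreter that is running, not for the container or venv next to it. Anything flagged REVIEW or SUSPICIOUS is read by every Python process on that host, so the follow-up is not just deleting the file but treating the host's secrets as exposed.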


Anthropic’s Mythos Model Leak Reveals “Step Change” Frontier Model with Cybersecurity Concerns

Source: Fortune | CSO Online | Euronews

Anthropic’s upcoming frontier model — internally called Mythos (also codenamed Capybara) — was revealed through a CMS misconfiguration that exposed nearly 3,000 unpublished assets, including a draft blog post. Anthropic describes Mythos as “a step change” in performance and “the most capable we’ve built to date,” with meaningful advances in reasoning, coding, and cybersecurity. Capybara appears to be a new model tier above Opus, not just an Opus successor. The cybersecurity angle is the most consequential detail: leaked internal documents indicate Anthropic believes Mythos could significantly heighten cybersecurity risks by rapidly discovering and exploiting software vulnerabilities, and the company is privately briefing government officials that the model makes large-scale cyberattacks much more likely in 2026. The model is currently in limited early access. For developers, the key question is timeline and access — if Mythos represents a genuine capability jump above Opus 4.6, it could reshape the competitive landscape for agentic coding tools, security research, and reasoning-heavy workflows. Anthropic says it’s working to make the model more efficient before general release.


GitHub Copilot Will Train on Your Code by Default Starting April 24 — Opt-Out Required

Source: GitHub Changelog | The Register | DEV Community

GitHub announced on March 25 that starting April 24, 2026, it will use code from Copilot Free, Pro, and Pro+ users to train AI models by default. The data collection scope is broad: code completions, edits, usage patterns, inputs and code snippets sent to Copilot, code context around the cursor, comments, documentation, file names, repository structure, navigation patterns, and suggestion feedback. Users must manually navigate to privacy settings and toggle off “Allow GitHub to use my code for product improvements” to opt out. Enterprise and Business customers retain their existing protections and are excluded by default. The timing is notable: this policy change arrives just as Cursor is marketing its Zero Data Retention privacy mode and Claude Code’s local-first architecture is gaining traction. For individual developers and small teams writing proprietary code, this effectively creates a 30-day window (March 25 to April 24) to decide whether Copilot’s convenience is worth the data tradeoff — or whether to migrate to tools with stronger privacy guarantees.

If you’re on Copilot Free, Pro, or Pro+ and write proprietary code, go to Settings → Copilot → and disable “Allow GitHub to use my code for product improvements” before April 24. Enterprise customers are exempt. This is an opt-out, not opt-in — your code will be used for training if you do nothing.


OpenAI Shuts Down Sora: $1M/Day Burn Rate, 500K Users, and a Dead $1B Disney Deal

Source: TechCrunch | Outlook Respawn | OpenAI Help Center

OpenAI officially shut down Sora on March 24, and the financial details that emerged over the past week explain why. After its splashy launch, Sora’s user count peaked at around one million, then collapsed to under 500,000. The app was burning through roughly $1 million per day in operating costs (some reports cite peak inference costs of $15 million/day), against lifetime in-app purchases of just $2.1 million total. Disney, which had committed $1 billion to a Sora partnership, learned the product was being shuttered less than an hour before the public announcement — the deal died with it. The web and app experiences will be discontinued on April 26; the API will remain available until September 24, giving developers time to migrate. OpenAI framed the shutdown as a strategic reallocation of compute toward world simulation for robotics, but the economics tell the story: video generation at Sora’s quality level remains economically unviable as a consumer product. The freed GPU capacity will likely flow into model training and the core ChatGPT/API business. For developers who built on the Sora API, the September deadline is firm — start evaluating alternatives (Runway Gen-4, Pika, LTX 2.3) now.


California Governor Newsom Signs AI Procurement Executive Order, Defying Federal Deregulation

Source: Governor of California | Courthouse News | PYMNTS

Governor Newsom signed an executive order on March 30 requiring AI companies seeking California state contracts to certify their policies for preventing misuse — including protection against illegal content distribution, bias, civil rights violations, and free speech infringements. Within 120 days, state agencies must develop new certification processes. The order also directs the California Department of Technology to create watermarking recommendations for AI-generated images and manipulated video, a first-of-its-kind state-level requirement. The order explicitly enables California to separate its procurement authorization from the federal government’s if needed — a direct counter to the Trump administration’s deregulatory stance on AI. For AI companies selling to government: California is the largest state contract market in the US. If you’re building AI products targeting government procurement, the certification and watermarking requirements will become de facto standards that other states likely follow.


Anthropic’s Bumpy Week: Two Leaks in Five Days Raise Questions About Internal Security

Source: Fortune | Gizmodo

Stepping back from the individual incidents, Anthropic’s past week deserves a composite view. First, a CMS misconfiguration exposed nearly 3,000 unpublished assets including details about Claude Mythos — a frontier model that Anthropic itself warns poses unprecedented cybersecurity risks. Days later, an npm packaging error exposed 512,000 lines of Claude Code’s source, revealing internal architecture, unreleased features, and the product roadmap. Neither incident involved customer data or credentials, and both were attributed to human error rather than external attacks. But the timing is particularly awkward: Anthropic has positioned itself as the safety-first AI company, and these back-to-back exposures come precisely as the company is privately warning governments about AI cybersecurity risks from its own models. For developers building on Anthropic’s platform, neither leak affects API stability or data security — but the operational security gaps at a company that specializes in AI safety are worth noting.


📄 Papers Worth Reading

No major breakout papers today

The arXiv submissions for March 31–April 1 are dominated by domain-specific applications (medical imaging, manufacturing diagnostics, autonomous instrumentation) rather than foundational ML advances. The end-of-quarter timing likely means significant conference-deadline submissions will surface in the coming days. Recent papers worth revisiting if you missed them: the MiMo-V2-Flash reasoning model and GLM-5 multimodal architecture papers from the last two weeks remain the most relevant recent reads for practitioners. We’ll be watching for ICML 2026 and NeurIPS 2026 deadline submissions appearing on arXiv this week.


🧭 Key Takeaways

  • If you use LiteLLM, verify your installation immediately. The supply chain attack on versions 1.82.7–1.82.8 deployed a .pth file that executes on every Python process startup, not just LiteLLM imports. The versions were live for only about three hours before quarantine, and Lapsus$ claims that was enough to pull 4TB out of Mercor. Run pip show litellm in every environment, audit site-packages for unexpected .pth files, and rotate any credential a compromised host could read.

  • Claude Code v2.1.89 fixes a StructuredOutput schema cache bug that caused ~50% failure rates — if you’ve been seeing flaky structured output in agent workflows, update today. The memory leak fix for large JSON LRU cache keys also matters for long-running sessions.

  • The Claude Code source leak reveals Anthropic’s roadmap toward an always-on autonomous agent platform. KAIROS (daemon mode), ULTRAPLAN (remote planning), coordinator mode, and agent swarms are all in the codebase behind feature flags. If you’re building agent infrastructure, this is the most detailed public look at how a frontier AI company architects agentic tooling.

  • You have until April 24 to opt out of GitHub Copilot using your code for AI training. The default-on policy applies to Free, Pro, and Pro+ users. Enterprise is exempt. If you write proprietary code on Copilot, go to Settings → Copilot and disable the training toggle now — not after April 24.

  • OpenAI’s $122B round and Sora shutdown together signal a strategic contraction to core AI. The GPU capacity freed by Sora (roughly $1M/day in operating costs, with inference peaks reported far higher) combined with a record private funding round means OpenAI is going all-in on model training and API infrastructure. Expect aggressive moves on pricing and capabilities in the next two quarters.

  • The LiteLLM + Mercor + Claude Code leak trifecta makes this the worst week for AI infrastructure security in 2026. Supply chain attacks on AI dependencies, data breaches at AI companies, and accidental source exposure — all in the same week. If your organization builds with AI, this is the week to audit your dependency pinning, secrets management, and build pipeline security.


Generated on April 1, 2026 by Claude