Anthropic's Second Leak in a Week, Sora Shuts Down, Shopify Goes Agentic

April 2, 2026

Executive Summary

Anthropic had a difficult week on the operational side. On March 31, the company accidentally shipped 512,000 lines of Claude Code's proprietary TypeScript source via a misconfigured npm package, the second major accidental exposure in under two weeks after the Claude Mythos CMS leak on March 26. By April 2, Congressman Josh Gottheimer had written formally to Anthropic citing national security concerns. OpenAI continued its product consolidation: Sora was officially discontinued on March 24, ending a $1 billion Disney partnership that collapsed less than an hour after the public announcement. Google moved into the gap on March 31 with Veo 3.1 Lite, cutting video generation API costs by more than half. Shopify activated Agentic Storefronts across ChatGPT, Gemini, and Microsoft Copilot on March 24, putting 5.6 million merchant catalogs inside AI conversations for the first time.

Top Stories

1. Anthropic Leaks Claude Code Source Code via npm Packaging Error

On March 31, version 2.1.88 of the @anthropic-ai/claude-code npm package was published with a 59.8 MB JavaScript source map file that should never have been included. The source map pointed directly to a publicly accessible zip archive on Anthropic's own Cloudflare R2 storage bucket, containing the full TypeScript source of Claude Code: 1,906 files, 512,000 lines. The root cause was a known bug in the Bun runtime (filed March 11) that causes source maps to be included in production builds despite documentation saying they should not be. That bug had been open for 20 days before this release shipped.
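A publish-time check for the failure described above, as an added example (not Anthropic's, Bun's or npm's code): it flags source map files, embedded `sourcesContent`, and remote references among the files headed for a package tarball. The file set is a constructed sample, and modelling the archive link as a remote URL in `sources` is an assumption, since the page does not say how the map referenced it.

```javascript
// Added example: pre-publish audit of a { path: content } file set (sample is constructed).
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/g;
const isRemote = (s) => /^https?:\/\//i.test(s);

function inspectMap(path, content) {
  const out = [{ path, issue: 'source-map-file' }];
  let map;
  try { map = JSON.parse(content); } catch (err) {
    return out.concat({ path, issue: 'unparseable-source-map' });
  }
  // Source map v3: sourcesContent carries the original files verbatim.
  const embedded = (map.sourcesContent || []).filter((s) => typeof s === 'string');
  if (embedded.length > 0) {
    out.push({ path, issue: 'embedded-original-sources', detail: embedded.length });
  }
  for (const src of (map.sources || []).filter(isRemote)) {
    out.push({ path, issue: 'remote-source-reference', detail: src });
  }
  return out;
}

function auditPackageFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith('.map')) {
      findings.push(...inspectMap(path, content));
    } else if (/\.[cm]?js$/.test(path)) {
      // Bundles can still point at a map even when the map file itself is absent.
      for (const m of content.matchAll(MAP_COMMENT)) {
        const target = m[1].replace(/\*\/$/, '');
        const issue = target.startsWith('data:') ? 'inline-source-map'
          : isRemote(target) ? 'remote-source-map-url' : 'source-map-reference';
        findings.push({ path, issue, detail: target });
      }
    }
  }
  return findings;
}

const SAMPLE_FILES = { // constructed sample, not the real package contents
  'package.json': '{"name":"example-cli","version":"0.0.0"}',
  'cli.js': 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': JSON.stringify({
    version: 3, file: 'cli.js', mappings: 'AAAA',
    sources: ['../src/main.ts', 'https://storage.example.invalid/src.zip'],
    sourcesContent: ['export const answer = 42;', null],
  }),
  'vendor.js': '/*# sourceMappingURL=https://cdn.example.invalid/v.js.map */',
};
console.log(auditPackageFiles(SAMPLE_FILES));
```

In a release pipeline the input would be built from the file list that `npm pack --dry-run` reports, with the job failing on any finding.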

Within hours, the codebase was mirrored across GitHub and analyzed by thousands of developers worldwide. Anthropic issued DMCA takedown requests targeting copies on GitHub but inadvertently swept up thousands of unrelated repositories in the process. The company later reversed the overbroad takedowns, calling them an accident as well.

Anthropic confirmed no customer data or credentials were exposed. On April 2, Congressman Gottheimer sent a formal letter to Anthropic expressing concern about two major operational failures in a single week and citing national security implications, given Claude's use in defense and intelligence contexts.

The incident follows the Mythos CMS leak on March 26, meaning Anthropic exposed two separate categories of sensitive information within five days.

Business Impact: For teams building on the Claude API or using Claude Code in production, the operational security incidents raise questions that will need answers before the Mythos launch. Neither incident involved customer data, but the pattern of accidental exposure is a credibility problem for a company whose brand is built on safety. Legal teams at enterprises with data processing agreements referencing Anthropic should review their contract terms for operational security requirements.

2. OpenAI Kills Sora, Disney's $1 Billion Partnership Dies With It

OpenAI announced the discontinuation of Sora on March 24, with the app and web experience shutting down April 26 and the API remaining available until September 24. The decision followed a sustained collapse in usage: global active users peaked at roughly one million and fell below 500,000, while compute costs ran at approximately $1 million per day. The economics made the product financially unsustainable.

Disney had committed to a $1 billion investment in OpenAI, with Sora as a central part of the partnership's creative use case. Disney learned of the shutdown less than an hour before the public announcement. The partnership collapsed, and Disney released a formal statement saying it respected OpenAI's decision to exit video generation. The handling of the notice period has reportedly damaged the relationship significantly.

OpenAI's product consolidation is broader than Sora. The company has discontinued several non-core products in March 2026 as it prepares for its IPO, concentrating resources on ChatGPT, the API, and agentic infrastructure.

Business Impact: The Sora shutdown is a useful data point for enterprise teams evaluating AI media generation products. Consumer-facing AI video at scale is not yet economically viable without either massive usage volume or enterprise pricing that reflects true compute costs. Teams that have built workflows around Sora's API have until September 24 to migrate. Google's Veo, Runway, and Kling are the primary alternatives.

3. Google Launches Veo 3.1 Lite as Sora Exit Creates Opportunity

Google launched Veo 3.1 Lite on March 31, timed directly against the void left by Sora's shutdown. The model is priced at half the cost of Veo 3.1 Fast: 5 cents per second at 720p and 8 cents per second at 1080p for paid Google AI Studio users. It supports text-to-video and image-to-video generation in landscape (16:9) and portrait (9:16) formats at durations of 4, 6, or 8 seconds, with cost adjusting per second. The model is available immediately via the Gemini API and Google AI Studio.

Google's blog post explicitly stated the company's "commitment to video generation" in a week when its primary competitor exited the space entirely. Veo 3.1 Lite follows the pattern Google established with the Gemini Flash line: a cost-reduced variant of an existing model designed for high-volume API use cases where quality can be slightly lower than the flagship.

Business Impact: For developers and teams building video generation into their products, Veo 3.1 Lite offers a clear path to move away from Sora before the April 26 shutdown. The cost structure is predictable and the API is the same Gemini API most teams are already using. Teams generating large volumes of short-form videos, product demos, social content, or training data should evaluate Veo 3.1 Lite before committing to a migration path from Sora to alternative services.

4. Shopify Agentic Storefronts Go Live Across ChatGPT, Gemini, and Copilot

Shopify activated Agentic Storefronts for all eligible merchants on March 24, making products from 5.6 million Shopify stores discoverable inside ChatGPT, Microsoft Copilot, Google AI Mode, and the Gemini app through a single opt-out rollout. Merchants do not need to configure each AI channel separately. Product data, pricing, and inventory sync from the Shopify Admin and are processed by specialized LLMs that standardize catalog data for AI-native retrieval. Customers browse inside the AI interface and complete purchases on the merchant's storefront via an in-app browser or new tab.

Pricing varies by channel. OpenAI charges a 4% Agentic Storefronts fee on completed ChatGPT sales after a 30-day trial period, stacking on top of Shopify's standard payment processing fees. Google and Microsoft charge no additional fee. Shopify also launched an Agentic Plan for brands not using Shopify as their primary commerce platform, allowing them to list products in the Shopify Catalog to appear in the same AI channels.

Business Impact: The opt-out rollout is meaningful: most of the 5.6 million eligible Shopify merchants are already inside these AI commerce channels whether they planned for it or not. For e-commerce teams, the immediate priority is verifying that product catalog data, pricing, and inventory are accurate in the Shopify Admin, since those details are feeding AI-driven product recommendations without additional curation. OpenAI's 4% fee is a new cost line to account for in per-channel margin analysis.

5. White House Releases National AI Policy Framework, Pushes to Preempt State Laws

The White House released its National Policy Framework for Artificial Intelligence on March 20, outlining legislative recommendations for Congress to create a unified federal standard. The framework's most consequential proposal is federal preemption of state AI laws that the administration considers "unduly burdensome," aiming for a single national standard in place of the current patchwork of state-level requirements across California, Colorado, Texas, New York, and others.

Additional provisions cover child safety and anti-deepfake rules, AI data center energy permitting, intellectual property protections for AI-generated content, and prohibitions on using AI to suppress lawful political speech. The framework does not carry the force of law on its own; it is a set of legislative recommendations that Congress must act on to take effect. State laws remain fully in force until Congress passes legislation.

The administration wants a bill signed this year, though legal experts broadly consider full legislative preemption of state AI laws a difficult political path given divided interests in Congress.

Business Impact: Until Congress acts, the compliance picture is unchanged: companies developing or deploying AI must still navigate California AB 1008, Colorado SB 205, and other state-level requirements. However, the framework signals that federal standardization is a stated policy goal and will shape congressional drafts over the next 12 to 18 months. Legal and compliance teams should begin scenario planning for a federal-first compliance regime, particularly if they operate across multiple state jurisdictions.

Quick Bytes

  • Congress presses Anthropic. Congressman Josh Gottheimer sent a formal letter to Anthropic on April 2 demanding answers on two source code leaks in a week, citing Claude's role in national security operations and expressing concern about adversarial model distillation by state-backed actors.
  • Google integrates Veo into Google Ads. On March 30, Google announced Veo integration into Google Ads Asset Studio, allowing advertisers to auto-generate approximately 10-second video ads from three photos. Targeted at YouTube and Demand Gen campaigns.
  • Sora alternatives gaining traction. Following the Sora shutdown announcement, Runway and Kling reported significant increases in new developer sign-ups. Neither company disclosed exact numbers but the trend appeared across multiple industry reports in the final week of March.

Industry Impact Analysis

Anthropic's two back-to-back operational failures, the Mythos CMS leak on March 26 and the Claude Code npm packaging error on March 31, are creating a credibility problem at an awkward time. Claude Mythos is Anthropic's most significant upcoming product, and the company needs enterprise trust to bring it to market successfully. Neither incident involved customer data breaches, but both happened in the same week and both involved human error in routine operational processes. Congressional scrutiny adds another layer of pressure the company did not need heading into a major launch.

The Sora shutdown and Veo 3.1 Lite launch tell a clear story about where AI video generation stands economically. Consumer video generation at scale is not yet viable without subsidized pricing or very high usage volume. Google's decision to launch a cheaper Veo variant the same week Sora died suggests Google sees a real opportunity to own the developer video generation market while OpenAI consolidates around ChatGPT and its API ecosystem.

Shopify's Agentic Storefronts rollout is the story with the most direct near-term business impact for e-commerce teams. The opt-out default means companies are already in the system. Getting that right (accurate catalog data, clean product descriptions, correct pricing) is more urgent than deciding whether to participate at all.

About Azumo

Azumo builds and scales AI-powered software for product teams that need to move fast without cutting corners on quality or security. The team specializes in custom AI agents, enterprise integrations, and production ML systems, with senior LATAM-based engineers who are time-zone aligned with US teams.

If your team is navigating Sora migration, building on agentic commerce APIs, or evaluating how the Claude Code ecosystem fits into your development workflow, Azumo's AI practice covers the full stack from architecture to deployment.

This newsletter is curated by Azumo's AI Intelligence Scanner to help engineering leaders and product teams stay current on AI developments that affect architecture, tooling, and strategy decisions.
