
Lapsus$, Claude Code, and the European Commission: Every Major Breach From April 1, 2026

Sara Voss
Security & Privacy  ·  April 1, 2026

Five separate security incidents landed on April 1, 2026 — and none of them were jokes. Lapsus$ executed a supply chain attack on LiteLLM, ShinyHunters exfiltrated 350GB from the European Commission, Anthropic confirmed a source code leak, Apple shipped an emergency patch, and Hasbro filed an SEC 8-K breach disclosure. The pattern is clear: no sector, no organisation, no codebase is off the table.

Anthropic Claude Code: 1,900 Files, 512,000 Lines Exposed


Anthropic confirmed that a release packaging misconfiguration exposed the source tree for Claude Code — 1,900 files and 512,000 lines of internal production tooling. The company characterised it as a build pipeline error rather than an intrusion, noting no model weights or customer data were accessed.

From a security standpoint, the distinction matters less than the exposure. 512,000 lines of production code for a frontier AI system hands adversaries a detailed map of prompt handling, toolchain architecture, and internal scaffolding. Even without weights, that intelligence is valuable. See KrebsOnSecurity’s analysis of the Claude Code leak.

The Pattern Is Clear
Build Pipelines Are the New Attack Surface

Supply chain and build pipeline security failures — from SolarWinds to XZ Utils to this Claude Code leak — are now a recurring pattern. The code that ships is only as secure as the infrastructure that builds and packages it. Anthropic’s error is a reminder: internal tooling needs the same security scrutiny as externally facing systems.

Lapsus$ Hits Mercor and LiteLLM Supply Chain

The notorious Lapsus$ hacking collective executed a supply chain attack targeting Mercor (an AI hiring platform) and LiteLLM (an open-source LLM proxy library). The attackers exfiltrated Slack workspace data and AI contractor interview videos — sensitive material that could expose client companies, candidate identities, and internal AI evaluation processes.

LiteLLM is widely used across the AI developer ecosystem as a unified interface to multiple LLM APIs. A supply chain compromise at LiteLLM is not an isolated incident; it is a vector into every organisation that depends on it. Lapsus$ has historically used social engineering and SIM swapping rather than purely technical exploits, suggesting insider access or credential theft may have played a role. See The Record’s reporting on the LiteLLM supply chain attack.

European Commission: 350GB Stolen by ShinyHunters


The ShinyHunters threat actor group claimed responsibility for exfiltrating 350GB of data from the European Commission. ShinyHunters is a prolific data theft group known for large-scale breaches — past targets include Ticketmaster, Santander, and AT&T. A 350GB EC breach, if confirmed, would represent one of the most significant incursions into EU institutional infrastructure on record.

The European Commission had not issued an official statement confirming the breach at time of publication. ShinyHunters has a history of publicising breaches before organisations acknowledge them, often using the disclosure as leverage. See BleepingComputer’s coverage of the ShinyHunters EC claim.

The Pattern Is Clear
No Institution Is Too Large or Too Regulated

The European Commission governs GDPR enforcement — the world’s most consequential data protection regulation. If ShinyHunters’ 350GB claim holds up, it will be the most ironic breach in regulatory history. Large institutions are not more secure; they are larger attack surfaces with more complex, harder-to-monitor systems.

QualDerm Partners: 3.1 Million Patient Records Exposed


QualDerm Partners, a dermatology practice management company, disclosed a breach exposing 3.1 million patient records. The exposed data includes protected health information (PHI) — names, dates of birth, Social Security numbers, insurance details, and medical records. This is a HIPAA-covered breach requiring formal notification to affected individuals and HHS. Additionally, Hasbro filed an SEC 8-K breach disclosure, joining the growing list of public companies required to report material cybersecurity incidents under the SEC’s 2023 cyber disclosure rules.

Apple Emergency Patch: iOS 18.7.7 for DarkSword Exploit

Apple released iOS 18.7.7 as an emergency out-of-band patch targeting the DarkSword exploit — a zero-click vulnerability being actively exploited in the wild. DarkSword reportedly allows remote code execution without user interaction, placing it in the highest severity tier. Apple’s rapid response — an emergency patch outside its normal release schedule — indicates intelligence suggesting active use by sophisticated threat actors, potentially state-sponsored. Update immediately.

April 1, 2026 — Breach Summary

| Target | Actor | Impact | Status |
|---|---|---|---|
| Anthropic Claude Code | Packaging Error | 512K lines exposed | Confirmed |
| Mercor / LiteLLM | Lapsus$ | Slack data + contractor videos | Confirmed |
| European Commission | ShinyHunters | 350GB stolen | Claimed |
| QualDerm Partners | Unknown | 3.1M patient records | Disclosed |
| iOS DarkSword | Active exploitation | Zero-click RCE | Patched iOS 18.7.7 |

Frequently Asked Questions

Should I update to iOS 18.7.7 immediately?

Yes. The DarkSword exploit is a zero-click vulnerability under active exploitation, meaning no user interaction is required for an attacker to execute code on your device. Apply the iOS 18.7.7 update immediately via Settings → General → Software Update.

What is a supply chain attack?

A supply chain attack targets the software, libraries, or services that an organisation depends on — rather than the organisation directly. By compromising a widely-used dependency like LiteLLM, attackers can propagate malicious code or exfiltrate data from every downstream user of that dependency.

Are QualDerm Partners patients at risk?

Yes. 3.1 million patient records including PHI, SSNs, and medical data were exposed. QualDerm Partners is required by HIPAA to notify affected individuals. Affected patients should monitor credit reports and consider identity protection services.

Is Lapsus$ a state-sponsored group?

No. Lapsus$ is believed to be a financially motivated cybercriminal collective with members predominantly in their teens and early twenties. Past members have been arrested in the UK and Brazil. Their methods rely heavily on social engineering, SIM swapping, and insider access rather than sophisticated zero-days.

What is Hasbro’s SEC 8-K breach filing?

Under SEC rules effective since 2023, publicly traded companies must disclose material cybersecurity incidents within four business days via an 8-K filing. Hasbro’s 8-K indicates the company determined its breach met the materiality threshold — suggesting significant operational, financial, or reputational impact.


Sara Voss
https://networkcraft.net/author/sara-voss/
Investigative Tech Reporter at Networkcraft. The most important security story is usually the one nobody's covering yet. Specialises in cybersecurity, digital privacy, data breaches, and the policy decisions that shape how technology affects civil liberties.