Anthropic's vulnerability-finding AI model, Mythos, was briefly accessible outside of its intended limited release program, Project Glasswing, due to a security lapse. While initially feared for potential misuse by criminals, early analysis suggests the risk may be overstated. Unauthorized access was gained through educated guesses about the model's location, highlighting insider and supply chain security concerns.
Anthropic 's Mythos model is purportedly so good at finding vulnerabilities that the Claude-maker is afraid to make it available to the general public for fear that criminals will take advantage.
But early analysis shows that Mythos may not be as dangerous as some would have you believe.to a select but ever-growing number of organizations under the title of Project Glasswing so they could find and fix vulnerabilities in their environment before criminals got hold of the purported zero-day machine and caused mayhem.that some non-Glasswing partners may have accessed the model - but not through Anthropic's production API.
"We're investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments," the spokesperson told us. The AI biz declined to name the third-party vendor, but said that it's a company Anthropic works with on model development. There's no evidence that unauthorized activity extended beyond the third-party vendor's environment or that Anthropic systems are affected, we're told.
, said that"a handful" of people gained access to Mythos by making"an educated guess about the model's online location" based on Anthropic's previous models, and that these details were revealed in the recentThis group of unauthorized users reportedly belongs to a private Discord channel and gained access to Mythos on the same day that Anthropic announced Project Glasswing. Since then, it's been"playing around" with the bug-hunting machine, and doesn't have any interest in using the model for evil, according to Bloomberg.
Claude Code source leak ), especially when the folks who want to kick the tires on the new model are cybersecurity and engineering types - and they didn't even need to hack into any network or database to do it. Insider and supply-chain threats are the real deal..
"It just required a contractor, a URL pattern, and a day-one guess, which means the 'controlled release' model failed at its weakest link before the model's capabilities were ever the issue. " Additionally, considering all the hype Anthropic spun around its new model, we shouldn't be surprised the genie is out of the lamp.
Anthropic's marketing message for Mythos was effectively a challenge, not dissimilar to a capture-the-flag exercise "Anthropic's marketing message for Mythos was effectively a challenge, not dissimilar to a capture-the-flag exercise, where success includes claims of unauthorized access to Mythos," Tim Mackey, head of risk strategy at supply chain security shop Black Duck, toldand Mozilla indicate that while the model is very good and very fast at finding vulnerabilities, and requires less hands-on guidance from security engineers - making it a welcome time-saver for the human teams - it has yet to eclipse human security researchers.
"So far we've found no category or complexity of vulnerability that humans can find that this model can't," Mozilla CTO Bobby Holleyhave been found by an elite human researcher. " In other words, it's like adding an automated security researcher to your team. Not a zero-day machine that's too dangerous for the world. Anthropic, in announcing the new model, claimed Mythos identified"thousands of additional high- and critical-severity vulnerabilities.
" VulnCheck researcher Patrick Garrity, however,Another engineer, Devansh, scoured the Mythos-related CVE advisories and Anthropic's exploit code, 44-prompt transcript, and 244-page system card, along with Glasswing partner agreements, red-team writeups. He also looked at Aisle's replication study, which tested Mythos' showcase vulnerabilities on small, cheap, open-weights models and found they produced much of the same analysis.
Additionally, the"'thousands of severe vulnerabilities' extrapolates from 198 manually reviewed reports. The Linux kernel bug was found by Opus 4.6, the public model, not Mythos," Devansh said.at all. With no CVE list, no CVSS distribution, no severity bucket, no disclosure timeline, no vendor-confirmed-novel table, no false-positive rate.
" Ottenheimer likens it to"the ending of the Wizard of Oz, a sorry disappointment about a model weaponizing two bugs that a different model found, in software the vendor had already patched, in a test environment with the browser sandbox and defense-in-depth mitigations stripped out. ","attackers didn't need Mythos to accelerate vulnerability research, 4.6 and open source models have already been accelerating the vulnerability process.
" When asked if the security community should be concerned about unauthorized Mythos access, Antani said no."In my honest opinion, it's a nothingburger," he told us. "The adversary doesn't need Mythos to hack you. " ®How JumpCloud unifies IT management to tame shadow AI25
Anthropic Mythos AI Security Vulnerability Research Project Glasswing
United States Latest News, United States Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
Mozilla Leverages Anthropic AI to Transform Vulnerability DiscoveryMozilla's testing of the Mythos AI model has uncovered 22 bugs in Firefox, marking a major turning point for software security and defensive automation.
Read more »
Aldi garden gadget is £45 cheaper than similar Argos modelThe budget supermarket's gadget costs just £34.99 – significantly less than a similar Argos model – making it perfect for spring patio and garden cleaning
Read more »
Anthropic Briefly Removes Claude Code from Pro Plan, Calls it a TestAnthropic temporarily removed Claude Code from its Pro subscription plan for a small percentage of new users, causing confusion. The company clarified it was a test and existing subscribers are unaffected, citing evolving usage patterns and the introduction of the Max plan.
Read more »
Claude Mythos a 'warning shot' about AI risks, says top cybersecurity chiefMr Horne said AI did not yet constitute a national security threat in his view because the new models were 'not finding new attacks, they're just exposing more security vulnerabilities'.
Read more »
Anthropic's super-scary bug hunting model Mythos is shaping up to be a nothingburger: And that unauthorized access? 'A nothing burger,' hacking startup CEO tells El Reg
Read more »
Anthropic admits it dumbed down Claude when trying to make it smarter: System changes and bugs overlapped to create the impression of general decline
Read more »