Reuters: Mythos hacking fears overstated

Anthropic’s April 7 debut of Claude Mythos Preview set off warnings that a new generation of AI could speed up cyberattacks faster than companies could defend against them. Anthropic said the model had identified and exploited zero-day vulnerabilities in every major operating system and every major web browser during testing, and launched a controlled deployment called Project Glasswing for defensive cybersecurity work. Reuters reported on May 20 that those early fears now appear overstated, about a month after the model’s release. The report said available incident data and interviews with security researchers had not produced evidence of a broad hacking surge directly attributable to Mythos. ### Why did Mythos trigger so much alarm in April? (red.anthropic.com) Anthropic said on April 7 that Mythos was “strikingly capable” at computer security tasks and had found vulnerabilities across major operating systems and browsers. The company said more than 99% of the vulnerabilities it discovered had not yet been patched, which is why it withheld most technical details. Reuters reported on April 20 that experts feared the model could identify and exploit previously unknown flaws faster than companies could repair them. (money.usnews.com) That concern was especially acute for banks and other sectors that rely on complex, older software systems. ### What has actually happened since the launch? Reuters said on May 20 that the clearest fact after roughly a month is the absence of a visible wave of Mythos-linked incidents. (red.anthropic.com) The story contrasted the initial warnings with limited observed misuse and said security researchers had not found a surge they could directly connect to the model. (usnews.com) That does not mean the original capability claims were withdrawn. Anthropic’s April 7 technical post still describes Mythos as capable of finding and exploiting zero-day vulnerabilities in major software platforms when directed by a user. ### Who has access to the model? Reuters reported on April 20 that Anthropic rolled out Mythos through Project Glasswing, a controlled initiative that gave access to companies including Amazon, Microsoft, Nvidia and Apple, along with more than 40 other organizations that build or maintain critical software infrastructure. (money.usnews.com) Anthropic has described the model as unreleased and limited to defensive cybersecurity uses under that program. (red.anthropic.com) TechCrunch also reported on April 7 that the preview was being provided to a small group of partner organizations for cybersecurity work. ### Has Anthropic changed how findings can be shared? Anthropic said on May 18 that it was revising its earlier position to allow Mythos users to share cyber-threat information with others exposed to similar vulnerabilities. (usnews.com) Reuters reported that partners may disclose their involvement in Glasswing and share findings, best practices, tools or code, subject to responsible-disclosure norms. Reuters also reported that Anthropic said partners can share information with security teams at other companies, industry bodies, regulators, government agencies, open-source maintainers, the media or the public. Anthropic said the earlier confidentiality protections had been requested by partners concerned about handling sensitive findings and becoming targets themselves. (money.usnews.com) ### What should readers take from the Reuters update? Reuters’ May 20 account narrows one specific claim: that Mythos had already produced a visible, immediate jump in real-world hacking. Based on the evidence available so far, Reuters said that has not happened. The next concrete marker is likely to come from Project Glasswing disclosures. (finance.yahoo.com) Anthropic’s May 18 policy change means more findings can now move outside the program to regulators, companies, maintainers and the public, which should make the model’s real-world defensive and offensive impact easier to assess in the coming weeks. (money.usnews.com 1) (money.usnews.com 2)