Launch-day Mythos leak traced to compromised vendor credentials
- Anthropic is investigating reports that unauthorized users accessed Claude Mythos Preview on April 7 through a third-party vendor environment tied to contractor access.
- Anthropic said it found no evidence its own systems were affected, while Bloomberg reported the group reached Mythos the same day Project Glasswing launched.
- Mythos stays tightly gated under Project Glasswing, which Anthropic says includes 12 launch partners and 40-plus additional organizations. (anthropic.com)
Anthropic is investigating reports that unauthorized users accessed its restricted Claude Mythos Preview model through a third-party vendor environment on April 7, the day the company announced Project Glasswing. (bloomberg.com) (techcrunch.com) Anthropic spokespersons said the company was investigating “unauthorized access” through one of its vendor environments and had found no evidence that Anthropic’s own systems were affected. (techcrunch.com) (cybernews.com) Bloomberg reported that a small private online forum got into Mythos on launch day after using access tied to a third-party contractor and making an educated guess about the model’s online location. (bloomberg.com) (techcrunch.com)

Mythos is not a consumer chatbot release. Anthropic describes it as a general-purpose frontier model with unusually strong cybersecurity skills, including finding and exploiting zero-day flaws in every major operating system and web browser during internal testing. (red.anthropic.com) (anthropic.com) Anthropic said more than 99% of the vulnerabilities Mythos found were still unpatched when it published its April 7 technical write-up, which is why the company withheld most details. (red.anthropic.com)

That risk is why Anthropic launched Project Glasswing instead of a broad public release. The company said the program started with 12 launch partners, including Amazon Web Services, Apple, Google, Microsoft, JPMorganChase, and Palo Alto Networks. (anthropic.com) Anthropic also said it extended Mythos access to more than 40 additional organizations that build or maintain critical software infrastructure, and committed up to $100 million in usage credits plus $4 million in donations to open-source security groups. (anthropic.com 1) (anthropic.com 2)

The social-media claim that Anthropic created Glasswing only after the leak does not match Anthropic’s public timeline. Anthropic announced Project Glasswing and published its Mythos technical report on April 7, while reports of the unauthorized access surfaced on April 21. (anthropic.com) (red.anthropic.com) (bloomberg.com)

Claims that Indian firms were singled out for exclusion are also not established by the public record. Bloomberg, via The Economic Times, reported that Indian fintech groups including One97, Razorpay, and Pine Labs were pressing Anthropic for access after the initial limited rollout. (economictimes.indiatimes.com)

What is established is narrower and more concrete: Anthropic limited Mythos from the start because it believed the model could accelerate cyberattacks, and that containment failed at least once through a vendor-linked environment. (anthropic.com) (bloomberg.com) The result is a story less about a secret post-leak lockdown than about whether a model Anthropic says is too risky for general release can stay contained once outside parties touch it. (anthropic.com) (techcrunch.com)