Mythos possible breach probed
- Anthropic is investigating reports that its restricted Mythos preview model may have been accessed without authorization.
- Reporting says an unknown group may have been using Mythos since April 7, prompting internal probes and public attention.
- The incident ties into concerns about limited releases and contractor credential controls at AI firms.
Anthropic is investigating whether outsiders got into its restricted Mythos preview model through a contractor-linked environment. (cbsnews.com)

CBS News reported Anthropic confirmed the probe on Wednesday, April 22, after Bloomberg said a small group of unauthorized users had obtained access to the tool. Anthropic said it had not found breaches beyond the vendor environment or compromises to Anthropic’s own systems. (cbsnews.com)

Gizmodo reported the group had been using Claude Mythos since April 7, the same day Anthropic published its Mythos system card and announced Project Glasswing. The report said the access path involved information from a Mercor breach, GitHub reconnaissance, and credentials tied to an Anthropic contractor. (gizmodo.com, anthropic.com, anthropic.com)

Mythos is a large language model built to read code, spot software flaws, and in some cases help exploit them, much like an automated security researcher working at machine speed. Anthropic’s system card says the company chose not to make Mythos generally available because of a sharp jump in capability over its earlier frontier model, Claude Opus 4.6. (anthropic.com)

Instead, Anthropic said it released Mythos through a limited research access program and Project Glasswing, with launch partners including Amazon Web Services, Apple, Google, JPMorganChase, Microsoft, and NVIDIA, plus more than 40 other organizations that maintain critical software infrastructure. (anthropic.com, gizmodo.com)

That narrow rollout put unusual weight on access controls outside Anthropic’s own walls. Anthropic said it works with a small number of third-party vendors to develop its models, and the current investigation centers on one of those vendor environments. (cbsnews.com)

The security concerns around Mythos were already drawing official attention before the access report surfaced. CBS News reported on April 10 that Federal Reserve Chair Jerome Powell, Treasury Secretary Scott Bessent, and major bank leaders discussed cyber risks tied to the model in a closed-door meeting. (cbsnews.com)

Anthropic’s own risk materials describe Mythos as first deployed internally and then shared with a small set of external users, with sections devoted to model-weight security, sandboxing, and “self-exfiltration and autonomous operation.” Those documents show the company had already framed unauthorized propagation as a concrete risk category before this investigation. (anthropic.com, anthropic.com)

For now, Anthropic says the probe is still underway and has not reported a compromise of its core systems. The next test is whether the company can show the access was contained to a contractor channel and cut off the users who reached Mythos without authorization. (cbsnews.com)