Anthropic Mythos finds 271 bugs
- Anthropic's Claude Mythos reportedly uncovered 271 zero-day vulnerabilities in Firefox, prompting a large patch cycle.
- The finding is described as the biggest batch of fixes in Firefox history tied to AI-driven scanning.
- Separate reports note concerns about unauthorized access and bypassing model restrictions, sparking debate on model governance and control.

A zero-day is a software flaw the vendor does not know about yet; Mozilla said Firefox 150, released this week, fixes 271 of them after testing an early Claude Mythos Preview model. (blog.mozilla.org)

Mozilla said it had been working with Anthropic since February 2026, after an earlier scan with Claude Opus 4.6 led to fixes for 22 security-sensitive Firefox bugs in version 148. Anthropic said 14 of those 22 were rated high severity. (blog.mozilla.org) (anthropic.com)

The 271-fix batch came from an “initial evaluation” of Mythos Preview, according to Mozilla’s April 21 post. Anthropic launched the model publicly on April 7 and said it had started “Project Glasswing” to use the system on critical software. (blog.mozilla.org) (red.anthropic.com)

Browsers are hard security targets because they process untrusted web content all day, and an attacker often needs one bug to corrupt memory and another to break out of a sandbox. Mozilla said Firefox still contains decades of C++ alongside newer Rust code, and that fuzzing and other automated testing had been its main machine-aided defenses until recently. (blog.mozilla.org)

Anthropic said Mythos Preview can identify and exploit previously unknown flaws in “every major operating system and every major web browser” when directed to do so. The company also said more than 99% of the vulnerabilities it found across testing had not yet been patched, so it withheld technical details. (red.anthropic.com)

Mozilla framed the Firefox result as a shift in workload, not just a larger bug bounty. Its engineers said they had to “reprioritize everything else” and work “around the clock” to validate findings and ship fixes to users. (blog.mozilla.org)

Anthropic has paired the security push with a separate risk case for Mythos Preview. In an April 7 alignment report, the company discussed threats including “self-exfiltration and autonomous operation,” model weight security, and blocking systems meant to stop harmful behavior. (anthropic.com)

Anthropic has also said attackers are already trying to route around safeguards on Claude. In threat reports published in 2025, the company said it was tracking misuse attempts and updating controls as criminal groups probed its models’ limits. (anthropic.com 1) (anthropic.com 2)

For Firefox users, the immediate change is simpler: update the browser. For software vendors, Mozilla’s post says the new problem is handling hundreds of credible machine-generated bug reports before someone else points similar models at the same code. (blog.mozilla.org)