Anthropic’s Mythos flagged Firefox bugs

- Anthropic’s security model Mythos reportedly uncovered 271 vulnerabilities in Firefox 150 during an internal evaluation. (thenextweb.com)
- Multiple outlets covered the finding and noted Anthropic is investigating claims of rogue access to Mythos that could enable hacking. (eweek.com)
- The story prompted debate about model governance and access control for powerful cybersecurity-capable models. (theguardian.com)

A security bug is a flaw that lets software do something its makers did not intend, and Mozilla said Anthropic’s Mythos model helped find 271 of them before Firefox 150 shipped on April 21. (mozilla.org)

Mozilla said those 271 fixes were included in Firefox 150 after it tested an early version of Claude Mythos Preview on the browser’s code. Mozilla’s April 21 security advisory lists dozens of cases credited to researchers “using Claude from Anthropic.” (mozilla.org, mozilla.org)

Some of the patched flaws were memory-safety bugs, a class of error that can let attackers crash software or run code by pushing it into handling data the wrong way. Mozilla rated multiple Firefox 150 issues “high” impact in that advisory. (mozilla.org)

Anthropic launched Mythos Preview this month through Project Glasswing, a restricted program for companies and infrastructure groups including Amazon Web Services, Apple, Cisco, Google, JPMorganChase, Microsoft, Nvidia, and the Linux Foundation. Anthropic said the goal was to give defenders a head start securing critical software. (anthropic.com, anthropic.com)

Anthropic also said it does not plan to make Mythos Preview generally available, and its technical write-up says the model can identify and exploit zero-day vulnerabilities in major operating systems and web browsers when directed by a user. A zero-day is a bug attackers can use before a patch is available. (anthropic.com, anthropic.com)

That restricted rollout came under pressure this week after Anthropic said it was investigating a report of unauthorized access through a third-party vendor environment. CBS News reported April 22 that Anthropic said it had found no evidence of compromise to its own systems outside that vendor environment. (cbsnews.com)

TechCrunch, citing Bloomberg’s reporting, said a small online group gained access on the same day Mythos was announced and had been using the tool since then. Anthropic told TechCrunch it was investigating and said the activity had not affected Anthropic systems. (techcrunch.com)

The episode has turned a browser patch story into a test of model access controls. Mozilla’s post argued that defenders are getting stronger tools, while Anthropic’s Glasswing rollout and vendor-access investigation show how much of the risk now sits in who can reach those tools first. (mozilla.org, anthropic.com, cbsnews.com)
