Anthropic pauses model release
Anthropic reportedly kept a new, more capable model private after it found thousands of external security vulnerabilities across major operating systems and browsers, prompting an internal patching initiative. The discovery makes clear that more powerful models can surface large, real‑world attack surfaces and force vendors to treat releases as operational security events. That raises the bar for enterprise buyers who must now weigh capability against emergent vulnerability risk. (artificialintelligence-news.com)
A software vulnerability is a mistake in code that leaves a hidden weak spot, like a window latch that looks shut but still opens from the outside. On April 7, Anthropic said its new model, Claude Mythos Preview, could find and exploit those weak spots across every major operating system and every major web browser. (red.anthropic.com)
Anthropic did not put the model on the open market. It limited access to a handpicked group of technology and cybersecurity companies because it said the model’s hacking ability was too dangerous to release publicly without stronger safeguards. (axios.com)
The company says the model found thousands of high-severity zero-day vulnerabilities. A zero-day vulnerability is a bug the software maker does not know about yet, which means there is no patch waiting on the other side. (red.anthropic.com)
Anthropic says more than 99 percent of the vulnerabilities it found are still unpatched, so it is withholding technical details. Even the small slice it can discuss includes a 27-year-old bug in OpenBSD, an operating system with a long reputation for security. (red.anthropic.com)
This did not come out of nowhere. On March 6, Anthropic said an earlier model, Claude Opus 4.6, found 22 Firefox vulnerabilities in two weeks, and Mozilla rated 14 of them high severity before shipping fixes in Firefox 148.0. (anthropic.com)
A browser bug is especially dangerous because the browser is the front door to untrusted websites, ads, files, and scripts. Anthropic said hundreds of millions of people rely on Firefox daily, which is why it used browser testing as a harder measure of whether its models could uncover novel flaws. (anthropic.com)
The new step is called Project Glasswing. Anthropic says 12 launch partners, including Amazon Web Services, Apple, Google, Microsoft, NVIDIA, Cisco, and Palo Alto Networks, will use Mythos Preview for defensive security work instead of public experimentation. (anthropic.com)
Anthropic also says it is giving up to $100 million in usage credits to more than 40 additional organizations that build or maintain critical software infrastructure. The point is to let the defenders search for cracks before criminals or state-backed hackers do. (infosecurity-magazine.com)
This is a different kind of model release. Instead of shipping a chatbot and watching people find uses for it, Anthropic is treating deployment like a coordinated vulnerability disclosure process, where bugs are triaged, validated by human reviewers, and reported to maintainers before details spread. (red.anthropic.com)
Anthropic says Mythos can also reverse-engineer exploits for closed-source software and turn known-but-unpatched bugs into working attacks. That means the old buffer between “someone found a bug” and “someone can weaponize it” is getting shorter. (red.anthropic.com)
For companies buying artificial intelligence tools, the question is no longer just whether a model writes better code or answers faster. The question is whether a more capable model also changes your security exposure the day you connect it to real systems, real codebases, and real browsers. (cnbc.com)