Anthropic's Mythos exposed thousands of bugs
An unreleased Anthropic model called 'Claude Mythos' reportedly discovered thousands of zero‑day vulnerabilities across operating systems and browsers, prompting an industry patching effort. That discovery triggered 'Project Glasswing' — a coalition of Apple, Google, Microsoft and others applying significant compute to patch critical software, with sources saying roughly $100M of compute was used. (x.com)
Software is full of tiny mistakes, and a single one can act like a hidden spare key for an attacker. Anthropic said an unreleased model called Claude Mythos Preview found thousands of previously unknown security flaws, including flaws in every major operating system and every major web browser. (anthropic.com) A previously unknown security flaw is called a zero-day because the developer has had zero days to fix it once someone else finds it. Anthropic said many of the flaws Mythos found were high severity, which means they could let attackers hijack systems, steal data, or disrupt services. (anthropic.com)
The surprise is that Mythos was not built as a hacker-only tool. TechCrunch reported that Anthropic described it as a general-purpose frontier model with unusually strong coding and reasoning skills, and those skills turned out to be good at finding exploitable bugs in real software. (techcrunch.com)
That changes the old balance in cybersecurity. Anthropic said the model can surpass all but the most skilled humans at finding and exploiting software vulnerabilities, which means bug hunting starts to look less like a boutique craft and more like an industrial process. (anthropic.com)
The software in question is not obscure lab code. Anthropic said the bugs showed up in operating systems, browsers, and other widely used software that underpins banking systems, medical records, logistics networks, and power grids. (anthropic.com)
Instead of releasing the model widely, Anthropic built a closed repair shop around it. On April 7, 2026, it announced Project Glasswing with Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. (anthropic.com)
Those companies are not there for branding. Anthropic said the partners will use Mythos Preview for defensive security work, and more than 40 additional organizations that build or maintain critical software infrastructure are also getting access to scan both their own code and open-source code. (anthropic.com; techcrunch.com)
The scale is unusually large even by big-tech standards. Anthropic said it is committing up to $100 million in Mythos Preview usage credits and another $4 million in direct donations to open-source security organizations, which turns bug fixing into a compute-heavy coordination project instead of a normal vendor patch cycle. (anthropic.com)
Anthropic’s argument is that this is an early warning, not a victory lap. Its post says frontier artificial intelligence capabilities are likely to advance substantially over the next few months, while defending the world’s cyber infrastructure could take years. (anthropic.com)
That is why Mythos is news even though almost nobody can use it. The story is not just that one model found a lot of bugs; it is that one company decided the safer move was to keep a powerful model off the public market and spend nine figures helping the rest of the industry patch software before similar capabilities spread. (anthropic.com; techcrunch.com)