Mythos raises red flags
Officials are alarmed that Anthropic’s new model, Mythos, can find and exploit hidden software flaws — a capability that shifts AI risk from sloppy answers to active cyber‑vulnerability hunting. The concern was flagged publicly this week as a signal that the AI arms race is moving into offensive capabilities rather than just misinformation or hallucinations (x.com).
A software bug is a mistake in code. A security vulnerability is the smaller, nastier kind of bug that can act like a hidden spare key for whoever finds it first. (anthropic.com)

Anthropic says its new model, Claude Mythos Preview, is good enough at finding those spare keys that it is not releasing the system to the public at all. On April 7, 2026, the company said it would keep Mythos inside a restricted program called Project Glasswing instead. (anthropic.com) (bloomberg.com)

The reason officials reacted so fast is that Anthropic is not talking about chat errors or bad summaries. It says Mythos can both find and exploit vulnerabilities in every major operating system and every major web browser when a user points it at the task. (bloomberg.com) (anthropic.com)

One phrase in this story matters more than any other: zero-day vulnerability. That means a flaw the software maker did not know about yet, so the defender has zero days of warning before an attacker can start using it. (bloomberg.com)

Anthropic says Mythos has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. The company also says some of those flaws survived decades of human review and millions of automated security tests before the model found them. (anthropic.com) (bloomberg.com)

That changes the shape of the risk. A model that writes bad history homework is annoying, but a model that can chain together four browser flaws into one working break-in is closer to an automated lockpick set. (bloomberg.com)

Washington treated it that way this week. Bloomberg reported that Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell called Wall Street leaders to an April 7 meeting in Washington to warn that tools like Mythos could open a new phase in cybersecurity risk. (bloomberg.com)

The banks were in the room because modern finance runs on software the way a city runs on roads. If attackers can find hidden cracks faster than defenders can patch them, payment systems, trading systems, and customer data all sit on shakier ground. (anthropic.com) (bloomberg.com)

Anthropic’s answer is to give defenders a head start. Project Glasswing launched with Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, and Anthropic says it has also extended access to more than 40 additional organizations that maintain critical software. (anthropic.com)

Anthropic is putting up to $100 million in usage credits behind that effort, plus $4 million in direct donations to open-source security groups. The bet is that a closed rollout can help patch the digital plumbing before similar capabilities spread to criminals or hostile states. (anthropic.com)

There is one big caveat. Researchers quoted by Bloomberg said they have not had enough independent access to verify Anthropic’s claims yet, so the company’s numbers are driving the story for now. (bloomberg.com)

Even with that caveat, the line has moved. The public argument about artificial intelligence used to center on wrong answers; this week’s argument is about whether the best models can become tireless vulnerability hunters before the world’s software is ready. (bloomberg.com) (anthropic.com)