Claude Mythos: access and bugs

A restricted Anthropic AI, Claude Mythos, was reportedly accessed by unauthorized users in April 2026 even as it helped Mozilla patch 271 Firefox vulnerabilities. (bloomberg.com) Bloomberg and TechCrunch reported on April 21–22, 2026 that a “small group” gained access to Mythos through a third‑party vendor portal and a private online forum, citing documents and people familiar with the matter. (techcrunch.com) Anthropic said it is investigating the claim and told reporters on April 22 that there is no evidence its internal systems were impacted beyond the vendor environment it referenced. (engadget.com) On April 21, 2026 Mozilla published a blog post saying an early Claude Mythos Preview run helped its Firefox team identify 271 issues that were fixed in the Firefox 150 release. (blog.mozilla.org) Mozilla’s official security advisory for Firefox 150 (MFSA 2026-30) lists 41 CVE entries, and it explicitly credits Anthropic‑assisted reports for three CVEs: CVE‑2026‑6746, CVE‑2026‑6757, and CVE‑2026‑6758. (mozilla.org) Anthropic announced Project Glasswing on April 7, 2026 and said Mythos Preview access was being limited to 12 launch partners and more than 40 additional organizations, naming partners including Amazon Web Services, Apple, Google, Microsoft and NVIDIA. (anthropic.com) Security practitioners flagged vendor and supply‑chain risk after the reported access; RunSafe CTO Shane Fry said, “Unauthorized users were able to access Anthropic’s Mythos model, reportedly by just changing a model name.” (securitymagazine.com) Anthropic’s probe is ongoing and Mozilla has shipped the Firefox 150 fixes (release dated April 21, 2026); both companies say they will continue internal reviews and collaborative security work as patches roll out. (firefox.com)