Some Unknown Group Is Reportedly Using Claude Mythos Without Permission - Gizmodo

Google News · April 21, 2026

Detailed Analysis

An anonymous group has reportedly gained unauthorized access to Anthropic's unreleased Claude Mythos model — internally codenamed "Capybara" — through a third-party vendor environment, raising serious concerns about supply-chain security in advanced AI development. The group claims to have maintained access since April 7, 2026, and shared evidence of their intrusion, including a live demonstration and screenshots, with Bloomberg. Anthropic has confirmed it is investigating the breach. The access was not achieved through a single catastrophic vulnerability but rather through a chain of smaller weaknesses: leaked credentials from a breach at AI training startup Mercor, insider-level access reportedly obtained through an Anthropic contractor, and automated scanning of GitHub repositories for exposed configurations. The group asserted benign intent throughout, though this does little to diminish the severity of what the incident reveals about the fragility of restricted AI preview environments.

Claude Mythos represents one of the most capability-dense AI systems Anthropic has developed, specifically engineered for advanced programming and cybersecurity tasks. During controlled testing, the model demonstrated the ability to autonomously identify and exploit software vulnerabilities, discovering thousands of zero-days across major operating systems and browsers, and successfully reproducing exploits in 83% of cases — including a vulnerability in OpenBSD that had gone undetected for 27 years. These capabilities are so potent that Anthropic chose not to release the model publicly at all, instead channeling it into Project Glasswing, a defensive coalition of approximately 40 organizations including AWS, Apple, Microsoft, Google, and CrowdStrike, with the explicit goal of using the model's power to find and patch vulnerabilities before malicious actors can exploit them. The decision reflects an unusually conservative deployment posture, even by the standards of a company that has consistently emphasized safety-first development.

The breach exposes a fundamental tension in how frontier AI laboratories manage restricted model access. Providing select partners and vendors with preview access to powerful models is considered a prudent step for capability assessment and controlled deployment, but each additional node in that access network represents an expanded attack surface. In this case, no single catastrophic failure produced the breach — rather, it was the aggregation of a third-party data leak, a compromised contractor relationship, and poor credential hygiene in public code repositories that collectively unlocked access to one of the most sensitive AI systems in existence. Security researchers have noted that this "chaining" attack vector — stitching together minor, seemingly inconsequential data exposures — is an increasingly common pattern in high-value infrastructure intrusions, and AI model previews are now firmly within scope for such campaigns.

The incident amplifies broader anxieties about the intersection of advanced AI agents and offensive cyber operations. A model capable of autonomously discovering and reproducing zero-day exploits, if accessed without safeguards by a genuinely malicious actor, could dramatically lower the technical barrier to sophisticated cyberattacks. While the group that accessed Claude Mythos appears to have acted without malicious intent, their ability to reach the model at all demonstrates that the gap between a responsible actor and a destructive one in such scenarios may be a matter of motivation rather than capability. Anthropic's Project Glasswing coalition model — directing the model's power exclusively toward defensive ends through vetted institutional partners — is a deliberate attempt to keep that gap wide, but the breach suggests the organizational and technical controls surrounding that arrangement require significant hardening. The episode is likely to accelerate industry-wide conversations about vendor trust boundaries, contractor access governance, and the specific security obligations that accompany stewardship of dual-use AI capabilities at the frontier.
