Detailed Analysis
Anthropic's unreleased Claude Mythos Preview model was accessed by a small group of unauthorized users on April 22, 2026, through a third-party vendor environment, prompting an ongoing investigation by the company. The timing of the breach is particularly striking: it occurred on the very same day Anthropic publicly announced Project Glasswing, a controlled initiative designed to allow select organizations to test Mythos exclusively for defensive cybersecurity purposes. The unauthorized users reportedly employed the model for non-cybersecurity purposes, though the full scope of what was accessed or produced during the breach remains undisclosed. No details on the identity of the individuals involved or the resolution of the incident have been made public as of the reporting date.
The significance of the breach is amplified by the extraordinary capabilities Anthropic had outlined for Mythos in its official preview documentation. The model is capable of autonomously identifying and exploiting zero-day vulnerabilities in open-source codebases, reverse-engineering exploits for closed-source software, and chaining multiple vulnerabilities to execute complex attacks such as remote code execution. Concrete examples from the preview announcement include a FreeBSD NFS server exploit granting unauthenticated root access via a 20-gadget return-oriented programming chain, Linux local privilege escalations leveraging race conditions and kernel address space layout randomization bypasses, and web browser exploits that chain four distinct vulnerabilities with JIT heap sprays to escape sandboxes. These capabilities place Mythos in a category that fundamentally differs from general-purpose AI assistants, representing a system whose misuse could directly enable sophisticated cyberattacks at scale.
The incident arrives at a pivotal moment in the broader debate over dual-use AI systems — models with both legitimate defensive applications and serious offensive potential. Regulatory bodies had already flagged concerns about Mythos prior to the breach, citing its unprecedented vulnerability-detection power as a source of potential misuse risk. Anthropic's decision to gate the model behind Project Glasswing, restricting access to vetted organizations for defensive research, reflected an attempt to navigate exactly this tension. The breach, however, exposes the fundamental difficulty of controlling access to powerful AI capabilities when deployment necessarily involves third-party infrastructure, introducing supply chain vulnerabilities that even carefully designed access frameworks may not fully mitigate.
The Mythos incident fits within a growing pattern of security challenges surrounding frontier AI model releases. As AI systems acquire increasingly specialized and potent capabilities — moving beyond language generation into autonomous exploitation of technical systems — the attack surface around their pre-release and controlled-deployment phases expands substantially. Third-party vendor environments, which are common in enterprise AI rollouts, represent a structural weak point that adversaries or opportunistic actors can exploit. This breach may accelerate calls from regulators and security researchers for stricter standards governing how AI companies manage pre-release model access, particularly when the models in question possess capabilities with direct national security or critical infrastructure implications.
The broader lesson for the AI industry is that capability disclosure and access control must be treated as deeply intertwined problems. Anthropic's public preview announcement for Mythos — which detailed specific exploit methodologies and CVEs — may itself have raised the stakes of any access breach by providing a roadmap of what the model could accomplish. As AI labs push toward increasingly capable systems and selectively release them for high-risk applications such as offensive cybersecurity research, the governance frameworks surrounding those releases will need to mature significantly to match the threat environment they are designed to operate within.