Anthropic’s ‘Too Powerful’ Mythos Triggers Global Alarm Bells & Hackers May Already Be Inside

Anthropic’s latest AI model, Claude Mythos, was designed to strengthen cybersecurity.

Instead, it’s rapidly becoming one of the industry’s biggest security concerns after governments, banks, and cybersecurity leaders warned that the model could just as easily supercharge attacks as it can prevent them.
 

TL;DR

 

• Australia and New Zealand’s central banks are actively monitoring Anthropic’s Claude Mythos rollout
• Anthropic says Mythos discovered thousands of high-severity flaws across major operating systems and web browsers
• Mozilla fixed 271 Firefox vulnerabilities after testing the model
• A separate report claims an unauthorized group accessed Mythos through a third-party vendor environment
• Regulators fear AI-powered cyberattacks could scale faster than companies can defend against them

 

What Is Claude Mythos And What Is Project Glasswing?

Claude Mythos is Anthropic’s newest large language model that was initially trained as a general-purpose AI system but unexpectedly developed advanced cybersecurity capabilities as its coding and reasoning abilities improved.

According to Anthropic, the model can autonomously complete complex multi-step security tasks, uncover vulnerabilities buried in decades-old systems, assist software engineering workflows, and accelerate research processes.

The company said Mythos performs significantly better than its previous models, including Claude Opus, particularly in cybersecurity-related tasks.

That performance is exactly why Anthropic has kept it away from the public.

Instead of a broad rollout, the company launched Project Glasswing, a tightly controlled research initiative that gives access only to critical infrastructure operators, open-source developers, and select enterprise partners under strict rules that limit usage to defensive cybersecurity purposes.

The move was designed to give security teams a head start before more malicious actors can potentially gain access to similar capabilities.

 

Why Anthropic’s Claude Mythos Is Raising Cybersecurity Concerns Worldwide

Anthropic introduced Claude Mythos Preview earlier this month through Project Glasswing, but concerns escalated quickly after the company revealed what the model had already uncovered.

Anthropic claimed Mythos has identified “thousands” of high-severity vulnerabilities, including flaws across every major operating system and web browser.

One of those vulnerabilities had reportedly remained hidden for 27 years.

That revelation immediately caught the attention of global regulators.

The Reserve Bank of Australia said it is closely tracking the development and "engaging with peer regulators, government and regulated entities."

The Reserve Bank of New Zealand confirmed it is also coordinating with regulators domestically and in Australia over what it described as a "developing ‌risk."

Germany’s Bundesbank President Joachim Nagel called Mythos a double-edged sword, and said "it could be used not only to improve digital security systems, but also to leverage their vulnerabilities for ​malicious purposes."

Banking leaders remain particularly concerned because many financial institutions still operate on complex legacy infrastructure that could become easier targets for AI-powered attacks.
 

Mozilla’s Fixes Show Why Defenders Are Racing Against Time

Anthropic has granted access to major companies including Amazon, Microsoft, NVIDIA, Apple, Google, Broadcom, and more than 40 organizations responsible for maintaining critical software infrastructure.

The company’s strategy appears focused on giving defenders a temporary advantage.

Mozilla has already demonstrated why that matters.

After testing Claude Mythos Preview, Firefox engineers reportedly fixed 271 vulnerabilities identified by the model, highlighting both its defensive value and how quickly organizations may need to move before similar tools become widely available.

Cybersecurity experts believe AI tools like Mythos could ultimately benefit defenders, but only if organizations strengthen basic cybersecurity practices before attackers catch up.
   

Unauthorized Access Claims Create A New Security Nightmare

That defensive advantage may already be shrinking.

Anthropic confirmed it is investigating reports that an unauthorized group gained access to Claude Mythos through a third-party vendor environment.

The group reportedly shared screenshots and a live demonstration with Bloomberg showing access to the restricted model.

According to reports, the group combined leaked data from AI startup Mercor, insider access through a contractor, and automated GitHub scans to locate hidden endpoints connected to Mythos.

The attack reportedly relied on relatively simple tactics rather than sophisticated zero-day exploits.

That’s what makes the incident particularly alarming.

It highlights how leaked credentials, weak vendor oversight, and fragmented infrastructure can create serious risks around highly restricted AI systems.

Anthropic positioned Mythos as the future of cyber defense.

Instead, it may already be showing the world how dangerous powerful AI tools can become when security gaps emerge faster than organizations can close them.