Irony: Anthropic Fails to Protect Cybersecurity Champion Claude Mythos From Unauthorized Access

Anthropic’s new Mythos model, promoted as a powerful tool for identifying software vulnerabilities, is facing questions after reports that unauthorized users gained access to the preview system.
The company had limited Mythos availability to select organizations under a program called Project Glasswing, allowing partners to test the model for security use cases.
An Anthropic spokesperson confirmed to The Register that some users outside the Glasswing partner group may have accessed the model, though not through Anthropic’s production API.
The company said it is investigating claims that access occurred through one of its third-party vendor environments.
Anthropic added that there is no evidence its internal systems were affected.
Bloomberg reported that a small group allegedly gained access by making an educated guess about the model’s online location based on previous Anthropic systems.
The report said the incident may have involved data linked to Mercor, an AI staffing startup that works with major AI labs, including Anthropic.
Mercor recently disclosed that it was among the companies affected by the LiteLLM supply-chain attack.
Security experts said the case highlights how contractor access and third-party systems can become weak points even when core systems remain protected.
Anthropic has described Mythos as a major advancement for cybersecurity and said it identified thousands of additional high- and critical-severity vulnerabilities.
However, early outside analysis suggests the model may be less disruptive than some claims implied.
Mozilla CTO Bobby Holley said Mythos found 271 vulnerabilities in Firefox 150, but added that none appeared beyond what elite human researchers could also discover.
He described it more as an automated security researcher than a fully autonomous zero-day discovery machine.
Other researchers reviewing public materials linked to Mythos said some headline claims lacked full supporting details.
They questioned the number of confirmed zero-day findings, severity breakdowns, disclosure timelines, and false-positive rates.
Some also said several showcased exploits required significant human guidance rather than full autonomous operation.
Snehal Antani, CEO of Horizon3.ai, told The Register that attackers do not need Mythos to accelerate vulnerability research.
He said public models and open-source systems are already speeding up that process.
The incident has increased debate over whether Mythos represents a major new cyber threat or a strong but incremental tool for security teams.



