- Unauthorized users claim to have access to Anthropic's Claude Mythos
- The users gained access with guesswork and third-party access
- The model is capable of exploiting software vulnerabilities at scale
Anthropic’s Mythos model, which is capable of spotting hundreds of zero-day vulnerabilities in software, has been accessed by unauthorized users.
A Bloomberg report, citing documentation and a person familiar with the matter, says that the model is being used regularly by unauthorized users.
Mythos’ capabilities are so dangerous that Anthropic has restricted access to the model to a select handful of companies to harden their defenses as part of Project Glasswing, which may be starting to show cracks.
Cracks are showing in Project Glasswing
Anthropic has previously said that the Mythos model is capable of spotting critical vulnerabilities “in every major operating system and every major web browser when directed by a user to do so.”
To put this in perspective, Mozilla CTO Bobby Holley recently revealed that Mythos was able to find 271 vulnerabilities in the latest build of Firefox.
That is why Mythos would be so dangerous in the wrong hands. The software would allow a threat actor to immediately identify the most vulnerable cracks and either exploit them themselves or sell them to other nefarious actors.
Bloomberg says that the users belong to a group with an interest in unreleased AI models who have previously accessed other unreleased Anthropic models.
To access Mythos in particular, the users relied on the expertise of one person who has been given permission to access Anthropic models and software for evaluation purposes on behalf of a third-party company.
The group also relied on details from a data breach that hit AI-recruitment startup Mercor. The details allowed the group to guess the whereabouts of the model’s online location, while also using expertise gathered from the format of other Anthropic models.
While the group has apparently said it has no interest in using Mythos for malicious purposes - and instead is interested purely in testing the model - it has raised serious questions about the security of Mythos.
“We’re investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments,” a spokesperson for Anthropic said in a statement, adding that the company has no evidence that the access has extended beyond a third-party vendor’s environment.
Anthropic recently detected exploit attempts and hidden evaluation awareness within the Mythos model, which it dubbed as 'strategic manipulation' features.
