Anthropic’s Unreleased ‘Claude Mythos’ Exposes Critical Software Vulnerabilities

Anthropic’s Unreleased ‘Claude Mythos’ Exposes Critical Software Vulnerabilities

Anthropic has released a significant update on its internal AI security initiative, revealing that its highly capable vulnerability-scanning model, Claude Mythos, has uncovered tens of thousands of critical flaws across widely used software and open-source projects. Due to the model’s unprecedented ability to identify security weaknesses, Anthropic has opted to keep it out of public release, sharing access only with a select group of industry partners.

The Rise of Project Glasswing and Claude Mythos

Launched under the codename Project Glasswing, the initiative aims to defend critical software infrastructure from attacks by malicious AI systems. The project gained momentum after Anthropic developed Claude Mythos, a specialized model engineered to detect code vulnerabilities with remarkable precision. Recognizing the dual-use risk of such a powerful tool, the company decided against a public launch, instead distributing it to approximately 50 strategic partners, including AWS, Apple, Google, Microsoft, CrowdStrike, Nvidia, Broadcom, Cisco, and Palo Alto Networks.

Alarming Findings Across Critical Infrastructure

Early testing and partner deployments have yielded striking results. According to Anthropic’s May 22 advisory, Mythos has successfully identified vulnerabilities in software that forms the backbone of the internet and essential digital infrastructure. Partner reports highlight the model’s impact: Cloudflare discovered 2,000 bugs, 400 of which were classified as critical. Mozilla reported 271 vulnerabilities in Firefox, a tenfold increase over previous scanning efforts. Meanwhile, Palo Alto Networks noted that its latest release required five times the usual number of security patches.

Open-Source Scans and the Patching Challenge

Beyond enterprise partnerships, Anthropic deployed a preview version of Mythos to audit over 1,000 open-source projects. The scan identified 23,019 vulnerabilities, with 6,202 rated as high or critical severity. Among the most concerning discoveries was a severe flaw in wolfSSL, a widely adopted cryptography library, which could have been exploited to compromise secure communications. These findings underscore a growing challenge in software development: as AI-driven scanning becomes more sophisticated, the sheer volume of latent vulnerabilities is outpacing traditional patching cycles.

Implications for AI and Cybersecurity

Anthropic’s cautious approach with Claude Mythos reflects a broader industry reckoning with the dual-use nature of advanced AI. While the model offers unprecedented defensive capabilities, its offensive potential necessitates strict access controls. By partnering with major tech and cybersecurity firms, Anthropic is attempting to balance innovation with responsible deployment. As AI continues to reshape vulnerability research, the industry must adapt its development, auditing, and patching workflows to keep pace with both AI-assisted defenders and potential AI-driven threats.