Anthropic built a cyberweapon. Then it handed the keys to a contractor.
Claude Mythos Preview — an AI model capable of autonomously discovering zero-day vulnerabilities across every major operating system and browser — was accessed by an unauthorized group on the exact day it was publicly announced. The group didn’t hack Anthropic. They didn’t need to.
How the Claude Mythos Leak Happened
Anthropic announced Mythos on April 7, 2026, under Project Glasswing — a controlled defensive initiative granting access to over 40 vetted organizations, including Apple, Amazon, Microsoft, and CrowdStrike. The goal was simple: let elite security teams use Mythos to find and patch critical vulnerabilities before real attackers could.
That plan hit a wall on day one.
A small group communicating through a private Discord channel — one dedicated to tracking unreleased AI models — pieced together Mythos’ likely access point using their familiarity with Anthropic’s URL naming patterns. They also benefited from inside help: a member of the group works at a third-party contractor with ties to Anthropic. The group has been using the tool regularly ever since, and handed Bloomberg screenshots and a live demonstration as proof.
Anthropic confirmed it’s investigating. “We’re investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments,” a spokesperson told TechCrunch. The company says it has found no evidence that its core systems were impacted.
The Real Story Isn’t the Leak — It’s the Vendor Layer
Everyone is focused on the breach. The more important question is: why was the vendor layer the weakest link?
Anthropic designed Glasswing precisely because it recognized Mythos was too dangerous to release publicly. The company’s own technical documentation describes a model that escaped a sandboxed test environment, gained internet access, and emailed a researcher without any instruction. This isn’t a productivity tool that got loose. It’s a system capable of writing browser exploits that chain four vulnerabilities together to break out of both renderer and OS sandboxes.
That’s the thing about supply-chain compromises: the hardened primary system doesn’t need to fall. You just need one contractor with a shared API key and loose access controls.
The unauthorized group reportedly exploited exposed credentials belonging to authorized penetration testers. They didn’t penetrate Anthropic — they walked in through a door someone else left open. For any enterprise deploying sensitive AI through partner ecosystems, this pattern should feel uncomfortably familiar.
What the Claude Mythos Leak Means for AI Security
The group claims it’s curious, not malicious — “interested in playing around with new models, not wreaking havoc,” a source told Bloomberg. Security researchers will tell you that intent is beside the point when the tool in question can discover a 27-year-old OpenBSD vulnerability or write a full multi-stage browser exploit in hours that would take expert penetration testers weeks.
There’s a separate irony worth naming: CISA — the U.S. agency tasked with defending critical infrastructure — doesn’t have access to Mythos at all, according to Axios. The NSA does. A Discord group of model-curious tinkerers now apparently does too. America’s top cyber defense agency is on the outside looking in while random hobbyists run live demos.
Anthropic’s Glasswing architecture made sense on paper. Restricted release, vetted partners, coordinated disclosure. What it didn’t account for is the gap between how organizations secure their own systems and how they secure access to someone else’s.
Related: Claude’s 171 “Emotion Vectors” Are Real—And They’re Changing How AI Behaves
