
Anthropic has announced Project Glasswing, noting that Mythos has discovered vulnerabilities in thousands of systems.
Anthropic on Thursday announced Project Glasswing, a cybersecurity initiative that will restrict its new frontier model Claude Mythos Preview to a select group of launch partners including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.
"AI models have reached a level of coding capability beyond most skilled humans at finding and exploiting software vulnerabilities," Anthropic stated, adding that "Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser."
"Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. The fallout -- for economies, public safety, and national security -- could be severe," the statement read.
Glasswing launch partners will use Mythos Preview
Glasswing launch partners will use Mythos Preview as part of their defensive security work. Anthropic said it will share findings with the broader industry and extend access to over 40 additional organisations that build or maintain critical software infrastructure, allowing them to scan and secure both first-party and open-source systems.
"Anthropic is committing up to $100M in usage credits for Mythos Preview across these efforts, as well as $4M in direct donations to open-source security organisations," it stated.
"Project Glasswing is a starting point. No one organisation can solve these cybersecurity problems alone: frontier AI developers, other software companies, security researchers, open-source maintainers, and governments across the world all have essential roles to play," the AI firm said.
Anthropic used Mythos Preview to identify thousands of zero-day vulnerabilities
Over the past few weeks, Anthropic used Mythos Preview to identify thousands of zero-day vulnerabilities -- flaws previously unknown to the software's developers -- many of them critical, across every major operating system and web browser.
Among the findings, Mythos Preview uncovered a 27-year-old vulnerability in OpenBSD, widely regarded as one of the most security-hardened operating systems and used to run firewalls and other critical infrastructure. The flaw allowed an attacker to remotely crash any machine running the OS simply by connecting to it.
It also discovered a 16-year-old vulnerability in FFmpeg, used by innumerable applications to encode and decode video, in a line of code that automated testing tools had hit five million times without catching the problem.
The model autonomously found and chained together several vulnerabilities in the Linux kernel -- the software that runs most of the world's servers -- to allow an attacker to escalate from ordinary user access to complete control of the machine.