Mozilla researchers reported in March that Anthropic’s Claude Opus 4.6 identified 14 high-severity bugs and 22 Common Vulnerabilities and Exposures (CVEs) over two weeks, outperforming Mozilla’s human team. Following this, researchers from Palo Alto cybersecurity firm Calif claimed that they utilized a trial version of Anthropic’s Mythos model to bypass Apple macOS security technology.
The Calif researchers informed The Wall Street Journal that they executed a “privilege escalation exploit” combined with another attack vector, enabling potential control over a target device. They developed software that linked two distinct bugs and used additional methods to corrupt a Mac’s memory and access restricted areas of the device.
The discovery of the exploit took five days, and the researchers noted that success relied not only on Mythos but also on the skills of the human testers. Apple is currently reviewing the report’s findings, with a spokesperson stating, “Security is our top priority, and we take reports of potential vulnerabilities very seriously.”
Anthropic had launched Mythos, originally named Project Glasswing, in April, granting access to around 40 selected tech companies. The company stated that Mythos has identified thousands of high-severity vulnerabilities across major operating systems and web browsers, warning of severe consequences if such tools are misused.
Michał Zalewski, a security researcher at Google, reviewed the Calif research but did not test the findings. He commented on the hype surrounding Mythos, describing it as possibly “overblown,” yet acknowledged its capability for significant vulnerability research and code auditing.
Concerns have emerged regarding the distribution of Mythos. Gary McGraw, a former VP at Synopsys, remarked to The New York Times that the technology itself is not too dangerous to release. He emphasized that withholding such tools does not address the core issues of cybersecurity.
