Has Mythos just broken the deal that kept the internet safe?
jnord
37 points
55 comments
April 10, 2026
Related Discussions
Found 5 related stories in 58.3ms across 4,179 title embeddings via pgvector HNSW
- Assessing Claude Mythos Preview's cybersecurity capabilities sweis · 278 pts · April 07, 2026 · 58% similar
- AI Cybersecurity After Mythos: The Jagged Frontier evelinag · 12 pts · April 09, 2026 · 57% similar
- Anthropic's Mythos leak: 3k files in a public CMS, and what the docs revealed Aedelon · 20 pts · March 29, 2026 · 55% similar
- Anthropic's Claude Mythos isn't a sentient super-hacker, it's a sales pitch edwardsrobbie · 36 pts · April 10, 2026 · 50% similar
- A leak reveals that Anthropic is testing a more capable AI model "Claude Mythos" Tiberium · 11 pts · March 27, 2026 · 49% similar
Discussion Highlights (13 comments)
theamk
> According to Anthropic, Mythos Preview successfully generates a working exploit for Firefox's JS shell in 72.4% of trials Why are AI people so dramatic? Ok, there is yet another JS sandbox escape - not the first one, not the last one. It will be patched, and the bar will be raised for a bit... at least until the next exploit is found. If anything, AI will make _weaponized_ exploits less likely. Before, one had to find a talented person, and get pretty lucky too. If this AI is as good as promised, you can have dependabot-style exploit finder running 24/7 for the 1/10th cost of a single FTE. If it's really that good, I'd expect that all browser authors adopt those into their development process.
ece
Standard disclosure rules should apply, give security stake holders 90-days of advance access, then release the model.
heliumtera
>Anthropic just launched a model so good it scapes every know sandboxed. No, they launched a card with that capability written on.
0xbadcafebee
No, you have not been safe all this time. Every security person I know has known for ages that you need to run NoScript to block all javascript if you want to be remotely secure on the web. We also know about all the 0days found on all browsers every year. Same for mobile devices. You have always been insecure. AI just makes it slightly faster to do what hackers have been doing for ages. BTW: Mythos is not new. OpenAI literally released a press release 1 month ago talking about GPT 5.4's redteaming features being so powerful they require ID verification to use it, and will use heuristics to downgrade you if you look like you're doing something shady. I guess everyone's got a short-term memory, or Anthropic's PR is so good that people genuinely don't understand that OpenAI's models are superior to Anthropic's.
rcxdude
I dunno, it's not obvious to me that it shift the balance that way. It's always kind of been the case that a sufficiently determined attacker is going to be able to spend way more effort than you put into secure a system to break into it. If anyone can find the holes that includes the people defending the system. This might actually make the state-level threats are less scary than they were before.
sharts
Meh the cybersecurity risk isn’t LLMs. It’s the already fundamentally broken systems that it easily can exploit. Are folks going to actually go back and fix things that were only secure because they were or buried in layers of obfuscation and obscurity? Probably not. And that’s the real cyber security risk. Short term profit always wins.
bloppe
If only there were some way to patch vulnerabilities once they are discovered.
readthenotes1
I tried to read the article and what I got out of it was that the author believes that the deal that keeps the internet safe is that we just don't try to break it hard enough. Ignoring all the state actors who do that all the time. Seems something of a unusual take on the state of the world
rvz
This is instead another great advertisement for Rust. Anthropic really got the Mythos marketing scarecrows out once again. Dario is trying to scare you to buying into his IPO and you're over-estimating the capability of Mythos...because he said so? With no independent reviews on the research and with many security researchers and experts accusing them of blatant scaremongering. This is Anthropic's latest attempt to frame local models and to get them banned as they stand to be a threat against their business model.
jMyles
> the deal has been simple: you click a link, arbitrary code runs on your device, and a stack of sandboxes keeps that code from doing anything nasty. At most, Mythos has reminded us that this "deal" is subject to frequent cycles of being compromised-and-patched. From time to time, I have run browsers configured for opt-in javascript (eg, umatrix), but man it's a lot of work to live that way.
ajross
I honestly think this argument (that cheap vulnerabilities means more zero days) is backwards. Making vulnerability detection cheaper shifts the balance in favor of the good guys, because it dilutes the size of the black market that the discoverers might otherwise be tempted to sell into. Stated differently: right now black hat hacking is a valuable skill that can be turned into money easily. Once everyone can do it the incentives shift and the black hats will disappear. And that leaves the next most incentivized group in control of the market, who are presumably the software vendors. Basically Microsoft and Google and company used to have to pay bug bounties and pray. Now it's practical just to throw a few million dollars at Anthropic instead.
jauntywundrkind
I see this as a Brandolini's Law 2.0, a software supplemental really. Where-as before it was: > The amount of energy needed to refute bullshit is an order of magnitude bigger than that needed to produce it. Now the energy needed to secure against exploits is orders of magnitude bigger than the effort needed to secure it. The combination of deep expertise + infinite patience of the LLM meeting the vastly increasing surface of software has a certain apocalyptic chaos gods ruin to it all, just as well known bias for mistruth to unfairly propogate itself bedevils this good planet.
firer
Security efforts are not evenly distributed, even within a single project. This includes both the thinking that the developers put in, and the scrutiny given to a piece of code by researchers. The initial batch of publicly disclosed vulnerabilities by Mythos demonstrates that perfectly. None of the bugs themselves are especially interesting or complex, in my opinion. They were found by applying effort to a very large amount of code which included under-scrutinized areas, where bugs hid. Yes, even in projects like Linux and OpenBSD there are many pieces of code that aren't that properly vetted, because of the finite amount of developer/researcher time allotted. The fact that this effort is much cheaper does indeed change things. But really strong sandboxing solutions, such as gvisor or firecracker, do a really good job of having very little attack surface, all of which is heavily scrutinized. Until we see more of the bugs that were found, it remains to be seen whether or not the post's premise about sandboxes is correct.