In brief
- Mozilla says Anthropic’s Claude Mythos identified 271 vulnerabilities in Firefox during testing.
- Anthropic is restricting the model to vetted partners through Project Glasswing because of cybersecurity risks.
- Researchers warn that the same capability could accelerate automated cyberattacks.
For decades, attackers have had the advantage in cybersecurity. Artificial intelligence may be about to change that.
In a blog post published on Tuesday, Firefox browser developer Mozilla said an early version of Anthropic’s Claude Mythos AI model—which has drawn attention in recent weeks for its purported cybersecurity prowess—helped identify 271 vulnerabilities in the browser during internal testing. Those bugs were patched this week.
The results highlight how advanced AI systems can analyze large codebases and find weaknesses that previously required extensive manual review by human cybersecurity researchers.
“As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus,” Mozilla wrote. “For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up.”
Mozilla had earlier tested another Anthropic model that identified 22 security-sensitive bugs in a previous Firefox release. Despite these successes, Mozilla acknowledged that the cybersecurity industry has long treated the complete elimination of software exploits as an “unrealistic goal.”
“Until now, the industry has mostly fought security to a draw,” the company wrote. “Vendors of critical internet-exposed software like Firefox take security extremely seriously and have teams of people who get out of bed every morning thinking about how to keep users safe.”
Mozilla said the new AI system can analyze source code and identify vulnerabilities in ways that previously depended on scarce human expertise. However, Mozilla said the company was encouraged to see that no bugs were found that couldn't have been discovered by "an elite human researcher."
"Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don’t think so," they said. "Software like Firefox is designed in a modular way for humans to be able to reason about its correctness. It is complex, but not arbitrarily complex."
The results, however, suggest AI tools could allow developers to uncover large numbers of vulnerabilities before attackers exploit them—though conversely, in the wrong hands, it could spell big trouble for software firms and users alike.
Launched in March, Mythos is Anthropic’s most advanced model for reasoning, coding, and cybersecurity tasks. Internal company materials describe the system as part of a new model tier beyond the company’s earlier Opus series.
Testing conducted before the model’s release showed it could identify thousands of previously unknown vulnerabilities across major operating systems and web browsers.
Anthropic has limited access to the system through a restricted program called Project Glasswing, which gives select technology companies—including Amazon, Apple, and Microsoft—the ability to use the model to scan software for weaknesses. It reflects a growing effort within the cybersecurity industry to use AI systems to identify and patch vulnerabilities before attackers can exploit them.
However, the same technology could also enable new forms of cyberattacks. Security researchers say AI systems capable of analyzing code at scale could automate the discovery of exploitable vulnerabilities across widely used software.
After the launch of Mythos, testing by the U.K.’s AI Security Institute found that the AI could autonomously execute complex cyber operations, including completing a multi-stage corporate network attack simulation without human assistance. Those capabilities have drawn attention from governments and intelligence agencies alike.
Despite a call from President Donald Trump's administration to stop using Anthropic’s technology due to a clash over its use in warfare and surveillance matters, on Monday, the National Security Agency was revealed to be running Claude Mythos Preview on classified networks, according to sources familiar with the deployment. The use of Mythos underscores the growing interest among U.S. security agencies in the model’s ability to identify critical software vulnerabilities.
The model’s performance has also exposed limits in existing AI evaluation systems. Earlier this month, Anthropic acknowledged that several cybersecurity benchmarks are no longer able to measure the capabilities of its newest models.
Mozilla said the results point to a potential shift in cybersecurity, where defenders may begin to close the long-standing advantage attackers have held.
“We are extremely proud of how our team rose to meet this challenge, and others will too,” Mozilla wrote. “Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up. Defenders finally have a chance to win, decisively.”
Mozilla did not immediately respond to a request for comment by Decrypt.