An AI just found 271 security holes in Firefox before Mozilla knew they existed, and the US government is fighting itself over whether to use it or ban it.
The Summary
- Mozilla shipped Firefox 150 this week with patches for 271 vulnerabilities discovered by Anthropic's Claude Mythos Preview in a single initial scan through Project Glasswing, Anthropic's coordinated defense program for critical infrastructure partners.
- The NSA is running Mythos on classified networks while the Pentagon simultaneously sues Anthropic over supply chain risk designation, creating a split-screen government policy crisis.
- The White House granted federal agencies access to Mythos for defensive cybersecurity work even as Anthropic delayed public release over fears the model could turbocharge offensive hacking.
- Anthropic CEO Dario Amodei met with White House Chief of Staff Susie Wiles to negotiate access terms while his company faces active Pentagon litigation over national security concerns.
The Signal
This is what happens when defense capability moves faster than defense policy. Anthropic's Claude Mythos Preview found 271 security vulnerabilities in Mozilla Firefox during an initial evaluation, not over months of security research but in a single automated scan. Mozilla patched all 271 in Firefox 150 this week. The discovery came through Project Glasswing, Anthropic's program that gives limited Mythos access to critical infrastructure partners for defensive security work.
The Firefox haul demonstrates what security researchers have feared and hoped for in equal measure. An AI that can identify hundreds of exploitable flaws in battle-tested software isn't just a better fuzzing tool. It's a fundamental shift in the offense-defense balance. The Financial Times reported that Mythos has "sparked fears it could turbocharge hacking and expose weaknesses faster than they can be fixed." That's not speculation anymore. Firefox 150 is the proof.
"The model could expose weaknesses faster than they can be fixed."
Meanwhile, the US government is running three incompatible policies on the same AI system. The NSA is reportedly using Mythos Preview on classified networks, according to Axios reporting. At the same time, the Pentagon has designated Anthropic as a supply chain risk and filed lawsuits. And separately, the White House granted federal civilian agencies access to Mythos for cybersecurity defense work.
This isn't bureaucratic confusion. It's three different parts of government making three different bets on the same capability. The NSA bet that Mythos helps them more than it helps adversaries. The Pentagon bet that Anthropic's structure or funding creates unacceptable risk. The White House bet that civilian agency cyber defenses need this now, litigation or not.
Anthropic has delayed the public release of Mythos over exactly these concerns. But "delayed" doesn't mean contained. The technology exists. Anthropic CEO Dario Amodei met with White House Chief of Staff Susie Wiles to work out access terms for federal deployment even as his company fights Pentagon lawsuits. The negotiation isn't whether to use Mythos. It's who gets it, under what restrictions, and how long before everyone else catches up.
Key timeline points:
- April 16: White House begins granting agency access
- April 17-18: Amodei meets with White House officials
- April 18: Anthropic announces public release delay
- April 20: NSA use on classified networks reported
- April 22: Mozilla ships 271 Mythos-discovered patches
Project Glasswing represents Anthropic's attempt to thread this needle. Give limited access to critical infrastructure partners. Let them harden defenses before offensive capabilities proliferate. Federal access to Claude Mythos could enhance Anthropic's competitive edge, according to Crypto Briefing analysis. That's true, but it's also beside the point. The competitive edge is that Anthropic built something powerful enough that the US government is simultaneously using it, suing over it, and negotiating for more of it.
The Implication
If you're running security for anything that matters, the Firefox disclosure is your warning shot. 271 vulnerabilities means your penetration testing assumptions are out of date. Anthropic isn't licensing Mythos to red teams yet, but someone will build something comparable. Six months, maybe twelve. The defensive window is now.
For policy people, the NSA-Pentagon-White House split is the tell. When different agencies make opposite calls on the same technology, it means the decision framework broke. We don't have a coherent model for AI capabilities that shift the offense-defense balance this fast. The lawsuit, the deployment, and the negotiation are all happening in parallel because nobody knows which frame wins. Watch how this resolves. It sets the pattern for every dual-use AI capability coming next.
Sources
BeInCrypto | RWA Times | Decrypt | Crypto Briefing | Financial Times Tech