Anthropic's Claude Mythos just found 271 vulnerabilities in Firefox while the Pentagon is suing them and the NSA is running their models on classified networks.

The Summary

The Signal

This is what happens when an AI gets good enough to break things. Claude Mythos found 271 vulnerabilities in Firefox, a mature browser with decades of security hardening. Not theoretical exploits. Real holes. The kind that get patched quietly and never make headlines unless someone actually uses them.

The Firefox discovery is proof of concept, but the real story is the institutional chaos around who gets to use this thing. The NSA is running Mythos Preview on classified networks, according to Axios reporting. At the same time, the Pentagon has designated Anthropic a supply chain risk and is actively suing them. Same government. Different buildings. Completely opposite positions on whether this company should exist near federal infrastructure.

"The NSA is running Anthropic's Claude Mythos Preview on classified networks, even as the Pentagon fights the AI giant in court."

The White House stepped in and granted federal agencies access to Mythos, bypassing the Pentagon's concerns entirely. Dario Amodei, Anthropic's CEO, met with White House Chief of Staff Susie Wiles while lawsuits were still active. That's not a courtesy call. That's negotiating which parts of the government get the keys to a model the military thinks is dangerous.

Why the split? Civilian agencies see offensive capability. The Pentagon sees risk. Anthropic delayed the public release of Mythos because they know what happens if this gets out: every bug bounty hunter, every security researcher, every script kiddie with API access starts scanning the entire internet for holes. The Financial Times framed it clearly: fears that Mythos "could turbocharge hacking and expose weaknesses faster than they can be fixed."

Key Mythos capabilities raising alarms:

  • Autonomous vulnerability discovery across complex codebases
  • Speed of exploitation mapping outpacing human patching cycles
  • Potential weaponization if model weights leak or API access spreads

The Firefox test wasn't a one-off. It was a demonstration. Anthropic wanted to show federal buyers that Mythos can do offense at machine speed. But demonstrating that capability to win contracts means proving the exact thing that makes regulators nervous. You can't show an AI is good at breaking software without also showing it's good at breaking software.

The White House decision to grant access tilts the debate toward deployment over caution. Agencies like CISA, which handles critical infrastructure defense, want Mythos to find holes before adversaries do. The Pentagon lawsuit argues that Anthropic's Chinese funding ties and lack of transparency make them a supply chain risk. Both things can be true.

The Implication

If you're building software, the threat model just changed. Automated vulnerability discovery at this scale means every application, every API, every smart contract is going to get scanned by something with more patience and pattern recognition than any human researcher. The window between "vulnerability exists" and "vulnerability is known" is collapsing.

For federal contractors and infrastructure operators, watch how this plays out. The White House gave Mythos a green light for civilian use while the Pentagon is still in court. That's a bet that offense wins, that finding holes faster than attackers matters more than whatever supply chain concerns are in the lawsuit. If you're securing critical systems, assume tools like Mythos are already scanning them. If the NSA is running it on classified networks, others are running similar models everywhere else.

Sources

RWA Times | Decrypt | Crypto Briefing | Financial Times Tech