Anthropic's Mythos and Javascript Sploits
2 views
Skip to first unread message
Kurt Thams
Apr 8, 2026, 11:32:06 AM (2 days ago) Apr 8
to fr...@googlegroups.com
https://red.anthropic.com/2026/mythos-preview/
Mythos is an upcoming model from Anthropic, and it is particularly good at finding security bugs. Or... exploiting them.
Quoting from the above post:
"During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. The vulnerabilities it finds are often subtle or difficult to detect. Many of them are ten or twenty years old, with the oldest we have found so far being a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security."
I'm posting here because Mythos is being able to turn JavaScript engine bugs into reliable, sandbox‑escaping exploits at a scale previous models couldn’t touch.
Not toy XSS payloads, but full memory‑corruption exploits that understand JIT behavior, heap layout, and browser sandboxing, then craft JavaScript to get code execution in the JS shell and beyond.
This feels like the infosec equivalent of handing bioweapon creation tools out to terrorists.
Mythos is an upcoming model from Anthropic, and it is particularly good at finding security bugs. Or... exploiting them.
Quoting from the above post:
"During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. The vulnerabilities it finds are often subtle or difficult to detect. Many of them are ten or twenty years old, with the oldest we have found so far being a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security."
I'm posting here because Mythos is being able to turn JavaScript engine bugs into reliable, sandbox‑escaping exploits at a scale previous models couldn’t touch.
Not toy XSS payloads, but full memory‑corruption exploits that understand JIT behavior, heap layout, and browser sandboxing, then craft JavaScript to get code execution in the JS shell and beyond.
This feels like the infosec equivalent of handing bioweapon creation tools out to terrorists.
Raoul Duke
Apr 8, 2026, 11:52:18 AM (2 days ago) Apr 8
to fr...@googlegroups.com
One could guess there is some probability that Bad Guys already have LLM tools in use to attack targets. Maybe not as powerful but still more powerful than when it was only humans.
Mark S. Miller
Apr 8, 2026, 4:15:36 PM (2 days ago) Apr 8
to fr...@googlegroups.com
More than guess. IIRC, we have multiple public cases of this happening. Someone please search and report. Thanks.
On Wed, Apr 8, 2026 at 8:52 AM Raoul Duke <rao...@gmail.com> wrote:
One could guess there is some probability that Bad Guys already have LLM tools in use to attack targets. Maybe not as powerful but still more powerful than when it was only humans.
--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/friam/CAJ7XQb7QU5AQCZyrtOzL5CT%2BOZ-2Up9YYEJvU5_VUpZptdOx0Q%40mail.gmail.com.
Matt Rice
Apr 8, 2026, 9:52:34 PM (2 days ago) Apr 8
to fr...@googlegroups.com
There were also these firefox & anthropic partnership which found 500
zero day exploits last month...
https://blog.mozilla.org/en/firefox/hardening-firefox-anthropic-red-team/
https://www.anthropic.com/news/mozilla-firefox-security
He was on the Security Cryptography Whatever podcast, and gave the
following quote which seems pretty apt.
https://www.youtube.com/watch?v=_IDbFLu9Ug8
"The thing that we’ve been finding most recently is you don’t really
have to try very hard. We have, I don’t know, let’s say, 10-line Bash
script plus Docker container. I just sort of point it at the thing and
be like, I’ve compiled this program with ASan. Please run against it,
read the source code, and try to find a bug. That makes ASAN trigger.
And depending on which program you’re looking at, sometimes more often
than not, it comes back to you with an input that makes ASAN trigger.
And this is not always a problem. Sometimes it’s just some stupid,
it’s now gonna read from null or something. But every once in a while
it gives you a much worse version of this. And if you ask it nicely
and say, please disregard all of your null pointer dereferences, then
it’s even more likely to find something that’s important for you. You
don’t really have to put in a huge amount of work, which is both good
and bad. It’s nice because it makes it easier to find a lot of bugs.
But in a world where the only people who could find these bugs were
the people who put a bunch of work in, there was some barrier to entry
and it’s not the case that just any random person could ask it to find
a bunch of bugs for them. There still is a lot of work that you as a
human have to do. But again, rate of progress. Previously had to like
fancy scaffolding and now you could just like open up, you know,
Claude code or Codex or whatever and just like point it at something
and say, find me a crash and it more or less will succeed. And this is
getting, um, you know, only easier."
I tried to find vulnerabilities that were released with an expedited
disclosure process due to the fact that they were found with generally
available
AI tools. I recall having seen them before but couldn't remember the
specific bugs, I didn't have any luck in finding them again though.
I'm not sure if any websites track the average length of CVE
disclosure process, and whether disclosure was due to in the wild
exploitation.
In theory an expedited disclosure process without known in-the-wild
exploitation might fall into the category of bugs discovered by
generally available AI tools. In theory it'd be useful to know whether
the window of time before disclosure is shrinking.
> To view this discussion visit https://groups.google.com/d/msgid/friam/CAK-_AD7BH4gTxg96TOheLgnqiTypxWdE3L6tcNOV3issXxofcQ%40mail.gmail.com.
zero day exploits last month...
https://blog.mozilla.org/en/firefox/hardening-firefox-anthropic-red-team/
https://www.anthropic.com/news/mozilla-firefox-security
He was on the Security Cryptography Whatever podcast, and gave the
following quote which seems pretty apt.
https://www.youtube.com/watch?v=_IDbFLu9Ug8
"The thing that we’ve been finding most recently is you don’t really
have to try very hard. We have, I don’t know, let’s say, 10-line Bash
script plus Docker container. I just sort of point it at the thing and
be like, I’ve compiled this program with ASan. Please run against it,
read the source code, and try to find a bug. That makes ASAN trigger.
And depending on which program you’re looking at, sometimes more often
than not, it comes back to you with an input that makes ASAN trigger.
And this is not always a problem. Sometimes it’s just some stupid,
it’s now gonna read from null or something. But every once in a while
it gives you a much worse version of this. And if you ask it nicely
and say, please disregard all of your null pointer dereferences, then
it’s even more likely to find something that’s important for you. You
don’t really have to put in a huge amount of work, which is both good
and bad. It’s nice because it makes it easier to find a lot of bugs.
But in a world where the only people who could find these bugs were
the people who put a bunch of work in, there was some barrier to entry
and it’s not the case that just any random person could ask it to find
a bunch of bugs for them. There still is a lot of work that you as a
human have to do. But again, rate of progress. Previously had to like
fancy scaffolding and now you could just like open up, you know,
Claude code or Codex or whatever and just like point it at something
and say, find me a crash and it more or less will succeed. And this is
getting, um, you know, only easier."
I tried to find vulnerabilities that were released with an expedited
disclosure process due to the fact that they were found with generally
available
AI tools. I recall having seen them before but couldn't remember the
specific bugs, I didn't have any luck in finding them again though.
I'm not sure if any websites track the average length of CVE
disclosure process, and whether disclosure was due to in the wild
exploitation.
In theory an expedited disclosure process without known in-the-wild
exploitation might fall into the category of bugs discovered by
generally available AI tools. In theory it'd be useful to know whether
the window of time before disclosure is shrinking.
William ML Leslie
Apr 8, 2026, 10:34:53 PM (2 days ago) Apr 8
to fr...@googlegroups.com
On Thu, 9 Apr 2026 at 01:32, Kurt Thams <kurt....@gmail.com> wrote:
Interesting post. Of course, at this point it's mostly a marketing post, but it will be interesting as more of the bugs are made public. I'm skeptical that the only mention of cost is where it is starting from a known bug.
The methodology is fine, it's basically the methodology we use for existing fuzzers. Generate some unlikely conditions, then determine if you've found something. Using ASAN as a clear signal that we should Dig Here is nice and simple.
Whether using the Word Guessing Machine for generating inputs will turn out to be cost effective compared to existing tooling is still up in the air.
I'm always suspicious of the word "capable" being applied to these models. The impression they want to give you is that once a model has learned something, it can do that thing with some level of reliability. Unfortunately, with the Word Guessing Machine, all you can do is generate large quantities of potential outputs and use a cheaper method to verify them. It's monkeys and typewriters.
Whether using the Word Guessing Machine for generating inputs will turn out to be cost effective compared to existing tooling is still up in the air.
I'm always suspicious of the word "capable" being applied to these models. The impression they want to give you is that once a model has learned something, it can do that thing with some level of reliability. Unfortunately, with the Word Guessing Machine, all you can do is generate large quantities of potential outputs and use a cheaper method to verify them. It's monkeys and typewriters.
I'm posting here because Mythos is being able to turn JavaScript engine bugs into reliable, sandbox‑escaping exploits
We've had a pretty steady stream of javascript sandbox escapes, and no sign that they are slowing down. In fact, we even had a WASM escape last year:
https://youtu.be/QWsSNRQN7v8
The industry still seems to be of the opinion that formal verification is out of reach for an optimising javascript compiler. I hold out hope that someone with the experience, time, and hubris might accomplish a verified optimising WASM runtime at some point, and that javascript will then be within reach. Here's a talk from Samuel Gross on the v8 team on where their focus is.
https://youtu.be/5ivI2N926UU
Off-topic, I'd love to find out why they had trouble with sea-of-nodes. The only sea-of-nodes compiler I have any experience with, libFIRM, is pretty explicit about representing exactly the sort of invariants they are having trouble with.
https://youtu.be/QWsSNRQN7v8
The industry still seems to be of the opinion that formal verification is out of reach for an optimising javascript compiler. I hold out hope that someone with the experience, time, and hubris might accomplish a verified optimising WASM runtime at some point, and that javascript will then be within reach. Here's a talk from Samuel Gross on the v8 team on where their focus is.
https://youtu.be/5ivI2N926UU
Off-topic, I'd love to find out why they had trouble with sea-of-nodes. The only sea-of-nodes compiler I have any experience with, libFIRM, is pretty explicit about representing exactly the sort of invariants they are having trouble with.
at a scale previous models couldn’t touch.
The only scale that matters is cost, and the only bounds we can infer from this release are pretty broad.
This feels like the infosec equivalent of handing bioweapon creation tools out to terrorists.
I have no doubt that you could accomplish a lot more with a hundredth of the monthly spend of Anthropic.
William ML Leslie
A tool for making incorrect guesses and generating large volumes of plausible-looking nonsense. Who is this very useful tool for?
Raoul Duke
Apr 9, 2026, 2:39:03 AM (yesterday) Apr 9
to fr...@googlegroups.com
> a hundredth of the monthly spend of Anthropic.
it is being subsidized.
and handed out like candy.
so the expenses are (as all too often in life) hidden/distorted/externalized
so lots of people who would not have engaged in such activities (nor been super successful if they had) now can do it indefinitely for $20/month.
William ML Leslie
Apr 9, 2026, 3:02:41 AM (yesterday) Apr 9
to fr...@googlegroups.com
Mythos isn't in general availability yet - according to the conclusion of the blog post, they thought they would give us all time to use their existing models extensively to find and fix any low-hanging fruit. Will they adjust their pricing for Mythos?
But what I was trying to get at is that during this test where they found and reported bugs, employees had access to enormous amounts of inference hardware with no artificial rate limits. We don't know how much they spent on this project specifically, but their published expenditures are absurd enough that you could afford a lot of experts and enough compute to run all the fuzzers you want with just 1% of that. The idea is that you could get similar results with a much smaller investment.
Ken Kahn
Apr 9, 2026, 5:39:37 AM (yesterday) Apr 9
to fr...@googlegroups.com
In https://red.anthropic.com/2026/mythos-preview/ they mention what their tests would cost. Here are a few examples.
This was the most critical vulnerability we discovered in OpenBSD with Mythos Preview after a thousand runs through our scaffold. Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings. While the specific run that found the bug above cost under $50, that number only makes sense with full hindsight. Like any search process, we can't know in advance which run will succeed.
In addition to this vulnerability, Mythos Preview identified several other important vulnerabilities in FFmpeg after several hundred runs over the repository, at a cost of roughly ten thousand dollars. (Again, because we have a perfect crash oracle in ASan, we have not yet encountered a false positive.) These include further bugs in the H.264, H.265, and av1 codecs, along with many others. Three of these vulnerabilities have also been fixed in FFmpeg 8.1, with many more undergoing responsible disclosure.
Other examples were 1 or 2 thousand dollars.
Best,
-ken
--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/friam/CAHgd1hH363Dt8jOroV-Gp-BLycUMsqcYnHrSD4rRFJQ%3D_c58bw%40mail.gmail.com.
William ML Leslie
Apr 9, 2026, 8:02:01 PM (12 hours ago) Apr 9
to fr...@googlegroups.com
According to The Register:
Reply all
Reply to author
Forward
0 new messages