Anthropic's Mythos and Javascript Sploits


Kurt Thams

Apr 8, 2026, 11:32:06 AM
to fr...@googlegroups.com
https://red.anthropic.com/2026/mythos-preview/

Mythos is an upcoming model from Anthropic, and it is particularly good at finding security bugs. Or... exploiting them.

Quoting from the above post:

"During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. The vulnerabilities it finds are often subtle or difficult to detect. Many of them are ten or twenty years old, with the oldest we have found so far being a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security."

I'm posting here because Mythos is able to turn JavaScript engine bugs into reliable, sandbox‑escaping exploits at a scale previous models couldn’t touch.

Not toy XSS payloads, but full memory‑corruption exploits that understand JIT behavior, heap layout, and browser sandboxing, then craft JavaScript to get code execution in the JS shell and beyond.

This feels like the infosec equivalent of handing bioweapon creation tools out to terrorists.

Raoul Duke

Apr 8, 2026, 11:52:18 AM
to fr...@googlegroups.com
One could guess there is some probability that Bad Guys already have LLM tools in use to attack targets. Maybe not as powerful but still more powerful than when it was only humans. 

Mark S. Miller

Apr 8, 2026, 4:15:36 PM
to fr...@googlegroups.com
More than guess. IIRC, we have multiple public cases of this happening. Someone please search and report. Thanks.

On Wed, Apr 8, 2026 at 8:52 AM Raoul Duke <rao...@gmail.com> wrote:
> One could guess there is some probability that Bad Guys already have LLM tools in use to attack targets. Maybe not as powerful but still more powerful than when it was only humans.

--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/friam/CAJ7XQb7QU5AQCZyrtOzL5CT%2BOZ-2Up9YYEJvU5_VUpZptdOx0Q%40mail.gmail.com.

Matt Rice

Apr 8, 2026, 9:52:34 PM
to fr...@googlegroups.com
There was also this Firefox & Anthropic partnership which found 500
zero-day exploits last month...

https://blog.mozilla.org/en/firefox/hardening-firefox-anthropic-red-team/
https://www.anthropic.com/news/mozilla-firefox-security

He was on the Security Cryptography Whatever podcast, and gave the
following quote which seems pretty apt.
https://www.youtube.com/watch?v=_IDbFLu9Ug8

"The thing that we’ve been finding most recently is you don’t really
have to try very hard. We have, I don’t know, let’s say, 10-line Bash
script plus Docker container. I just sort of point it at the thing and
be like, I’ve compiled this program with ASan. Please run against it,
read the source code, and try to find a bug. That makes ASAN trigger.
And depending on which program you’re looking at, sometimes more often
than not, it comes back to you with an input that makes ASAN trigger.
And this is not always a problem. Sometimes it’s just some stupid,
it’s now gonna read from null or something. But every once in a while
it gives you a much worse version of this. And if you ask it nicely
and say, please disregard all of your null pointer dereferences, then
it’s even more likely to find something that’s important for you. You
don’t really have to put in a huge amount of work, which is both good
and bad. It’s nice because it makes it easier to find a lot of bugs.
But in a world where the only people who could find these bugs were
the people who put a bunch of work in, there was some barrier to entry
and it’s not the case that just any random person could ask it to find
a bunch of bugs for them. There still is a lot of work that you as a
human have to do. But again, rate of progress. Previously had to like
fancy scaffolding and now you could just like open up, you know,
Claude code or Codex or whatever and just like point it at something
and say, find me a crash and it more or less will succeed. And this is
getting, um, you know, only easier."

I tried to find vulnerabilities that were released with an expedited
disclosure process due to the fact that they were found with generally
available AI tools. I recall having seen them before but couldn't remember
the specific bugs; I didn't have any luck in finding them again though.

I'm not sure if any websites track the average length of CVE
disclosure process, and whether disclosure was due to in the wild
exploitation.
In theory an expedited disclosure process without known in-the-wild
exploitation might fall into the category of bugs discovered by
generally available AI tools. In theory it'd be useful to know whether
the window of time before disclosure is shrinking.

William ML Leslie

Apr 8, 2026, 10:34:53 PM
to fr...@googlegroups.com
On Thu, 9 Apr 2026 at 01:32, Kurt Thams <kurt....@gmail.com> wrote:

Interesting post.  Of course, at this point it's mostly a marketing post, but it will be interesting as more of the bugs are made public.  I'm skeptical that the only mention of cost is where it is starting from a known bug.

The methodology is fine, it's basically the methodology we use for existing fuzzers.  Generate some unlikely conditions, then determine if you've found something.  Using ASAN as a clear signal that we should Dig Here is nice and simple.

Whether using the Word Guessing Machine for generating inputs will turn out to be cost effective compared to existing tooling is still up in the air.

I'm always suspicious of the word "capable" being applied to these models.  The impression they want to give you is that once a model has learned something, it can do that thing with some level of reliability.  Unfortunately, with the Word Guessing Machine, all you can do is generate large quantities of potential outputs and use a cheaper method to verify them.  It's monkeys and typewriters.
 
> I'm posting here because Mythos is able to turn JavaScript engine bugs into reliable, sandbox‑escaping exploits

We've had a pretty steady stream of javascript sandbox escapes, and no sign that they are slowing down.  In fact, we even had a WASM escape last year:

https://youtu.be/QWsSNRQN7v8

The industry still seems to be of the opinion that formal verification is out of reach for an optimising javascript compiler.  I hold out hope that someone with the experience, time, and hubris might accomplish a verified optimising WASM runtime at some point, and that javascript will then be within reach.  Here's a talk from Samuel Gross on the v8 team on where their focus is.

https://youtu.be/5ivI2N926UU

Off-topic, I'd love to find out why they had trouble with sea-of-nodes.  The only sea-of-nodes compiler I have any experience with, libFIRM, is pretty explicit about representing exactly the sort of invariants they are having trouble with.
 
> at a scale previous models couldn’t touch.

The only scale that matters is cost, and the only bounds we can infer from this release are pretty broad.
 
> This feels like the infosec equivalent of handing bioweapon creation tools out to terrorists.

I have no doubt that you could accomplish a lot more with a hundredth of the monthly spend of Anthropic.

--
William ML Leslie
A tool for making incorrect guesses and generating large volumes of plausible-looking nonsense.  Who is this very useful tool for?
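
The triage step discussed in the two messages above (ASan as the crash oracle, with null-pointer dereferences set aside) can be sketched as a report classifier. This is an added example, not code from any poster or from Anthropic; the function names, the `NULL_PAGE` threshold and the sample reports are constructed for illustration.

```python
import re
from typing import Optional

# ASan report header: "==PID==ERROR: AddressSanitizer: <kind> on [unknown] address 0x..."
HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS = re.compile(r"\b(READ|WRITE)\b")
TOP_FRAME = re.compile(r"#0 0x[0-9a-fA-F]+ in (\S+)")
CORRUPTION = {"heap-buffer-overflow", "stack-buffer-overflow",
              "global-buffer-overflow", "heap-use-after-free"}
NULL_PAGE = 0x1000  # assumption: faults below this address count as null derefs

def classify(report: str) -> Optional[dict]:
    """Parse one ASan report; return None when ASan did not fire."""
    m = HEADER.search(report)
    if m is None:
        return None
    kind = m.group("kind")
    addr = int(m.group("addr"), 16) if m.group("addr") else None
    acc = ACCESS.search(report, m.end())
    frame = TOP_FRAME.search(report, m.end())
    if kind == "SEGV" and addr is not None and addr < NULL_PAGE:
        priority = "ignore"   # the null-pointer-dereference case from the quote
    elif kind in CORRUPTION:
        priority = "high"     # memory-corruption class, fix first
    else:
        priority = "review"   # anything else needs a human look
    return {"kind": kind, "access": acc.group(1) if acc else None,
            "frame": frame.group(1) if frame else None, "priority": priority}

def triage(reports):
    """Drop clean runs and null derefs, de-duplicate by (kind, top frame)."""
    seen, findings = set(), []
    for text in reports:
        f = classify(text)
        if f is None or f["priority"] == "ignore":
            continue
        key = (f["kind"], f["frame"])
        if key not in seen:
            seen.add(key)
            findings.append(f)
    return findings

# Constructed sample reports (not output from a real target).
OVERFLOW = ("==101==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x4f5e3a\n"
            "WRITE of size 4 at 0x602000000014 thread T0\n    #0 0x4f5e3a in parse_chunk /src/demo/parse.c:42:13\n")
NULL_READ = ("==102==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x4f6001 T0)\n"
             "==102==The signal is caused by a READ memory access.\n    #0 0x4f6001 in lookup /src/demo/table.c:17:9\n")
SAMPLES = [OVERFLOW, NULL_READ, OVERFLOW.replace("==101==", "==103=="), "all tests passed\n"]
```

Run over the four constructed samples, `triage(SAMPLES)` keeps a single finding: the duplicate overflow collapses into one entry and the null read is dropped.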

Raoul Duke

Apr 9, 2026, 2:39:03 AM
to fr...@googlegroups.com
> a hundredth of the monthly spend of Anthropic.

it is being subsidized. 

and handed out like candy. 

so the expenses are (as all too often in life) hidden/distorted/externalized 

so lots of people who would not have engaged in such activities (nor been super successful if they had) now can do it indefinitely for $20/month. 

William ML Leslie

Apr 9, 2026, 3:02:41 AM
to fr...@googlegroups.com
Mythos isn't in general availability yet - according to the conclusion of the blog post, they thought they would give us all time to use their existing models extensively to find and fix any low-hanging fruit.  Will they adjust their pricing for Mythos?

But what I was trying to get at is that during this test where they found and reported bugs, employees had access to enormous amounts of inference hardware with no artificial rate limits.  We don't know how much they spent on this project specifically, but their published expenditures are absurd enough that you could afford a lot of experts and enough compute to run all the fuzzers you want with just 1% of that.  The idea is that you could get similar results with a much smaller investment.
 

Ken Kahn

Apr 9, 2026, 5:39:37 AM
to fr...@googlegroups.com
In https://red.anthropic.com/2026/mythos-preview/ they mention what their tests would cost. Here are a few examples.

> This was the most critical vulnerability we discovered in OpenBSD with Mythos Preview after a thousand runs through our scaffold. Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings. While the specific run that found the bug above cost under $50, that number only makes sense with full hindsight. Like any search process, we can't know in advance which run will succeed.
>
> In addition to this vulnerability, Mythos Preview identified several other important vulnerabilities in FFmpeg after several hundred runs over the repository, at a cost of roughly ten thousand dollars. (Again, because we have a perfect crash oracle in ASan, we have not yet encountered a false positive.) These include further bugs in the H.264, H.265, and av1 codecs, along with many others. Three of these vulnerabilities have also been fixed in FFmpeg 8.1, with many more undergoing responsible disclosure.

Other examples were 1 or 2 thousand dollars.

Best,

-ken




William ML Leslie

Apr 9, 2026, 8:02:01 PM
to fr...@googlegroups.com
According to The Register:

> Anthropic invited around 40 other organizations to participate in this introspective bug hunt, subsidized by up to $100M in usage credits for Mythos Preview and $4M in direct donations to open-source security organizations.

Raoul Duke

Apr 12, 2026, 12:10:57 AM
to fr...@googlegroups.com

well, copilot is knowledgeable enough to tell me how super vulnerable everything is, so that's peachy.




Short answer:
Beyond BlueHammer‑style chains, you should defend against any vulnerability class that can be chained across multiple subsystems, especially those that combine race conditions, confused‑deputy behavior, cross‑boundary desynchronization, and privilege‑pivoting across trust zones. These are the multi‑step, multi‑surface attack patterns that modern attackers—especially AI‑augmented ones—are accelerating. (IT-Online, IT News Africa)

Below is a structured map of the other multi‑stage vulnerability patterns worth prioritizing.


🧩 1. Multi‑Step Privilege Escalation Chains (Beyond TOCTOU)

These are attacks where no single bug is catastrophic, but the composition is.

  • Service‑to‑Kernel Escalation Chains — chaining a user‑mode service misconfiguration with a kernel driver flaw to reach SYSTEM.
  • Sandbox Escape Pipelines — browser → GPU process → OS service → kernel.
  • Container Breakout Chains — OCI runtime bug → filesystem pivot → host namespace escape.

Why it matters: Attackers increasingly use AI to discover these multi-hop paths automatically. (IT-Online)


🔀 2. Confused‑Deputy & Trust‑Boundary Crossings

BlueHammer is a confused‑deputy exploit (Defender acting on attacker‑controlled paths). Many other systems have similar patterns:

  • Package Manager Confusion — pip/npm/rpm trusting attacker‑controlled directories or symlinks.
  • Installer / Updater Hijacking — privileged updaters reading from user‑writable locations.
  • Cloud Metadata Proxy Abuse — SSRF → metadata service → credential theft.

Why it matters: These attacks exploit legitimate privileged components rather than breaking them.


⏱️ 3. Race‑Condition Chains (TOCTOU, Oplocks, Async Gaps)

BlueHammer uses oplocks; attackers also chain:

  • Filesystem races — swap symlinks/junctions between check and use.
  • Permission races — temporary ACL changes during file creation.
  • Async microtask races — especially in browsers and JS runtimes.

Why it matters: Races are increasingly found by automated fuzzers and AI models. (IT News Africa)


🧵 4. Multi‑Surface Credential Compromise Pipelines

Any chain that moves from low‑privilege foothold → credential theft → lateral movement:

  • Shadow Copy Abuse (like BlueHammer) → SAM/LSA secrets → token impersonation.
  • Cloud Identity Pivoting — OAuth token theft → refresh token replay → privilege escalation.
  • Kerberos Multi‑Step Abuse — AS‑REP roasting → password cracking → Golden Ticket.

Why it matters: Identity is now the primary attack surface in modern environments. (Palo Alto Networks)


🌐 5. Multi‑Stage Supply‑Chain Attacks

These are inherently multi‑step:

  • Dependency Confusion → Build System Compromise → Artifact Poisoning
  • CI/CD Credential Leakage → Pipeline Takeover → Production Deployment Hijack
  • Malicious Update Channels (SolarWinds‑style)

Why it matters: Attackers increasingly industrialize these attacks—AI accelerates discovery and automation. (IT-Online)


🧱 6. Lateral Movement Chains Across Layers

Defense‑in‑depth literature emphasizes that attackers rarely stop at the first foothold. (Coalition, Palo Alto Networks)

Common chains:

  • Phishing → Browser Token Theft → SaaS Admin Panel → Internal VPN
  • Compromised IoT Device → Flat Network → Domain Controller
  • Misconfigured VLAN → Jump Host → Sensitive Segment

Why it matters: These chains exploit architectural assumptions, not single bugs.


☁️ 7. Cloud‑Native Multi‑Step Exploits

Cloud environments create new multi‑hop paths:

  • SSRF → IMDS → Temporary Credentials → S3/Blob Exfiltration
  • Over‑permissive IAM Role → Lambda Execution → Secrets Manager Dump
  • Kubernetes RBAC Misconfig → Pod Exec → Node Credential Theft

Why it matters: Cloud identity and metadata services are the new “privileged deputies.”


🧠 8. AI‑Accelerated Multi‑Step Attacks

Recent reporting highlights that frontier models like Claude Mythos can reason through multi‑step exploit chains and generate novel attack paths. (IT-Online, IT News Africa)

This includes:

  • Automated discovery of multi-hop vulnerabilities
  • Rapid chaining of low‑severity bugs into high‑impact exploits
  • Scanning legacy and SaaS systems at unprecedented scale

Why it matters: The volume and velocity of multi-step attacks is increasing.


🛡️ What to Prioritize Defending (Practical)

  1. Execution control (AppLocker/WDAC, script interpreter restrictions)
  2. Identity hardening (MFA, conditional access, least privilege)
  3. Update/installer hardening (block user‑writable paths, validate signatures)
  4. Filesystem race detection (EDR rules for symlink/junction abuse)
  5. Cloud metadata protection (IMDSv2, firewall egress rules)
  6. Network segmentation (stop lateral movement chains)
  7. Continuous attack‑surface monitoring (exposed services, misconfigs)
  8. Behavioral detection (focus on chains, not single IOCs)

A question to sharpen your defense strategy

Do you want me to map these multi-step vulnerability classes into specific detection rules, architectural invariants, or agent‑enforceable guards for your system model?

