Overview
A group of amateur investigators coordinating on Discord gained unauthorized access to Anthropic’s highly restricted Mythos Preview AI model — a system described as a dangerously capable vulnerability-discovery tool — without using any AI-based attack methods. The breach relied on a combination of social engineering intelligence, supply chain data leakage, and misconfigured access permissions inherited through contractor relationships. The incident was first reported by Bloomberg and highlights how powerful frontier AI models can be exposed through conventional, low-sophistication operational security failures rather than novel technical exploits.
Technical Analysis
The access chain involved three distinct components:
- Breach Data Exploitation: The group examined leaked data from a recent compromise of Mercor, an AI training startup that works with developers — including those in Anthropic’s contractor ecosystem. This provided metadata and contextual intelligence about Anthropic’s model infrastructure.
- Endpoint Enumeration via Pattern Inference: Using knowledge of the URL schema Anthropic has historically used for other model deployments, the group made an “educated guess” about Mythos Preview’s endpoint location. This is a form of predictable resource location exploitation — a low-sophistication but effective reconnaissance technique when naming conventions are consistent.
- Permission Inheritance via Contractor Role: At least one individual reportedly held legitimate access to other Anthropic models through work for an Anthropic contracting firm. These existing permissions were leveraged to escalate access to Mythos and other unreleased models, suggesting insufficient permission scoping across model tiers.
No jailbreaks, prompt injection, or adversarial ML techniques were required. The attack surface was entirely in access governance and operational security.
Framework Mapping
- AML.T0012 (Valid Accounts): Contractor credentials and permissions were exploited to gain access beyond their intended scope.
- AML.T0040 (ML Model Inference API Access): The group obtained live inference access to a restricted production model.
- AML.T0044 (Full ML Model Access): Access extended to unreleased models beyond Mythos, implying broad API access.
- AML.T0010 (ML Supply Chain Compromise): The Mercor breach acted as an upstream supply chain intelligence source enabling downstream access.
- LLM06 (Sensitive Information Disclosure): Unreleased model capabilities and endpoints were exposed.
- LLM05 (Supply Chain Vulnerabilities): Third-party contractor and training data firm relationships created exploitable trust paths.
Impact Assessment
The immediate impact was contained — the Discord group reportedly used Mythos only to build simple websites, deliberately avoiding actions that might trigger Anthropic’s detection systems. However, the broader implications are severe: Mythos is described as a powerful autonomous vulnerability-discovery tool. If replicated by a motivated threat actor — nation-state, ransomware operator, or offensive security firm — the same access path could enable large-scale vulnerability scanning or zero-day discovery at machine speed. The exposure of other unreleased Anthropic models compounds the risk, potentially leaking capability intelligence ahead of controlled release.
Mitigation & Recommendations
- Scope contractor permissions strictly: Apply least-privilege principles per model tier; contractor access to one model should not transitively grant access to restricted or unreleased systems.
- Randomise endpoint identifiers: Avoid predictable URL schemas for restricted models; use UUIDs or time-limited signed tokens rather than human-readable naming conventions. Unpredictable identifiers raise the cost of guessing an endpoint but are not a substitute for authorization enforced on every request.
- Monitor third-party breach data proactively: Enroll in breach intelligence feeds covering contractors and training data partners to detect metadata leakage early.
- Implement behavioural anomaly detection on API access: Flag unusual access patterns — particularly first-time access to restricted endpoints from known contractor accounts.
- Conduct access permission audits post-supply-chain incidents: Any breach touching a contractor or partner should trigger immediate review of associated permission grants.
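As an added example that is not part of the original report, the following Python sketch combines two of these recommendations: a per-model-tier authorization check (a grant to a general-tier model never implies access to a restricted one) and a detector that flags an account's first call to a restricted-tier model. Model names, tiers, account ids and the log lines are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed tier map and grants: a grant names tiers, never "all models".
MODEL_TIER = {"model-ga-1": "general", "model-ga-2": "general",
              "model-preview-x": "restricted"}
GRANTS = {"contractor-17": {"general"}, "staff-03": {"general", "restricted"}}

def is_authorized(account: str, model: str) -> bool:
    """Least privilege per tier: general-tier access never implies restricted access."""
    tier = MODEL_TIER.get(model)
    return tier is not None and tier in GRANTS.get(account, set())

@dataclass
class FirstAccessDetector:
    """Remembers which tiers each account has called; alerts on a first restricted call."""
    seen: dict = field(default_factory=lambda: defaultdict(set))

    def observe(self, account: str, model: str):
        tier = MODEL_TIER.get(model, "unknown")
        first_time = tier not in self.seen[account]
        self.seen[account].add(tier)
        if first_time and tier == "restricted":
            return f"ALERT first restricted-tier access: account={account} model={model}"
        return None

def process_log(lines):
    """Run both checks over log lines of the form '<ts> account=<id> model=<name> status=<code>'.
    Detection runs even where authorization passed: a mis-scoped grant is exactly the
    case in which the authorizer says yes and only the anomaly signal remains."""
    detector = FirstAccessDetector()
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        account, model = fields["account"], fields["model"]
        if not is_authorized(account, model):
            findings.append(f"DENY {account} -> {model} (tier {MODEL_TIER.get(model)})")
        alert = detector.observe(account, model)
        if alert:
            findings.append(alert)
    return findings

SAMPLE_LOG = [  # constructed access log, not real data
    "2024-01-01T10:00:00Z account=contractor-17 model=model-ga-1 status=200",
    "2024-01-01T10:05:00Z account=contractor-17 model=model-ga-2 status=200",
    "2024-01-01T10:09:00Z account=contractor-17 model=model-preview-x status=200",
    "2024-01-01T10:12:00Z account=staff-03 model=model-preview-x status=200",
    "2024-01-01T10:15:00Z account=contractor-17 model=model-preview-x status=200",
]
```

`process_log(SAMPLE_LOG)` returns a DENY for each of the contractor's two restricted-tier calls and one ALERT per account on its first restricted-tier call, so the authorized staff account is still surfaced for review.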