
On Anthropic’s Mythos Preview and Project Glasswing

TL;DR HIGH
  • What happened: Claude Mythos Preview demonstrates autonomous LLM exploit generation, narrowing defender advantage in vulnerability discovery.
  • Who's at risk: Software vendors and infrastructure operators facing imminent threat of commoditised zero-day exploits from advanced LLM capabilities.
  • Act now: Accelerate vulnerability patching cycles before public LLM release · Invest in automated exploit detection and containment systems · Participate in controlled LLM security programmes like Project Glasswing

Overview

Bruce Schneier’s April 2026 commentary examines Anthropic’s controlled release of Claude Mythos Preview and the associated Project Glasswing — a proactive programme in which the model is deployed internally to scan public-domain and proprietary software for vulnerabilities, with the intent of patching them before the model reaches general availability. Anthropic’s decision to withhold the model from public release, citing its advanced cyberattack capabilities, has drawn significant industry attention and prompted rival OpenAI to make similar claims about its own latest model. Schneier frames the announcement as partly a PR exercise, but does not dismiss the underlying technical reality: these models represent a qualitative step forward in autonomous offensive capability.

Technical Analysis

Several capability advances are highlighted that distinguish this generation of models from predecessors:

  • Autonomous exploit operationalisation: The models can move from vulnerability identification to working exploit code without human involvement, removing a historically significant barrier for lower-skilled attackers.
  • Complex vulnerability chaining: Models can identify and chain multiple memory corruption bugs — a task that previously required expert-level knowledge and manual effort.
  • One-shot prompting: Advanced cyberattack tasks can now be completed with minimal prompt engineering, eliminating the need for complex agent orchestration frameworks.

Importantly, security firm Aisle was reportedly able to replicate some of Mythos’s vulnerability findings using older, cheaper, publicly available models — though with a critical caveat noted in comments: smaller models required hints about where to look and frequently hallucinated vulnerabilities in patched code, suggesting the replication is noisier and less reliable than it first appears.

Schneier draws a key distinction: finding a vulnerability for the purpose of patching it is currently easier for AI than finding one and reliably exploiting it. This asymmetry gives defenders a temporary advantage, but one that is expected to erode as model capabilities continue to improve.

Framework Mapping

  • AML.T0047 (ML-Enabled Product or Service): Mythos and comparable models are being used as offensive security tools, whether by defenders (Project Glasswing) or potential adversaries.
  • AML.T0044 (Full ML Model Access): Concern centres on what happens when highly capable models become publicly accessible, granting full offensive utility to a broad attacker population.
  • AML.T0040 (ML Model Inference API Access): Even API-gated access to such models could enable scaled vulnerability discovery campaigns.
  • LLM08 (Excessive Agency): Autonomous exploit generation without human-in-the-loop controls exemplifies excessive agency risk at scale.
  • LLM09 (Overreliance): Defenders relying on AI-assisted patching programmes may develop blind spots if models hallucinate false positives or miss novel vulnerability classes.

Impact Assessment

The affected population is effectively the entire software ecosystem. Organisations running legacy software, open-source projects with limited maintainer bandwidth, and critical infrastructure operators face the greatest near-term risk. The commoditisation of zero-day discovery would disproportionately empower mid-tier threat actors — criminal groups and hacktivist organisations that currently lack the expertise to discover complex vulnerabilities independently.

Mitigation & Recommendations

  1. Accelerate patch cadence: Assume AI-assisted vulnerability discovery by adversaries is already occurring; treat unpatched software as actively targeted.
  2. Adopt memory-safe languages: Reduce the attack surface for memory corruption chaining, which is explicitly cited as an AI-exploitable vulnerability class.
  3. Invest in AI-assisted defence now: Defender-side AI tooling (e.g., Project Glasswing-style scanning) should be deployed before adversarial capability parity is reached.
  4. Do not overrely on AI patching: Validate AI-generated vulnerability reports and patches rigorously; hallucinated vulnerabilities waste resources and may introduce new weaknesses.
  5. Monitor model release timelines: Track public availability of frontier models as a proxy for shifts in the threat landscape.
