A small group of unauthorized users has tapped Anthropic's restricted Claude Mythos for roughly two weeks, accessing it through a third-party vendor environment.

Mythos Vendor Breach

Bloomberg first reported the breach on Apr. 21, citing a source inside a private Discord channel that tracks unreleased AI models.

The group got in on Apr. 7, the same day Anthropic unveiled Mythos.

Members leaned on credentials from a third-party contractor and common open-source sleuthing tools to guess the model's endpoint, the source said. They handed Bloomberg screenshots and a live demo as proof.

"We're investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments," an Anthropic spokesperson said. The company has found no evidence that its own systems were touched.

Also Read: $292M KelpDAO Hack Highlights Ethereum Weakness, Hoskinson Says

Glasswing Security Fallout

The group has reportedly avoided running cybersecurity prompts on Mythos, a move that analysts say is meant to dodge detection rather than prove harmlessness.

Independent commentators note that intent is beside the point when the tool in question can find and exploit zero-day flaws in every major operating system and browser.

Security researchers writing on Schneier on Security and at Cybersecurity News say the episode exposes the weakest link in frontier AI: contractor accounts and predictable endpoint naming.

Anthropic launched Mythos Preview on Apr. 7 under Project Glasswing, pledging up to $100 million in usage credits.

Access was limited to 12 launch partners, including Apple, Microsoft, Google, Amazon Web Services, and Nvidia, plus roughly 40 critical-infrastructure organizations. The company had warned that the model could be weaponized if it reached the wrong hands, a claim that now reads as prophetic.

Read Next: CHIP Volume Now Outpaces Market Cap As Traders Pile In