
All news with #anthropic tag

173 articles · page 3 of 9

Commercial AI Models Make Rapid Gains in Vulnerability

🔍 Forescout’s Verde Labs reports rapid progress across commercial, open-source and underground AI models in vulnerability research and exploit generation. In 2026 the firm found all tested models could complete end-to-end vulnerability research and about half could autonomously produce working exploits; top performers included Claude Opus 4.6 and Kimi K2.5. Using single prompts, the RAPTOR agentic framework and Verde Labs’ extensions, researchers discovered four zero-days in OpenNDS, demonstrating a lower barrier to discovery and a growing risk for organizations.

White House Enables Federal Access to Anthropic's Mythos

🔒 The White House Office of Management and Budget is preparing protections to allow federal agencies to use a modified version of Anthropic's Claude Mythos model, according to an internal memo reported by Bloomberg. OMB CIO Gregory Barbaccia told Cabinet departments the agency is coordinating with model providers, industry partners, and the intelligence community to establish guardrails before potential release. The move comes while the Department of Defense's supply-chain risk designation against Anthropic remains in force, leaving the vendor barred from defense contracts.

Mythos and the Limits of Private AI Security Control

🔍 Anthropic announced a restricted release of Claude Mythos Preview, an AI claimed to find and weaponize software vulnerabilities at unprecedented scale, and limited access to roughly 50 organizations under Project Glasswing. The company highlighted thousands of flaws across major operating systems and browsers, including decades-old bugs and a set of 181 usable Firefox attacks, far beyond its prior model's performance. Yet the disclosure omits key metrics—false-positive rates, unfiltered outputs, and broad audit access—raising concerns that withholding a powerful tool is not a substitute for transparency, independent review, and funded access for domain experts.

Palo Alto on Anthropic’s Mythos and AI-Driven Security

🔒 Palo Alto Networks is participating in Anthropic’s Project Glasswing to test the Claude Mythos model for vulnerability discovery. EMEA CEO Helmut Reisinger says Mythos has identified unprecedented zero-day flaws across multiple operating systems and browsers and can often generate working exploits. Palo Alto is integrating Protect AI, Chronosphere, CyberArk, and soon Koi into its modular platform to secure AI, identity, observability, and agentic endpoints. Reisinger highlighted BYOK, European AI Act compliance, and preparations for the post-quantum era.

MCP STDIO Design Choice Enables Widespread RCE Risk

⚠️ Researchers at OX Security warn that a design decision in Anthropic’s reference Model Context Protocol (MCP) STDIO implementation may permit remote code execution (RCE) when client applications start local MCP servers without proper command filtering. The flaw stems from SDKs accepting arbitrary STDIO commands as subprocess arguments, which many adapters and tools inherit. Anthropic and other framework maintainers say this behavior is by design and that application developers must sanitize inputs, but OX found few effective defenses and demonstrated RCE across numerous projects and services.

Anthropic Claude Opus 4.7 Now Available in Amazon Bedrock

🚀 Claude Opus 4.7 is now available in Amazon Bedrock, delivering Anthropic’s most capable Opus release with improvements across coding, professional knowledge work, visual understanding, and long-running task handling. Served via Bedrock’s next-generation inference engine, Opus 4.7 offers enterprise features such as zero operator data access, dynamic traffic routing, and improved scalability. The model enhances agentic coding, systems engineering, long-horizon reasoning, and high-resolution image support, and is available in select AWS Regions.

Glasswing’s Public Record: Just One Confirmed CVE Now

🔍 VulnCheck's analysis indicates Anthropic's controlled-access Project Glasswing has only one publicly attributable CVE: CVE-2026-4747, a FreeBSD NFS remote code execution flaw described as autonomously identified and exploited. Researcher Patrick Garrity reviewed the CVE database and found 75 records mentioning Anthropic, but only 40 credited to its researchers and a single CVE tied explicitly to Glasswing. Industry observers warn that public attribution may understate the model's potential, and Anthropic plans a fuller accounting by July 2026.

Venice OT intrusion claim and Anthropic source leak risks

🔒 Smashing Security episode 463 examines two incidents that expose operational and AI security weaknesses: a claimed intrusion into Venice’s flood‑defence pump controls and an accidental full‑source disclosure by Anthropic. Hosts Graham Cluley and Tanya Janca discuss the physical risks of compromised legacy OT systems, how packaging/CI misconfigurations can leak high‑value IP and attack surface, and the governance challenges of powerful internal tools like Mythos. They recommend stronger CI/CD defaults, strict access controls for model assets, and reliable out‑of‑band incident communications.

Anthropic Claude Opus 4.7 Now Available on Vertex AI

🟢 Claude Opus 4.7 is now generally available on Vertex AI, delivering improved problem solving, instruction following, and expanded vision and long-memory capabilities. The release boosts accuracy on high-resolution documents and charts and enhances performance in coding and agentic workflows. Paired with Vertex AI’s infrastructure, you can scale agents, leverage low latency and provisioned throughput, and apply unified security controls and Model Armor. Access is available on Vertex AI and via Google Cloud Marketplace with sample notebooks and pricing guidance.

Claude on Vertex AI: U.S. and EU Multi-Region Endpoints

🌐 Google Cloud has announced that U.S. and EU multi-region endpoints for Claude on Vertex AI are available in public preview. These endpoints pool capacity across multiple regions within a geography to dynamically route requests, improving reliability while keeping processing and data within the chosen jurisdiction. The feature supports prompt caching and automatic failover, and currently offers Opus 4.7 in preview. Enabling the capability requires a simple update to your API location identifier (for example, using us or eu).

AI Firms Urged into Larger Role in CVE Disclosures Now

🔒 At VulnCon26 in April, Lindsey Cerkovnik of CISA urged that AI firms like OpenAI and Anthropic be more directly represented in the CVE program to help manage a surge in reported vulnerabilities. She warned that new AI tools both accelerate discovery of valid flaws and generate lower-value noise, putting pressure on disclosure workflows. Recent vendor developments — Anthropic’s Mythos Preview and OpenAI’s GPT-5.4-Cyber — illustrate how automated research is already changing the threat landscape. Cerkovnik said CVE funding is secure and the program remains a CISA priority.

Mallory unveils AI-native threat intelligence platform

🔎 Mallory has launched an AI-native threat intelligence platform that converts global threat telemetry into prioritized, evidence-based cases tailored to an organization’s environment. The SaaS offering monitors thousands of sources, contextualizes findings against actual attack surfaces, and integrates with existing tools to automate hunt, detection, and exposure management workflows. It emphasizes actionable answers over alerts and supports Claude Code, MCP, APIs, and a modern UI for extensibility.

Europe Largely Excluded from Anthropic's Mythos Access

🔒 European regulators have been largely frozen out of early access to Anthropic's new Mythos model, Politico reports. Anthropic's Project Glasswing has initially restricted testing to select U.S. technology firms — notably Apple, Microsoft and Amazon — so partners can evaluate and mitigate security risks. The UK’s AI Security Institute has been permitted to test Mythos and acted on findings, while Germany has opened dialogue but not gained access, prompting concerns about private-sector control over a potent security-focused AI.

AISI Urges Cybersecurity Basics After Mythos Test Guidance

🔐 The UK’s AI Security Institute (AISI) evaluated Anthropic’s Claude Mythos Preview and found it can autonomously discover and exploit vulnerabilities in controlled tests when given network access. In a 32‑step simulated corporate attack the model completed the full sequence in 3 of 10 runs and averaged 22 of 32 steps, though performance varied. AISI stresses these cyber ranges are easier than real environments and recommended organisations strengthen basics — timely patching, robust access controls, secure configuration and comprehensive logging — while also exploring AI to bolster defensive capabilities.

Anthropic's Mythos Spurs Structural Cybersecurity Shift

⚠️ A new Cloud Security Alliance (CSA) briefing warns that Anthropic's Claude Mythos (Preview) marks a structural shift in cybersecurity. The model can autonomously discover and exploit thousands of vulnerabilities and orchestrate attacks at speeds that compress discovery-to-weaponization from weeks to hours. The paper — informed by leading security figures — says Mythos is not an outlier and urges CISOs to build Mythos-ready programs, harden fundamentals, and elevate the issue to the board.

Anthropic’s Mythos Preview and Project Glasswing Risks

🔍 Anthropic's new Claude Mythos Preview and its Project Glasswing effort have focused industry attention on AI-driven cyberattack capabilities. Anthropic says it will not release the model publicly, citing the risk that it can automatically generate operational exploits, and is running the model against public and proprietary code to find and patch vulnerabilities before they can be weaponized. The announcement produced substantial PR impact, prompting rival vendors to echo similar caution. Security observers note defenders still hold an advantage—finding flaws is easier than turning them into attacks—but that margin is shrinking as models improve.

Weekly Recap: PDF Zero-Day, AI Exploits, Fiber Spying

🔔 Emergency updates address a critical PDF zero‑day in Adobe Acrobat Reader (CVE-2026-34621, CVSS 8.6) that executes malicious JavaScript when specially crafted documents are opened. The report also highlights Anthropic's Mythos being used as an exploit-generation engine, state-linked interference with infrastructure, and research showing telecom optical fibers can be abused for acoustic eavesdropping. Prioritize patching, credential hygiene, and detection for fileless and AI-driven attacks.

AI Claude Rapidly Finds 13-Year ActiveMQ RCE Bug Exploit

🔍 Researchers at Horizon3.ai used Anthropic’s Claude to rapidly identify a critical remote code execution vulnerability in Apache ActiveMQ Classic that persisted for roughly 13 years. The flaw (CVE-2026-34197) allows misuse of the Jolokia management API—for example via addNetworkConnector—to load a malicious remote Spring XML and execute arbitrary Java/system commands. While the issue requires authentication in principle, default credentials remain common and a separate vulnerability in some 6.x builds can expose Jolokia without auth, turning it into an unauthenticated RCE. Apache has released patches in 5.19.4 and 6.2.3; administrators should upgrade and restrict access to management interfaces immediately.

Sen. Sanders Discusses AI and Privacy: Claude Exchange

💬 Sen. Bernie Sanders engaged the AI assistant Claude in a public conversation about AI and privacy, probing how such systems handle personal data and the policy implications. Bruce Schneier observes that Claude's answers were 'actually pretty good,' indicating that large language models can inform lawmakers while also raising privacy and regulatory questions.

Anthropic unveils Project Glasswing to find critical bugs

🔍 Anthropic has launched Project Glasswing, an initiative that uses Claude Mythos Preview to autonomously locate and remediate undiscovered cybersecurity vulnerabilities in critical software. The private model — described by Anthropic as highly capable for coding and agentic tasks — was tested with launch partners including AWS, Google and Microsoft and reportedly found thousands of previously unidentified zero-day flaws. Anthropic committed up to $100m in usage credits and $4m in donations to support open-source security while keeping Mythos Preview restricted to defenders with guardrails.