< ciso
brief />
Tag Banner

All news with #anthropic tag

220 articles · page 6 of 11

AISI Urges Cybersecurity Basics After Mythos Test Guidance

🔐 The UK’s AI Security Institute (AISI) evaluated Anthropic’s Claude Mythos Preview and found it can autonomously discover and exploit vulnerabilities in controlled tests when given network access. In a 32‑step simulated corporate attack the model completed the full sequence in 3 of 10 runs and averaged 22 of 32 steps, though performance varied. AISI stresses these cyber ranges are easier than real environments and recommended organisations strengthen basics — timely patching, robust access controls, secure configuration and comprehensive logging — while also exploring AI to bolster defensive capabilities.
read more →

Anthropic's Mythos Spurs Structural Cybersecurity Shift

⚠️A new Cloud Security Alliance (CSA) briefing warns that Anthropic's Claude Mythos (Preview) marks a structural shift in cybersecurity. The model can autonomously discover and exploit thousands of vulnerabilities and orchestrate attacks at speeds that compress discovery-to-weaponization from weeks to hours. The paper — informed by leading security figures — says Mythos is not an outlier and urges CISOs to build Mythos-ready programs, harden fundamentals, and elevate the issue to the board.
read more →

Anthropic’s Mythos Preview and Project Glasswing Risks

🔍 Anthropic's new Claude Mythos Preview and its Project Glasswing effort have focused industry attention on AI-driven cyberattack capabilities. Anthropic says it will not release the model publicly, citing the risk that it can automatically generate operational exploits, and is running the model against public and proprietary code to find and patch vulnerabilities before they can be weaponized. The announcement produced substantial PR impact, prompting rival vendors to echo similar caution. Security observers note defenders still hold an advantage—finding flaws is easier than turning them into attacks—but that margin is shrinking as models improve.
read more →

Weekly Recap: PDF Zero-Day, AI Exploits, Fiber Spying

🔔 Emergency updates address a critical PDF zero‑day in Adobe Acrobat Reader (CVE-2026-34621, CVSS 8.6) that executes malicious JavaScript when specially crafted documents are opened. The report also highlights Anthropic's Mythos being used as an exploit-generation engine, state-linked interference with infrastructure, and research showing telecom optical fibers can be abused for acoustic eavesdropping. Prioritize patching, credential hygiene, and detection for fileless and AI-driven attacks.
read more →

AI Claude Rapidly Finds 13-Year ActiveMQ RCE Bug Exploit

🔍 Researchers at Horizon3.ai used Anthropic’s Claude to rapidly identify a critical remote code execution vulnerability in Apache ActiveMQ Classic that persisted for roughly 13 years. The flaw (CVE-2026-34197) allows misuse of the Jolokia management API—for example via addNetworkConnector—to load a malicious remote Spring XML and execute arbitrary Java/system commands. While the issue requires authentication in principle, default credentials remain common and a separate vulnerability in some 6.x builds can expose Jolokia without auth, turning it into an unauthenticated RCE. Apache has released patches in 5.19.4 and 6.2.3; administrators should upgrade and restrict access to management interfaces immediately.
read more →

Sen. Sanders Discusses AI and Privacy: Claude Exchange

💬 Sen. Bernie Sanders engaged the AI assistant Claude in a public conversation about AI and privacy, probing how such systems handle personal data and the policy implications. Bruce Schneier observes that Claude's answers were 'actually pretty good,' indicating that large language models can inform lawmakers while also raising privacy and regulatory questions.
read more →

Anthropic unveils Project Glasswing to find critical bugs

🔍 Anthropic has launched Project Glasswing, an initiative that uses Claude Mythos Preview to autonomously locate and remediate undiscovered cybersecurity vulnerabilities in critical software. The private model — described by Anthropic as highly capable for coding and agentic tasks — was tested with launch partners including AWS, Google and Microsoft and reportedly found thousands of previously unidentified zero-day flaws. Anthropic committed up to $100m in usage credits and $4m in donations to support open-source security while keeping Mythos Preview restricted to defenders with guardrails.
read more →

Anthropic's Claude Mythos Identifies Thousands of Zero‑Days

🔐 Anthropic launched Project Glasswing to apply a preview of its frontier model, Claude Mythos, to find and help remediate security vulnerabilities in critical software. The company says Mythos Preview has already identified thousands of high‑severity zero‑day flaws and autonomously developed complex exploits in testing. Access is restricted to a small set of vendors and foundations due to abuse risks. Anthropic committed significant usage credits and donations to support coordinated defensive patching while acknowledging prior operational leaks and the risk that the same capabilities could be misused.
read more →

Claude-assisted discovery of long-hidden ActiveMQ RCE

🔎 Horizon3.ai researchers used Anthropic's Claude to help uncover a remote code execution vulnerability, CVE-2026-34197, in Apache ActiveMQ Classic that reportedly persisted for about 13 years. The flaw allows an attacker to invoke Jolokia management operations to fetch a remote configuration file and execute arbitrary OS commands; default admin:admin credentials or prior exposure via CVE-2024-32114 can make exploitation trivial. Patches are available in versions 5.19.4 and 6.2.3, and administrators are advised to update, remove default credentials, and inspect broker logs for signs of compromise.
read more →

Anthropic's Project Glasswing and the AI Bug-Hunting Shift

🔎 Anthropic's Project Glasswing uses Claude Mythos Preview to autonomously hunt software vulnerabilities and is being offered to a closed consortium of more than 40 organizations, including Amazon, Microsoft, Apple, Google and the Linux Foundation. Anthropic says early tests found thousands of high-severity flaws across operating systems, browsers, and other widely used software, including an allegedly 27-year-old OpenBSD bug. Security leaders warn the development could upend bug-bounty economics, push security upstream, shorten exposure windows, and raise dual-use control questions.
read more →

Building AI Defenses at Scale Before Threats Emerge

🛡️ At AWS, decades of scaled security operations combine with new AI collaborations to proactively harden critical systems. Through Project Glasswing and Anthropic’s Claude Mythos Preview, AWS runs continuous AI-driven code reviews and provides gated research previews via Amazon Bedrock. Complementary offerings include AWS Security Agent for autonomous penetration testing and Bedrock guardrails and Automated Reasoning to enforce enterprise controls and reduce risk.
read more →

Anthropic's Claude Mythos Preview Now on Vertex AI

🔒 Anthropic’s newest and most capable model, Claude Mythos Preview, is available in Private Preview to a select group of Google Cloud customers through Project Glasswing. Its placement on Vertex AI provides enterprises access to a frontier model integrated with Google Cloud’s tools to build, scale, and govern AI applications and agents. The announcement emphasizes high performance across use cases and a renewed focus on reducing cybersecurity risk in enterprise deployments.
read more →

CrowdStrike Joins Anthropic to Secure Frontier AI Globally

🔒 CrowdStrike announced it is a founding member of Project Glasswing, partnering with Anthropic to secure execution of frontier models like Mythos Preview where they run inside enterprises. CrowdStrike emphasizes its sensor-level visibility across endpoints, real-time AI Detection and Response, and Falcon Data Security to govern data and agent behavior at runtime. The company frames deployment governance as distinct from model safety and highlights regulatory and operational requirements for enterprise adoption.
read more →

Claude Code flaw allows bypass after 50 subcommands

🔒 A leaked copy of Claude Code has revealed a documented vulnerability that can be triggered when the tool receives more than 50 subcommands. Researchers at Adversa found that subcommands beyond the 50th bypass compute-intensive security analysis and instead elicit a simple user confirmation, creating a risky blind spot. Anthropic has developed a fix — a tree-sitter parser — but it is present only in internal code and not enabled in public builds that customers use.
read more →

Claude Code leak used to push infostealer malware on GitHub

⚠️ Threat actors are exploiting the recent Claude Code source-code leak to distribute the Vidar infostealer via fake GitHub repositories. Anthropic accidentally exposed a 59.8 MB JavaScript source map on March 31 that revealed 513,000 lines of TypeScript across 1,906 files, and copies rapidly proliferated on GitHub. Zscaler found a malicious repo optimized for search that lures users to download a 7‑Zip archive containing a Rust dropper, ClaudeCode_x64.exe, which deploys Vidar and the GhostSocks proxy. The archive is updated frequently and may carry additional payloads.
read more →

Claude/Mythos Leak: AI Accelerates Vulnerability Discovery

⚠️ Last week a leaked build of Anthropic's new model, Claude Capybara (also called Mythos), revealed substantially improved capabilities for automated vulnerability discovery, exploit development, and multi-step attack reasoning. The incident marks a turning point: frontier AI can compress attack lifecycles and enable scalable, novel exploitation techniques that were once the domain of advanced state actors. Security teams should treat this as a warning and accelerate risk assessments, patching, detection, and governance measures.
read more →

Claude Code Finds Zero-Day RCEs in Vim and GNU Emacs

🔎 Researcher Hung Nguyen used simple prompts with Anthropic’s Claude Code to rapidly discover zero-day remote code execution flaws in Vim and GNU Emacs, showing that legacy codebases can be probed far faster by advanced LLMs than by conventional fuzzing. Within minutes Claude Code located missing security checks and generated proof-of-concept exploit ideas, prompting a quick patch for Vim (CVE-2026-34714). Emacs' maintainers declined to treat the finding as an Emacs bug, pointing to Git and leaving suggested manual mitigations for affected releases. The episode highlights both the power of AI-assisted research and the attendant risks of simpler exploit development.
read more →

Anthropic's Claude Code Source Leaked via npm Packaging

🔓Anthropic confirmed that internal source code for its coding assistant Claude Code was inadvertently published after a packaging error when version 2.1.88 was released to npm. The package included a source map exposing nearly 2,000 TypeScript files and over 512,000 lines of code; the release has since been removed. Anthropic says no customer data or credentials were exposed and is implementing measures to prevent recurrence.
read more →

Anthropic Map File Error Exposes Claude Code Source

🔓 An Anthropic employee accidentally published a source map in a public npm package, which allowed the proprietary source for Claude Code to be reconstructed. Anthropic says this was a release packaging error and that no sensitive customer data or credentials were exposed, and that it is rolling out measures to prevent recurrence. Security experts warn that source maps reveal original code, comments, internal constants and prompts, making vulnerabilities and secrets easier to find; the same mistake reportedly occurred previously.
read more →

Anthropic accidentally publishes Claude Code source on NPM

🚨 Anthropic says it accidentally published the closed-source Claude Code source when an NPM release (v2.1.88) included a 60MB cli.js.map file that embedded original sources. The reconstructed tree contains roughly 1,900 files and 500,000 lines of code, and the leak has spread across GitHub and other platforms. Anthropic confirmed no customer data or credentials were exposed, called the incident a packaging error caused by human mistake, and is issuing DMCA takedowns while rolling out measures to prevent recurrence.
read more →