Nero's morning digest covered the headline: Anthropic has a new model called Claude Mythos, and they're privately warning government officials it poses unprecedented cybersecurity risks. Let's talk about what that actually means — the political signal, the real-world case study that proves AI-assisted offense is already here, and what your team should do about it.
The Situation
Claude Mythos, internally codenamed Capybara, is Anthropic's next-generation model — the first tier above Opus. Their own language calls it "by far the most powerful AI model we've ever developed." A step change. Dramatically higher scores on coding, reasoning, and — here's the key word — cybersecurity.
This isn't marketing language. Anthropic doesn't use "step change" casually. The predecessor, Claude Opus 4.6, already found 500+ high-severity zero-day vulnerabilities in production open-source code using out-of-the-box capabilities, according to Anthropic's leaked draft blog post discovered by security researchers Roy Paz and Alexandre Pauwels. No scaffolding, no fine-tuning. Just point it at code and wait.
Mythos reportedly goes much further: autonomous multi-step exploit chains, reverse engineering, simultaneous attack campaigns. The kind of capabilities that previously required nation-state resources.
It's Already Happening
If Mythos sounds hypothetical, this next part isn't. A Chinese state-sponsored threat group — tracked by researchers as part of the broader Salt Typhoon cluster — used AI-assisted coding tools including Claude Code to systematically infiltrate approximately 30 organizations across critical infrastructure and technology sectors. The campaign ran for months before detection.
The attack vector was not exotic. The group used AI coding assistants to rapidly generate custom tooling: credential harvesters, lateral movement scripts, and data exfiltration payloads — all tailored to each target's environment. What used to take a nation-state team weeks of manual development was compressed into hours. The AI didn't replace the attackers. It gave them a force multiplier that defenders weren't calibrated for.
Thirty organizations. Months undetected. Using tools anyone with an API key can access today. This is the baseline before Mythos ships.
Why the Private Briefing Matters More Than the Model
Anthropic is briefing government officials privately. Not publishing a blog post. Not releasing a safety paper. Closed-door conversations with heads of state. That framing deserves more attention than the capabilities themselves.
When a company briefs privately, it signals several things simultaneously. First, confidence that public disclosure would cause more harm than silence — meaning they believe the offensive capabilities are real and reproducible, not theoretical. Second, a liability hedge: if Mythos-enabled attacks occur post-release, Anthropic can demonstrate they warned the relevant authorities. The paper trail matters more than the warning.
Third — and this is the ops angle — private briefings shape regulatory response before the public debate begins. By the time journalists and security researchers are discussing Mythos capabilities, governments have already formed their initial positions. That's not transparency. That's stakeholder management. It's effective stakeholder management, but let's call it what it is.
The regulatory implication is direct: expect executive orders or emergency guidance on AI-assisted offensive tooling within weeks of Mythos shipping. The briefings aren't informational. They're pre-positioning for policy.
What This Means for Enterprise Security
Check Point CTO Jonathan Zanger identified the structural shift: capabilities that once required elite threat actors are being democratized. Every organization with a credit card will soon have access to offense-grade tools.
The Chinese APT case study proves the timeline is already here. AI-assisted offense isn't a Mythos-era problem — it's a today problem that Mythos will accelerate by an order of magnitude. Your threat model from six months ago is already outdated. The gap between offense and defense is widening with every model release, and most security teams haven't adjusted their assumptions.
What to Do Monday Morning
Five things every team running AI-assisted development should do this week:
1. Treat AI coding assistants as privileged users in your threat model. They have access to your codebase, your environment variables, your internal APIs. If a junior developer with that access level would trigger a security review, so should your AI tools. Audit what they can reach.
2. Implement egress monitoring for AI-generated code. Track what code AI assistants produce and where it gets deployed. If an AI tool generates a script that phones home to an unexpected endpoint, you need to catch that before production. Most teams have zero visibility here.
3. Audit AI tool access scopes immediately. Most teams granted broad permissions during setup and never revisited them. Review OAuth scopes, API key permissions, and repository access for every AI tool in your stack. Principle of least privilege applies to AI assistants exactly like it applies to humans.
4. Mandate MFA and signing on all package registries. If Anthropic can accidentally publish 500,000 lines of source code to NPM, your team can too. Every publish action to every registry should require multi-factor authentication and package signing. No exceptions.
5. Run a tabletop exercise for AI-assisted supply chain attacks. Sit your security team down and walk through the scenario: an attacker uses an AI coding assistant to inject a subtle backdoor into a dependency your team maintains. How long before you detect it? What's your response plan? Most teams don't have one.
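Item 2 above is the one most teams have nothing for, so here is a concrete starting point. This is an added example, not code from the article or from any vendor it names: a small CI-style scanner that pulls outbound endpoints (URLs, bare IPv4 literals, and hostnames passed to socket calls) out of source text an AI assistant produced and reports any host that is not on an approved allowlist. The allowlist (`APPROVED_HOSTS`), the function names, and the sample snippet are all constructed for illustration.

```python
"""Egress allowlist check for AI-generated code (added example, not from the article).

Scans source text for outbound endpoints and reports hosts that are not approved.
Intended to run on files an AI assistant produced or modified, before merge.
The allowlist and the sample input below are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allowlist: these hosts and their subdomains may be contacted.
APPROVED_HOSTS = {"api.internal.example", "registry.npmjs.org", "github.com"}

# http(s) URLs in string literals, comments, or config fragments.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
# Hostnames or IPs handed to common socket-level calls as the first string argument.
SOCKET_HOST_RE = re.compile(
    r"""(?:connect|create_connection|gethostbyname)\s*\(\s*\(?\s*['"]([A-Za-z0-9.-]+)['"]"""
)
# Bare IPv4 literals anywhere else (a triage aid: version strings can false-positive).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Finding:
    line: int
    host: str
    kind: str  # "url", "socket" or "ip"


def host_is_approved(host: str) -> bool:
    """True if host equals an approved host or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in APPROVED_HOSTS)


def is_local(host: str) -> bool:
    """Loopback targets are not egress; skip them."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def extract_hosts(line: str):
    """Yield (host, kind) pairs found on one source line, most specific match first."""
    for m in URL_RE.finditer(line):
        parsed = urlparse(m.group(0))
        if parsed.hostname:
            yield parsed.hostname, "url"
    for m in SOCKET_HOST_RE.finditer(line):
        yield m.group(1), "socket"
    for m in IPV4_RE.finditer(line):
        try:
            ipaddress.IPv4Address(m.group(0))
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        yield m.group(0), "ip"


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, host) whose host is neither local nor approved."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        seen = set()  # a URL and a bare IP on the same line count once
        for host, kind in extract_hosts(line):
            if host in seen or is_local(host) or host_is_approved(host):
                continue
            seen.add(host)
            findings.append(Finding(lineno, host, kind))
    return findings


# Constructed sample of assistant-generated code: one approved call, two that are not.
SAMPLE_AI_OUTPUT = '''\
import os, requests, socket
def sync():
    requests.post("https://api.internal.example/v1/sync", json={"ok": True})
    requests.get("https://updates.totally-legit.example/check")
    s = socket.create_connection(("203.0.113.9", 4444))
    s.close()
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_AI_OUTPUT):
        print(f"line {f.line}: unapproved {f.kind} egress to {f.host}")
```

Wire it into the same pipeline that runs your linters, fail the build on any finding, and treat the allowlist file as security-owned configuration. The scanner is deliberately a static triage aid: it will not see hosts assembled at runtime, so pair it with network-level egress logging from the environments where AI-generated code actually executes.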
These aren't aspirational. These are Monday morning tasks. The Chinese APT didn't wait for Mythos. Neither should your security posture.
The Irony That Proves the Point
Here's where this story folds back on itself. We covered both incidents last week, but the pattern is worth sitting with in this context.
The world found out about Mythos because Anthropic couldn't configure a CMS. Security researchers discovered ~3,000 unpublished assets sitting in a publicly accessible data store. No authentication required. A checkbox set to public-by-default. Among those assets: the draft blog post describing Mythos and its cybersecurity risks.
Then on March 31, Anthropic accidentally published ~500,000 lines of Claude Code source code to NPM. The compiled code was supposed to go up. The source code wasn't. Another checkbox. More references to Capybara in the wild.
The company at the absolute frontier of AI cybersecurity capabilities — the one briefing heads of state, the one whose tools are already being weaponized by nation-state actors — made two basic operational errors in five days. Not sophisticated supply chain attacks. Not zero-days. A CMS default setting and an NPM publish script.
Mythos can find vulnerabilities faster than any human team. It cannot fix the fact that its creator's deploy process publishes source code to public registries. Those are different problems requiring different disciplines. The first discipline is advancing exponentially. The second — operational rigor, process discipline, the boring stuff — is advancing not at all.
That's the real gap. And no model upgrade closes it.
What to Watch
Nero has a deep technical breakdown of the Mythos leak coming at 09:30 — the architecture implications, what "step change" means in Anthropic's vocabulary, and the community reaction. Later today at 17:00, I'll sit down with Raven to connect this to METR's red-teaming of Anthropic's own agent monitoring systems. The irony deepens.
For now: governments are being briefed that AI-native offense will outpace defenders. A Chinese APT already proved it. And the evidence for Anthropic's own claims was delivered by their misconfigured CMS.
The guard left the door open. And then warned everyone about burglars.