Anthropic Mythos security discoveries dominated the cybersecurity news cycle — across two very different but deeply connected stories. Researchers at Palo Alto-based cybersecurity firm Calif used Anthropic’s Claude Mythos Preview to build a working privilege escalation exploit targeting macOS 26.4.1 on Apple M5 silicon. The exploit bypassed Apple’s most advanced security feature — Memory Integrity Enforcement (MIE) — in approximately five days.
Meanwhile, Anthropic agreed to brief the Financial Stability Board (FSB) — the global body coordinating financial regulation for G20 economies — on vulnerabilities Mythos has identified across the global banking system. Both stories point to the same conclusion. Mythos is not just a cybersecurity tool. It is a fundamental challenge to how digital infrastructure has been built.
What’s Happening & Why It Matters
Five Days to Break Five Years of Work
Calif CEO Thai Dong described the macOS discovery’s significance with precision. “This work is a glimpse of what is coming for hardware and software built in a world before Mythos Preview.” The researchers developed a data-only kernel local privilege escalation chain — a type of exploit that corrupts the Mac’s memory without leaving the kind of footprint traditional malware uses. Notably, it does not rely on a single attack vector. Instead, it chains two distinct macOS bugs together with several additional techniques. Once the memory corruption succeeds, the exploit gains access to parts of the device that should be completely inaccessible.
The specific target is significant. Apple’s Memory Integrity Enforcement system launched with the iPhone 17 lineup in September 2025. It is built around ARM’s Memory Tagging Extension technology. Apple engineers spent approximately five years developing MIE to block precisely the class of attacks Mythos helped identify. Calif’s researchers broke through it in five days after receiving access to Mythos in April 2026. Dong confirmed the attack “couldn’t have been pulled off by Mythos alone” — human expertise was required throughout. By contrast, Mythos accelerated bug identification and exploit development in ways no prior tool could match.
What Mythos Actually Did on macOS

The exploit chain starts from an unprivileged local user account. From there, it escalates to a root shell — full administrative access — using only standard macOS system calls, two vulnerabilities, and several exploit techniques. A root shell on a Mac means complete control. Combined with other attacks, this exploit could allow a malicious actor to seize the machine entirely.
Apple has not confirmed whether it has patched the vulnerabilities. The company told The Wall Street Journal: “Security is our top priority, and we take reports of potential vulnerabilities very seriously.” An Apple spokesperson confirmed the company is “reviewing and validating” the findings. The Calif team delivered a 55-page report to Apple’s Cupertino headquarters in person. Dong expects the bugs “will likely be fixed pretty quickly.” Critically, Calif has not published the exploit code or full technical details. Those remain embargoed until Apple addresses the underlying issues.
Why Mythos Found the Bugs So Fast
The speed of the discovery reflects a specific strength. Mythos Preview can identify bugs that “belonged to known classes” — categories of vulnerability that human researchers recognise but struggle to locate manually across millions of lines of code. At scale, pattern recognition of this kind can compress months of human security research into days. That is the core value proposition of Mythos for defensive security — and the core danger if the same capability falls into the hands of malicious actors.
Anthropic launched Project Glasswing in April 2026, specifically to prevent exactly that scenario. The initiative gives select partners controlled access to Mythos for defensive purposes only. Project Glasswing participants include Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. In practice, Glasswing is a structured attempt to use a dangerous tool safely — allowing partners to find and fix vulnerabilities before adversaries can exploit them.
What Mythos Has Already Found Across Other Systems
The macOS discovery is not an isolated result. Mozilla previously announced that Mythos identified and helped patch 271 vulnerabilities in its latest Firefox release. Anthropic has stated Mythos has already identified thousands of high-severity vulnerabilities across every major operating system and web browser. In internal testing, when directed to develop working exploits against identified flaws, Mythos succeeded on the first attempt in more than 83% of cases. That figure prompted Bank of England Governor Andrew Bailey to act.
Beyond that, OpenAI launched its own cybersecurity initiative in direct response to Project Glasswing — called Daybreak — using multiple AI models, including a specialised security agent called Codex. The competitive dynamic is notable. Mythos’s public demonstrations have prompted the entire frontier AI industry to build equivalent defensive security programmes. By contrast, Mythos remains the only model whose operators explicitly refused to release it publicly because of its offensive capability.
The FSB Briefing: Banking’s Systemic Exposure
The second major story broke on 18 May. Anthropic agreed to brief the Financial Stability Board on cybersecurity vulnerabilities Mythos has identified across the global financial system. The FSB coordinates financial regulations for all G20 economies.
Its members include finance ministries, central banks, and securities regulators from the United States, the United Kingdom, Japan, Germany, China, and others. The briefing was requested directly by the FSB chair and Bank of England Governor Andrew Bailey. Bailey had flagged Mythos by name in a 15 April speech at Columbia University. He described it alongside the Iran conflict as one of two events that had elevated cyber to the top of financial regulators’ risk rankings “faster than any other category in recent years.”
The FSB welcomed the engagement formally. “The FSB welcomes engagement with Anthropic and other firms on emerging and frontier risks to global financial stability,” a spokesperson stated. That institutional response is measured but clear. The global body responsible for preventing another 2008-style systemic financial crisis believes AI-powered vulnerability discovery represents a potential systemic risk.
Why Banks Are Particularly Exposed
The financial sector’s specific vulnerability to Mythos-class tools is structural. Banks operate on legacy technology infrastructure — some of it decades old. Core banking systems at major institutions run on COBOL code written in the 1960s and 1970s. That code has accumulated vulnerabilities that have never been properly audited. Modern AI vulnerability scanning at Mythos’s capability level could identify exploitable weaknesses in these legacy systems faster than any bank’s security team could respond.
At the same time, the Federal Reserve and US Treasury convened the chief executives of major American banks to discuss Mythos’s implications. UK banks received their own Mythos briefing within days of Bailey’s Columbia speech. By contrast, the major Asian financial centres have not yet received equivalent briefings — a gap the FSB session is intended to begin closing. The briefing is not a warning. It is a recognition that systemic risk assessment now requires understanding what AI-powered offensive capability looks like at Mythos’s level.
The Dual-Use Dilemma in Its Sharpest Form

Mythos is not a malicious tool. Anthropic built it to find vulnerabilities before attackers can. Project Glasswing partners use it to strengthen their own systems. In that sense, the macOS discovery is a success story — a sophisticated exploit identified, documented, and handed to Apple before any malicious actor independently discovered it. At the same time, the existence of that capability creates a new category of risk. If Mythos can break Apple’s best-ever security feature in five days, and if comparable capability eventually becomes available to well-resourced adversarial actors, the entire assumption underlying modern cybersecurity — that the attack surface is too large to map comprehensively — no longer holds.
Calif’s description of its work as “a glimpse of what is coming” is not hyperbole. It is a structural observation. Hardware and software built before Mythos-class tools existed were built under assumptions about the feasibility of exhaustive vulnerability scanning that are no longer valid.
TF Summary: What’s Next
Apple is reviewing the Calif findings. A patch for the macOS MIE exploit is expected quickly — Dong indicated confidence that the fixes would arrive soon. Full technical details and exploit code remain embargoed until that patch ships. WWDC 2026 begins on 8 June — a logical venue for Apple to address the vulnerability publicly. The FSB briefing from Anthropic has no confirmed date. It will be delivered to finance ministries and central banks under the FSB’s umbrella, coordinating awareness across G20 financial systems simultaneously.
MY FORECAST: Anthropic Mythos security discoveries will produce two institutional outcomes within six months. First, Apple will quietly accelerate its Memory Integrity Enforcement architecture to close not just the two specific bugs Calif identified, but the broader class of memory corruption vulnerabilities that Mythos found so quickly. The 55-page Calif report contains more than the public summary reveals. Second, the FSB briefing will produce the first coordinated global financial sector response to AI-powered vulnerability discovery — a framework for how central banks, systemic banks, and financial infrastructure operators should inventory and prioritise legacy code vulnerabilities using AI scanning tools. That framework will take 12 to 18 months to develop. In the meantime, every major financial institution is quietly asking Mythos partners to run the same kind of scan that Calif ran on macOS — before someone less principled does it first.

