Unauthorized Discord Group Accesses Anthropic’s Claude Mythos Preview Model
What Happened — A private Discord community of AI enthusiasts gained unauthorized access to Anthropic’s Claude Mythos preview model. The group leveraged credentials from a third‑party contractor and clues from a recent Mercor breach to locate the model’s endpoint. Anthropic is investigating but has not confirmed any malicious exploitation of the model.
Why It Matters for TPRM —
- Exposure of a “dangerous” AI model can accelerate vulnerability discovery for downstream vendors.
- Third‑party contractor access highlights the need for strict supply‑chain credential hygiene.
- Uncontrolled model distribution creates a new attack surface for AI‑driven exploits.
Who Is Affected — AI/ML SaaS providers, enterprises participating in Anthropic’s “Project Glasswing” (e.g., Nvidia, Apple, Amazon, Cisco), and any downstream customers that may integrate Mythos‑derived findings.
Recommended Actions —
- Review and tighten third‑party contractor access controls for AI model APIs.
- Enforce least‑privilege and just‑in‑time access for preview models.
- Conduct a risk assessment of any internal projects that rely on Mythos outputs.
- Monitor for anomalous usage patterns of Anthropic APIs and related cloud assets.
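One way to implement the monitoring action above, as an added example that is not code from Anthropic or the cited report: it scans API gateway records for a contractor key used from an unexpected network, for requests to models outside that key's intended scope, and for runs of distinct out-of-scope model names that suggest endpoint guessing. The log layout, key IDs, model IDs, IP addresses and policy tables are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows from a hypothetical API gateway log (not a real format):
# (timestamp, key_id, source_ip, model_id, http_status)
SAMPLE_LOG = [
    ("2025-01-01T09:00:00Z", "key-contractor-01", "198.51.100.7", "general-model-v1", 200),
    ("2025-01-01T23:10:00Z", "key-contractor-01", "203.0.113.50", "preview-model-a", 404),
    ("2025-01-01T23:10:05Z", "key-contractor-01", "203.0.113.50", "preview-model-b", 404),
    ("2025-01-01T23:10:09Z", "key-contractor-01", "203.0.113.50", "preview-model-c", 200),
    ("2025-01-02T08:00:00Z", "key-internal-07", "192.0.2.10", "preview-model-c", 200),
]

# Hypothetical policy tables: intended model scope and expected networks per key.
ALLOWED_MODELS = {
    "key-contractor-01": {"general-model-v1"},
    "key-internal-07": {"general-model-v1", "preview-model-c"},
}
KNOWN_SOURCES = {
    "key-contractor-01": {"198.51.100.7"},
    "key-internal-07": {"192.0.2.10"},
}


def detect(log, allowed, known_sources, guess_threshold=3):
    """Return alerts as (timestamp, key_id, kind, detail) tuples."""
    probed = defaultdict(set)   # key -> distinct out-of-scope model ids requested
    seen_sources = set()        # (key, ip) pairs already alerted on
    enumerating = set()         # keys already flagged for enumeration
    alerts = []
    for ts, key, ip, model, status in log:
        # 1. Credential used from a network not expected for that key.
        if ip not in known_sources.get(key, set()) and (key, ip) not in seen_sources:
            seen_sources.add((key, ip))
            alerts.append((ts, key, "new_source", ip))
        if model in allowed.get(key, set()):
            continue
        probed[key].add(model)
        # 2. Out-of-scope model answered: policy and enforcement disagree.
        if status == 200:
            alerts.append((ts, key, "out_of_scope_success", model))
        # 3. Many distinct out-of-scope ids from one key suggests name guessing.
        if len(probed[key]) >= guess_threshold and key not in enumerating:
            enumerating.add(key)
            alerts.append((ts, key, "model_enumeration", len(probed[key])))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ALLOWED_MODELS, KNOWN_SOURCES):
        print(alert)
```

An `out_of_scope_success` alert is the one to escalate first, since it means the key reached a model that the intended policy says it should not.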
Technical Notes — The attackers used a combination of credential theft (via a contractor) and educated guessing of the model’s URL, possibly aided by data leaked in the Mercor breach. No CVE is associated; the vector is a supply‑chain credential compromise. Data types at risk include model weights, prompts, and any vulnerability‑finding results generated by Mythos.
Source: https://www.databreachtoday.com/report-discord-group-uses-claudes-supposedly-secret-mythos-a-31484