Anthropic Leaks Claude Code Source and Unveils Vulnerability‑Scanning AI Model “Mythos”
What Happened — Anthropic inadvertently published the full source code for its Claude Code model due to a packaging error. In the same announcement the company revealed “Mythos,” an AI system that can automatically discover and chain software vulnerabilities at a speed far beyond human analysts.
Why It Matters for TPRM —
- Exposed code gives adversaries insight into model architecture, training data pipelines, and potential implementation flaws.
- Mythos could lower the barrier for automated vulnerability discovery, increasing risk to any downstream customers that integrate Anthropic APIs.
- Third‑party risk programs must reassess the security posture of AI‑as‑a‑service providers and verify that code‑level controls are in place.
Who Is Affected — SaaS/AI vendors, enterprises that embed Anthropic APIs, and any downstream software supply chain relying on Claude Code or future Anthropic models.
Recommended Actions —
- Review contracts for code‑security clauses and breach‑notification obligations.
- Request a detailed post‑mortem from Anthropic, including any remediation steps and hardening of their CI/CD pipeline.
- Conduct a rapid risk assessment of any applications that consume Anthropic services; consider temporary mitigation (e.g., input sanitisation, additional code review).
Technical Notes — The leak stemmed from a mis‑packaged distribution artifact that included the entire repository. No CVE is currently associated, but the exposed code may contain undocumented vulnerabilities. Mythos is described as an AI that automates vulnerability discovery and chaining, potentially leveraging large‑language‑model techniques to generate exploit chains. Source: Graham Cluley – Smashing Security Podcast #463