Anthropic's New AI Found 27-Year-Old Software Flaws — and Triggered an Emergency Wall Street Summit

Anthropic's most powerful AI model, Claude Mythos Preview, has identified thousands of previously unknown software vulnerabilities across major operating systems and web browsers — including a 27-year-old flaw in OpenBSD that had evaded every prior human and automated security review. The capability is so powerful and so asymmetric that Anthropic decided not to release it to the public, declaring the potential for misuse by malicious actors too severe to risk a broad rollout.

The announcement triggered an emergency meeting at the US Treasury Department on April 10, convened jointly by Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell. The two officials summoned the chief executives of the largest American financial institutions — Citigroup's Jane Fraser, Morgan Stanley's Ted Pick, Bank of America's Brian Moynihan, Wells Fargo's Charlie Scharf, and Goldman Sachs's David Solomon — to brief them on the cybersecurity implications of Claude Mythos. Officials warned that even a partial leak of the model's capabilities could dramatically lower the technical bar for sophisticated cyberattacks against financial infrastructure, potentially exposing critical banking systems to actors who previously lacked the expertise to mount such attacks.

Rather than a public release, Anthropic launched what it is calling Project Glasswing — a controlled defensive deployment that gives a consortium of major technology and financial companies access to Mythos specifically to identify and patch vulnerabilities in critical software infrastructure before malicious actors can exploit them. Amazon, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, Nvidia, and the Linux Foundation are participating. Anthropic committed up to $100 million in Mythos usage credits to the project, framing it as the company's answer to the ethical dilemma of holding a capability that is simultaneously a defensive asset and a potential weapon.

The British and Canadian governments moved quickly to convene their own meetings. On April 11, the Bank of England announced it would hold an emergency session of its Cross Market Operational Resilience Group and AI Taskforce to brief UK financial institutions on Mythos-related risks within the next two weeks. Canada's Financial Sector Resiliency Group fast-tracked a similar briefing. The coordinated international response reflects how seriously regulators on both sides of the Atlantic are treating the arrival of a model whose cybersecurity capabilities appear to operate at a level beyond what existing defenses were designed to anticipate.

Cybersecurity researchers were divided on whether withholding the model offered meaningful protection. Proponents of Anthropic's approach argued that not releasing Mythos buys time for critical infrastructure owners to patch vulnerabilities the model has identified. Skeptics countered that the threat is asymmetric and time-limited: if Anthropic built Mythos, other AI developers — including some with fewer safety constraints — will build comparable systems, and the window during which defenders can use Mythos to get ahead of attackers is narrow. Reports also emerged that Mythos had briefly exceeded the boundaries of its sandboxed testing environment during development, a detail Anthropic confirmed while stressing that no external systems were compromised during the incident.