Sign in Subscribe
4 min read Threat Intelligence & Security News

Claude Mythos Preview: Project Glasswing Solves One Problem. Here Are the Other Two

A glasswing butterfly resting on a green leaf, its transparent wings revealing the leaf surface beneath
The glasswing butterfly is named for wings that show exactly what lies behind them. Anthropic chose the name deliberately. The question is what Glasswing the project is designed to reveal, and what sits outside its field of view. - Photo by Ben Berwers / Unsplash

April 2026

On 7 April 2026, Anthropic announced that Claude Mythos Preview had autonomously found thousands of zero-day vulnerabilities across every major operating system and web browser. The response was extraordinary. Federal Reserve Chair Jerome Powell and Treasury Secretary Scott Bessent called an emergency meeting with the CEOs of America's largest banks. The heads of Goldman Sachs, Citigroup, Morgan Stanley, Bank of America, and Wells Fargo attended. JPMorgan's Jamie Dimon, himself a Project Glasswing launch partner, could not make it, though he had already written in his annual letter that cybersecurity "remains one of our biggest risks" and that "AI will almost surely make this risk worse."

When regulators convene Wall Street at short notice over a single AI model, it is not a routine product release.

Project Glasswing addresses what AI can find. It does not address the attack surface that AI is simultaneously building.

Project Glasswing, the coordinated defensive initiative Anthropic built around Mythos Preview, brings together AWS, Apple, Google, Microsoft, NVIDIA, CrowdStrike, and over 40 additional organisations. They have early access to the model to scan and harden their own systems before the vulnerabilities Mythos finds can be weaponised. Anthropic is backing it with $100 million in usage credits and $4 million in donations to open source security organisations. The scale and intent are genuine.

It addresses one attack path.

The Dominant Threat Has Always Been the Human Layer

Not everyone in the security community is treating this as a watershed moment. David Sacks wrote that it is "hard to ignore that Anthropic has a history of scare tactics." Marcus Hutchins, the researcher who stopped WannaCry and now principal threat researcher at Expel, made a more substantive point: attackers have long relied on social engineering and phishing to gain access without ever needing a novel vulnerability. Defenders, he argued, hold the resource advantage when it comes to building AI systems at this scale.

Both observations are worth sitting with. They do not, however, account for what is already happening below the vulnerability discovery layer.

Most breaches do not start with a zero-day. They start with a phishing email, a misconfigured service account, an MFA prompt approved at the wrong moment, or a helpdesk agent socially engineered into a password reset. AI accelerates all of those paths too. Spear phishing that previously required skilled manual targeting can now be produced at volume with accurate contextual detail drawn from automated OSINT. Automated reconnaissance maps misconfigured assets faster than any human red team. The human and configuration layer of the attack surface does not get harder to exploit because Glasswing exists.

A Mythos-ready programme that focuses on vulnerability management is better than what most organisations had six months ago. It still leaves this layer largely unaddressed.

The Attack Surface Is Growing Faster Than the Response

There is a second problem the Glasswing conversation has not fully absorbed. The attack surface itself is in active expansion, and it is happening before Mythos-class capability is widely available.

The agentic ecosystem is already producing observable incidents with no established security baseline. Antiy CERT documented 1,184 malicious skills across ClawHub before coordinated disclosure. Trend Micro found 492 MCP servers exposed to the internet with zero authentication controls. Check Point Research disclosed remote code execution in Claude Code through poisoned repository configuration files. The CyberDesserts investigation into OpenClaw documented this pattern in detail: security was not a design consideration in the early agentic marketplace, and attackers found it before defenders had finished mapping the surface.

OpenClaw: When AI Agent Marketplaces Become a Supply Chain Risk

Anthropic's own Glasswing announcement is unambiguous on the compounding factor: open source software constitutes the vast majority of code in modern systems, including the systems AI agents use to write new software. Developer teams shipping production code through coding agents, often without security review and often without awareness of what those agents are introducing, are adding to a vulnerability population that grows faster than any audit cycle can cover.

The Glasswing partner programme covers around 50 organisations. Anthropic's own head of frontier red teaming told Axios that other labs are six to eighteen months from producing models with comparable capabilities. The curl project maintainer noted that significant critical internet infrastructure projects were not included. The window is time-limited and the surface keeps expanding.

What the Response Needs to Cover

Glasswing is a meaningful step. Treating it as a complete answer is the risk.

The response needs to work across all three layers simultaneously: the vulnerability management problem Glasswing was built for, the agentic attack surface already generating incidents, and the human and configuration layer that remains the dominant breach path regardless of what AI can now do with zero-days.

The fundamentals compound. Phishing-resistant MFA, access review cadence, dependency hygiene, and detection engineering for agentic tooling are not alternatives to the Glasswing response. They are the rest of it.

Auditing the npm Supply Chain

The CSA and SANS community response to Mythos, co-authored by 250 CISOs with contributors from Google, NSA, and CISA, is available as a working draft at the Cloud Security Alliance. Follow CyberDesserts for ongoing coverage as this story develops.

Subscribe for Updates

References

  • Anthropic. (2026, April 7). Project Glasswing: Securing critical software for the AI era. https://www.anthropic.com/glasswing
  • Evron, G. et al. (2026, April 12). The "AI Vulnerability Storm": Building a "Mythos-ready" Security Program [Draft]. Cloud Security Alliance / SANS Institute.
  • Antiy CERT. (2026). OpenClaw malicious skill analysis. [Via CyberDesserts primary research — https://blog.cyberdesserts.com/openclaw-malicious-skills-security/]
  • Check Point Research. (2026). Remote code execution in Claude Code via poisoned repository configs.
  • Trend Micro. (2026). MCP server exposure analysis.
  • Hutchins, M. (2026, April). Comments on Claude Mythos economics. Via Cybernews. https://cybernews.com/ai-news/hutchins-questions-anthropic-mythos-bug-hunting-ai/
  • CNBC / Bloomberg. (2026, April 10). Powell, Bessent discussed Anthropic's Mythos AI cyber threat with major US banks.
  • Dimon, J. (2026). JPMorgan Chase Annual Letter to Shareholders.
  • Logan Graham, Anthropic head of frontier red teaming. Via Axios, April 2026.
LinkedIn Post
Copy Link

Published by:

Shakel Ahmed

You might also like...

08
Apr
Scattered Spider: The Attack Chain, Hard Lessons, and What Comes Next

Scattered Spider: The Attack Chain, Hard Lessons, and What Comes Next

April 2026 Scattered Spider is a financially motivated cybercrime collective responsible for some of the most disruptive attacks in recent
17 min read
07
Apr
Developer desk with a "No Bad Days" sign, keyboard, coffee mug and monitor taken before the axios npm supply chain attack made March 31 2026 a very bad day

Axios NPM Supply Chain Attack (2026): What Happened and What to Do

On March 31, 2026, two malicious versions of the axios npm package were published using a compromised maintainer account. The
8 min read
04
Apr
Laptop displaying code in a dark environment with blue and pink lighting, illustrating the developer tooling decisions at the centre of Anthropic's OpenClaw subscription change.

Anthropic Cuts OpenClaw Off Claude Subscriptions And It's Just the Start

Last updated: 5 April 2026 | What's changed: Initial publication covering April 4 enforcement. Get updates like this delivered
3 min read
31
Mar
A ginger cat viewed from behind, sitting in front of a blurred monitor displaying code

What Censys's OpenClaw Count Reveals That February's Headlines Did Not

31st March 2026 OpenClaw's internet-facing exposure has fallen sharply since the February 2026 peak. Public scrutiny, repeated security
9 min read
18
Mar
Targeting Firewalls And VPN Appliances

Why Ransomware Groups Are Targeting Firewalls and VPN Appliances

Updated March 2026: Analysis of the Interlock ransomware campaign exploiting a zero-day in Cisco Secure Firewall Management Center, based on
9 min read

Member discussion