Mozilla using Claude Mythos AI Preview to help fix major security issues in Firefox

Anthropic have been talking up their new Claude Mythos, which is apparently so powerful and dangerous at finding security vulnerabilities in various software that they've currently chosen to keep it private so only a few select companies and organisations have access to it in Project Glasswing.

in other news:

Anthropic confirms breach of Claude Mythos model and has launched an investigation into the unauthorized access, per bloomberg. Attackers used contractor login credentials of a compromised third party vendor and guessed internal URLs to access multiple unreleased models.

I have a feeling this isn't an LLM but an actual specialized AI system. The companies keep conflating different machine learning cases to drive their AGI narrative.

Quoting: AlveKattI have a feeling this isn't an LLM but an actual specialized AI system. The companies keep conflating different machine learning cases to drive their AGI narrative.

It's LLM, and might be nothing special, just marketing as usual: https://www.flyingpenguin.com/the-boy-that-cried-mythos-verification-is-collapsing-trust-in-anthropic/

LLM is just saying "large language model" and programming languages are very well structured languages. And it seems that Claude is specialized (or better "optimized") for programming languages, but it can also handle human languages and even has to (see commit messages and issue reports).

Of course it is in first place a PR campaign, but at least it becomes somehow helpful to find vulnerabilities. We still should not replace researchers and use such LLMs just as additional layer in the way of "four eyes see more than two".

There are still a lot of problems with these LLMs, even on this fully legit use case. It is still "endless" amount of energy on times of climate change, LLM trained on stolen data (so it is not GPL2.0 compatible - hello Linux kernel team) and these companies become new gate keepers to these super expensive technologies, at least for the next decades: how can I access Claude Mythos to find vulnerabilities in my own software that is not developed by such big players (maybe I am the solo developer that maintain one keystone of the internet software infrastructure)? And once Mythos become public, companies will push serious [codemaxxing](https://github.com/jshchnz/codemaxxing) even further.

By all the good use cases, we should not forget the whole picture around LLMs.

Using AI for any kind of recognition is good, actually (and often helps with accessibility).

Using AI for creation is not good.

Not exactly a revolutionary technology, ever heard about "static program analysis"?

https://en.wikipedia.org/wiki/Static_program_analysis

Are they surprised that a new approach to the problem has uncovered new vulnerabilities? Who would have thought! 🤔

How many vulnerabilities have been systematically fixed by traditional code analyzers throughout the entire history of Firefox without all this marketing hype?

Quoting: stormtuxNot exactly a revolutionary technology, ever heard about "static program analysis"?

https://en.wikipedia.org/wiki/Static_program_analysis

Are they surprised that a new approach to the problem has uncovered new vulnerabilities? Who would have thought! 🤔

How many vulnerabilities have been systematically fixed by traditional code analyzers throughout the entire history of Firefox without all this marketing hype?

Yeah, these tools have been around for years (by which I mean "before the genAI hype cycle began late-2022"), but typically only affordable to large Enterprises. With their desperate need to overhype genAI, the AI companies are loss-leading the access to these models to drive adoption, so we're seeing lots of weird hype for things that have existed for years, but have been priced... well, if not fairly, then at least "normally", within the industry. So now smaller outfits like Mozilla have access to these capabilities, and we're seeing headlines like this.

Using AI to fix security holes in software is like using window screen to repair a hole in a bucket.

Quoting: Mountain ManUsing AI to fix security holes in software is like using window screen to repair a hole in a bucket.

its not to fix, but to find, then an human being can confirm the issue is real (not an halucination) and fix it.

For those that might not know (myself included),

AGI = Artificial General Intelligence

Quoting: CaldathrasAGI = Artificial General Intelligence

And that term means something with real intelligence, which non of these AI models will ever be able to do (also not those in 10, 20 or 100 years, based on similar technology), because it is just a super complex deterministic program, where a specific input gives a specific output (if you control all input parameters, which are not exposed on cloud services, but on some local models). That companies speak about AGI is a pure marketing lie to make their bubble grow further.

Quoting: hardpenguinUsing AI for any kind of recognition is good, actually (and often helps with accessibility).

Using AI for creation is not good.

Yeah, on a related note:
https://www.forbes.com/sites/the-wiretap/2026/04/22/anthropics-claude-is-pumping-out-vulnerable-code-cyber-experts-warn/

This is a marketing stunt.

The "too dangerous too release" and the "access leak" from yesterday is all hidden behind NDAs that everyone who's been given access has to sign. There's no way to verify any of those claims.

The only ones that are pushing this besides anthropic are the corpo hats from mozilla. And even then, if you look at the much hailed release 150 patch log you'll only see a handful of fixes coengineered via AI which is far behind the much touted 250+ fixes figure that is being publicly passed around in press releases.

The whole point of all this fearmongering is to drive anthropic IPO valuation up. And it's working.