if a refresh token was reused, Hydra would invalidate the whole access and refresh token chain

Security engineers reviewed every finding before it reached a maintainer... While frontier AI models are highly capable of finding vulnerabilities and patching them, they also produce a high volume of false positives

Trail of Bits engineers found that, with limited guidance, GPT‑5.5‑Cyber made useful choices about where to expand coverage, which builds and entry points to probe, and which candidates were too weak to pursue.

Production connectivity has a few non-negotiables. A connector should respect two sets of rules at once: the permissions already set in the source platform, and the controls your administrators set in Mistral Studio or Vibe.

The goal is to move beyond using models to find more vulnerabilities, towards a world of safer software and cyber resilience.

Frontier defensive capabilities should not be concentrated in the hands of a few. Software touches all aspects of life, from critical infrastructure to business applications and government networks.

Vulnerability reports, on their own, do not protect anyone. The value comes from validating the issue, understanding its impact, developing and testing a patch, coordinating disclosure, and helping teams deploy the fix.

The company said earlier this month that it received an export control directive from the Trump administration ordering the company to suspend access to its latest Claude models... 'by any foreign national, whether inside or outside the United States.'

Anthropic said operators affiliated with Alibaba and its AI lab carried out 28.8 million exchanges with its models using roughly 25,000 fraudulent accounts between April 22 and June 5.

Anthropic sent a letter to U.S. officials accusing Alibaba of 'brazenly' and 'illicitly' attempting to extract its AI capabilities.

They’ve all signed an open letter to ask Trump to revoke the order, and they say it’s actually dangerous to have to pull these advanced cybersecurity capabilities from network defenders in the U.S.

We reviewed a demonstration of this specific technique being used to identify a small number of previously known, minor vulnerabilities. These vulnerabilities all appear relatively simple, and we have found that other publicly-available models are able to discover them as well without requiring a bypass.

The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees.

The letter did not provide specific details of its national security concern. Our understanding is that the government believes it has become aware of a method of bypassing, or 'jailbreaking' Fable 5.

We have instituted strong safeguards that greatly reduce the likelihood that Fable is misused for tasks related to cybersecurity (among others). In fact, our safeguards are so strong that many users have complained that they are overly broad.

The letter did not provide specific details of its national security concern. Our understanding is that the government believes it has become aware of a method of bypassing, or 'jailbreaking' Fable 5.

Our understanding is that the government believes it has become aware of a method of bypassing, or 'jailbreaking' Fable 5. We reviewed a demonstration of this specific technique being used to identify a small number of previously known, minor vulnerabilities.

The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national

We stand by this defense in depth strategy. It reduces the risks posed by Fable, making them comparable to the risks of existing models already deployed across the industry.

The potential jailbreaks that have been disclosed to us are either entirely benign responses or are minor findings that provide no Mythos-specific uplift.

The government believes it has become aware of a method of bypassing, or 'jailbreaking' Fable 5.

Anthropic is releasing Claude Mythos 5 to trusted organizations and Claude Fable 5 to the public, a version it says can't be used for cyberattacks.

Commerce dept. worries that a Fable 5 'jailbreak' could be a national security threat.

The company says it has only seen evidence of this kind of jailbreak being used to find 'minor' and 'relatively simple' software vulnerabilities

An agent breaks all of those assumptions. It reasons, it improvises, and it can be hijacked by a single sentence buried in a document it was asked to read.

The great thing about working with WebAssembly is that if the C turns out to be fatally flawed the worst that can happen is the WebAssembly execution will fail with an exception.

As AI models continue to improve, hardening their defenses might actually get easier.

What is going on with these agents is they're very eager to finish the task. It's almost like some elementary school student who just wants to please the teacher.

Everybody wants to be the first to do something and just push things out without careful scrutiny and red-teaming

As AI models continue to improve, hardening their defenses might actually get easier.

Security and utility always have a trade-off

There, AI was the target rather than the attacker, and the method was far simpler than anything Mythos would cook up.

in 89% of the 198 manually reviewed vulnerability reports, our expert contractors agreed with Claude's severity assessment exactly, and 98% of the assessments were within one severity level. If these results hold consistently for our remaining findings, we would have over a thousand more critical severity vulnerabilities and thousands more high severity vulnerabilities.

the total cost was under $20,000 and found several dozen more findings. While the specific run that found the bug above cost under $50, that number only makes sense with full hindsight. Like any search process, we can't know in advance which run will succeed.

Sonnet 4.6 and Opus 4.6 reached tier 1 in between 150 and 175 cases, and tier 2 about 100 times, but each achieved only a single crash at tier 3. In contrast, Mythos Preview achieved 595 crashes at tiers 1 and 2, added a handful of crashes at tiers 3 and 4, and achieved full control flow hijack on ten separate, fully patched targets (tier 5).

Each person on the team gets their own slice of the brain, scoped by login. When you query, you only see what you're allowed to see — never another person's notes, never another team's data. We fuzz-tested this across every way you can read the brain (search, list, lookup, multi-source reads) and got zero leaks.

within 6 to 12 months, we expect that many other AI companies will have Mythos-class models, and they could release them without safeguards that prevent misuse.

To address the scale of this coming challenge, hundreds of thousands of organizations, researchers, and maintainers will likely need access to the most advanced cyber capabilities and tools available.

We see our role as twofold. First, to help the software industry adapt by safely providing wide access to better models, tools, and common infrastructure. Second, to steadily shift the support we provide, from finding vulnerabilities to disclosing, fixing, and deploying patched software.

Cheap, fast AI models with powerful cyber capabilities are around the corner. We want Project Glasswing to spur institutions toward operating norms that reflect this reality.

This attack does not require human-in-the-loop approvals, even when in settings the user has explicitly required human approval before ChatGPT edits workbooks.

Design for containment at the environment layer first, then steer behavior at the model layer.

Rather than supervising what the agent does, we supervise what it's _able_ to do by enforcing access boundaries through, for example, sandboxes, virtual machines, and egress controls.

A locally installed tool is auditable. You can read the code, pin the version, and know it won't change under you. A remote tool—a hosted MCP server, a cloud connector—can change behavior at any point after you've approved it;

The same isolation keeping Claude contained also kept host-based endpoint detection and response out. From the EDR's perspective, Claude Cowork is an opaque hypervisor process.

Battle-tested hypervisors, syscall filters, and container runtimes have survived more adversarial attention than anything you'll build. Across every deployment described here, the standard primitives held while our own work around them exposed flaws.

More capable models make fewer mistakes, but they're also better at finding unexpected paths to a goal, often by routing around restrictions nobody thought to write down.

The more approvals a user sees, the less attention they pay to each, becoming over time much less diligent in their supervision.

Certificate retrieval, supported verification tooling, and example verification commands see the signing documentation. For example, you can verify a signed skill locally. To do so, follow these steps: Download the NVIDIA Agentic Capabilities root certificate as nv-agent-root-cert.pem Install an OpenSSF Model Signing (OMS) verifier, such as pip install model-signing Execute the following command to verify the skill signature

SkillSpector checks conventional software risks such as vulnerable dependencies, suspicious scripts, dangerous code patterns, credential access, and data exfiltration paths. SkillSpector also checks agent-specific risks, such as hidden instructions, prompt injection, trigger abuse, excessive agency, tool poisoning, and mismatches between a skill's declared purpose, requested access, and bundled behavior.

NVIDIA-verified agent skills are portable instruction sets that help developers understand, trust, and safely deploy AI agent capabilities by providing transparency, provenance, security scanning, and cryptographic signing.

The crux of the vulnerability is that Starlette accepts invalid host header values that cause authenticating apps that use Starlette's request.url object to approve unauthorized access requests.

The vulnerability is present in Starlette, an open source framework that its developer says receives 325 million downloads per week.

The injection consisted of 5 lines in an 81-line skill file, all of comparable length to the other lines.

Opus 4.7 was more comprehensive in its search for recently edited documents; it expanded exfiltration to include every document used in previous Cowork Copilot sessions that week

At no point in this process is human approval required.

when the recipient is the active user, these actions execute immediately without requiring human approval (users do not have a setting to modify this behavior)

Claude Opus 4.7 has been used to patch over 2,100 vulnerabilities

Mythos Preview has found what it estimates are 6,202 high- or critical-severity vulnerabilities in these projects (out of 23,019 in total)

we and our approximately 50 partners have used Claude Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities

Claude Opus 4.7 has been used to patch over 2,100 vulnerabilities

on average, a high- or critical-severity bug found by Mythos Preview takes two weeks to patch

Mythos Preview has found what it estimates are 6,202 high- or critical-severity vulnerabilities in these projects (out of 23,019 in total)

the same technology is both the lottery ticket & the thing eating your fallback

I tried having GPT-5.5 create an HTML explanation of the exploit like this: `curl https://copy.fail/exp | llm -m gpt-5.5 -s 'Explain this code in detail. Reformat it, expand out any confusing bits and go deep into what it does and how it works. Output HTML, neatly styled and using capabilities of HTML and CSS and JavaScript to make the explanation rich and interactive and as clear as possible'`

Vantor becomes the first spatial intelligence company to be able to deploy Google Earth AI models in air-gapped government environments.

When AI is applied in more conventional domains, like increasing integration into command and control systems, does it benefit the attacker? More generally, how will AI change the character of human conflict?

Digital Sovereignty: Wire to Replace Signal as Standard in the Bundestag

We estimate, with 90% confidence, that between 290,000 and 1.6 million H100-equivalents of compute were smuggled through the end of 2025.

Amodei is vocal about the national security implications of this technology. He advocates for export controls on chips to China

The department official who spoke to Breaking Defense went further, saying the IL-5 authorization demonstrates “that it meets rigorous security controls for handling DoD information”

The feature can edit spreadsheets without a human-in-the-loop and was vulnerable to data exfiltration risks due to its ability to insert formulas that trigger external communication.

The most urgent finding this week comes from researchers who demonstrated that the very mechanism enabling agents to use tools - function calling - can be hijacked with alarming reliability.

Modern-day security tooling looks for the wrong things. Most software composition analysis tools work by checking your dependencies against a database of known vulnerabilities – CVEs. But a deliberately planted backdoor doesn't have a CVE.

The result is a mismatch that should terrify anyone building software: the attack surface is expanding faster than any human can monitor, and the entities making dependency decisions are increasingly not human.

We are building a world where machines write the code, machines choose the dependencies, and machines ship the updates. The AI agents are building the software. If we don't secure the supply chain they rely on, the AI agents are cooked.

select known-vulnerable dependency versions 50% more often than humans.

A deliberately planted backdoor doesn’t have a CVE.

The median JavaScript project on GitHub has 755 transitive dependencies

the entities making dependency decisions are increasingly not human.

Socket, an a16z portfolio company, detected the malicious dependency in the Axios attack within 6 minutes of its publication. That's roughly 63,000 times faster than the industry average.

Hallucinated packages are the sleeper threat. LLMs regularly invent package names that don't exist. One study found that nearly 20% of AI-recommended packages were fabrications, and 43% of those hallucinated names appeared consistently across queries.

This card was updated on April 24, 2026, to include additional information about safeguards for the deployment of GPT‑5.5 and GPT‑5.5 Pro in the API.

All prompts, completions, findings, and communications are covered by NDA

Smaller awards may be granted for partial wins at our discretion

$25,000 to the first true universal jailbreak to clear all five questions

TPM-backed full-disk encryption is now generally available in the Ubuntu installer.

Security is a defensive posture; agency is a functional right.

Some proposals for AI agents assume that putting agentic code in a TEE or similar 'jail' will solve these problems, but that ignores the need to collectively bargain

No encryption protects that layer. The router can read, change, or replace anything.

Out of 28 paid and 400 free routers: > 9 injected malicious code into tool calls > 17 touched researcher-owned AWS credentials > 1 drained $500k from an Ethereum wallet

Client-side defenses caught 89% of injections. But real protection needs providers to sign responses.

Vercel is advising Google Workspace administrators and Google account owners to check for the following application: OAuth App: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

the initial access occurred after a Vercel employee's Google Workspace account was compromised via a breach at the AI platform Context.ai.

Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data.

we probably will publish more curl vulnerabilities in 2026 than we have done in many years, maybe ever.

it is decently important to handle them asap when they arrive so that we can avoid building up too much backlog.

The time when we suffer from large amounts of AI slop is gone. Now we instead suffer under a massive load of good reports.

Maintains your HTTP/TLS fingerprint so intercepted traffic behaves identically to the original.

agent-written code introduces more security vulnerabilities than code authored by humans

Discovery should focus on trust boundaries, authentication flows, parsers, shared services, and legacy code that still sits on critical paths.

The scariest part of Mythos is not that one lab has a gated model. It is that the core workflow primitives behind representative findings are no longer confined to a single lab's private stack.

The real issue is not whether defenders can get access to another model. It is whether they can turn model capability into something a security team can trust and use every day.

Public models can already spot that a security-relevant check is missing in the right code path, but they can still miss the actual invariant being violated and therefore misstate the impact.

If public models can already do useful work inside that kind of workflow, then the story is not 'Anthropic has a magical cyber artifact.' The story is that serious AI-assisted vulnerability research is no longer confined to a single frontier lab.

The real challenge is validating outputs, prioritizing what matters, and operationalizing them.

So, cyber security of tomorrow will not be like proof of work in the sense of 'more GPU wins'; instead, better models, and faster access to such models, will win.

Official access to the model is limited to a handful of companies through the [Project Glasswing initiative](https://www.theverge.com/ai-artificial-intelligence/908114/anthropic-project-glasswing-cybersecurity), including Nvidia, Google, Amazon Web Services, Apple, and Microsoft.

Anthropic currently has no plans to release the model publicly due to concerns that it could be weaponized.

US tech CEOs believe the best models should stay proprietary, partly so they can recoup enormous training costs and partly out of concern that powerful frontier models could be weaponized. Chinese labs, for their part, are not purely idealistic: Open-source is not only free advertising but also a shrewd workaround.

settings.local.json、mcpServers headers 里的 Bearer Token 不能明文外带。

Configuration is managed via environment variables. See src/aegis_core/config.py for all available settings.

Aegis Core provides the foundational infrastructure for orchestrating LLM-based security agents, monitoring their behavior, and tracking the evolution of AI security capabilities over time.

The Life Sciences model was developed with heightened enterprise-grade security controls and strengthened access management, enabling professional scientific use in governed research environments.

Only GPT-OSS-120b is perfectly reliable in both directions (in our 3 re-runs of each setup). Most models that find the bug also false-positive on the fix, fabricating arguments about signed-integer bypasses that are technically wrong.

The capability rankings reshuffled completely across tasks. There is no stable best model across cybersecurity tasks. The capability frontier is jagged.

Eight out of eight models detected Mythos's flagship FreeBSD exploit, including one with only 3.6 billion active parameters costing $0.11 per million tokens.

Legacy platforms get worse over time : static detections degrade with changing data & behaviors. Artemis gets better : with each incident or proactive threat hunt, the system identifies new patterns.

Architected before AI, these SIEM systems are wooden shields in an era of autonomous attackers.

Legacy platforms get worse over time : static detections degrade with changing data & behaviors.

Within a few months, they have more than a dozen production enterprise deployments & are processing over a billion events per hour.

Shachar led the Amazon GuardDuty product, scaling the business to over 80,000 customers.

The model can reverse-engineer compiled software to detect malware and vulnerabilities without needing source code, aiming to help analysts inspect and secure systems more efficiently.

OpenAI has introduced GPT-5.4-Cyber, a more permissive version of its flagship model built for defensive security work, expanding access to thousands of verified users through its Trusted Access for Cyber initiative.

Not every organization has the benefit of a 24x7 security team who is able to respond to incidents when they are disclosed on a Friday night.

Cybersecurity is a team sport, and the systems people rely on are protected by organizations of many kinds, from major enterprises and security vendors to researchers, maintainers, public institutions, nonprofits, and smaller teams with limited security resources.

或许需要某种「第三方评测、审计机构」来评估 Skills 的数据使用方式、检测潜在安全风险等等。

Lightweight Agent Detection & Response (ADR) layer for AI agents — guards commands, files, and web requests.

Sage sends URLs and package hashes to Gen Digital reputation APIs. File content, commands, and source code stay local.

Sage intercepts tool calls (Bash commands, URL fetches, file writes) via hook systems in Claude Code, Cursor / VS Code, OpenClaw, and OpenCode, and checks them against:

Sage sends URLs and package hashes to Gen Digital reputation APIs. File content, commands, and source code stay local.

Sage intercepts tool calls (Bash commands, URL fetches, file writes) via hook systems in Claude Code, Cursor / VS Code, OpenClaw, and OpenCode, and checks them against:

Mercor, which provides data to AI labs for training, became one of the fastest-growing companies in history before losing four terabytes of data to hackers last week.

In many cases, we can automatically detect when a key is visible on the public web and shut down those keys automatically for security reasons

We are moving to disable the usage of unrestricted API keys in the Gemini API, should have more updates there soon.

We experienced a sudden and extreme spike in Gemini API usage. The traffic was not correlated with our actual users and appeared to be automated.

Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true.

Routines run autonomously as full Claude Code cloud sessions: there is no permission-mode picker and no approval prompts during a run.

Each routine has its own token, scoped to triggering that routine only. To rotate or revoke it, return to the same modal and click 'Regenerate' or 'Revoke'.

Each platform surfaces different vulnerabilities, making it difficult to establish a single, reliable source of truth for what is actually secure.

We hope that one day we can return to open source as the security landscape evolves. But for now, we have to put our customers first.

The risk landscape is accelerating quickly. Advanced AI models are now capable of identifying and exploiting vulnerabilities at unprecedented speed.

AI uncovered a 27-year-old vulnerability in the BSD kernel, one of the most widely used and security-focused open source projects, and generated working exploits in a matter of hours.

Being open source is increasingly like giving attackers the blueprints to the vault. When the structure is fully visible, it becomes much easier to identify weaknesses and exploit them.

AI can be pointed at an open source codebase and systematically scan it for vulnerabilities.

Each platform surfaces different vulnerabilities, making it difficult to establish a single, reliable source of truth for what is actually secure.

Being open source is increasingly like giving attackers the blueprints to the vault. When the structure is fully visible, it becomes much easier to identify weaknesses and exploit them.

AI uncovered a 27-year-old vulnerability in the BSD kernel, one of the most widely used and security-focused open source projects, and generated working exploits in a matter of hours.

policy makers now view cutting-edge AI offensive security capabilities as a systemic financial infrastructure risk

Mythos reportedly autonomously discovered thousands of zero-day vulnerabilities within weeks

Same clinical question, two framings. One as a patient, one as a doctor.

that's what anthropic says it cost Mythos to find those zero days. per repo.

Across 1,000 runs, Claude Mythos Preview was able to find several bugs in OpenBSD, including one that allows any attacker to remotely crash a computer running it. The notable thing was that the bug had existed for 27 years.

Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser.

This website uses a security service to protect against malicious bots.

Agents show only ~10% success on instances with PoCs longer than 100 bytes, which represent 65.7% of the benchmark

The window between a vulnerability being discovered and being exploited by an adversary has collapsed—what once took months now happens in minutes with AI.

Anthropic is committing up to $100M in usage credits for Mythos Preview across these efforts, as well as $4M in direct donations to open-source security organizations.

Mythos Preview found a 27-year-old vulnerability in OpenBSD—which has a reputation as one of the most security-hardened operating systems in the world

There will be more attacks, faster attacks, and more sophisticated attacks. Now is the time to modernize cybersecurity stacks everywhere.

In the past, security expertise has been a luxury reserved for organizations with large security teams. Open source maintainers—whose software underpins much of the world's critical infrastructure—have historically been left to figure out security on their own.

AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.

Agent systems should be designed assuming prompt-injection and exfiltration attempts. Separating harness and compute helps keep credentials out of environments where model-generated code executes.

Native sandbox support gives developers that execution layer out of the box, instead of forcing them to piece it together themselves.

Apple just changed how iOS validates push notification tokens on iOS 26.4. While it is impossible to tell whether this is a result of this case, the timing is still notable.

Messages were recovered from Sharp's phone through Apple's internal notification storage—Signal had been removed, but incoming notifications were preserved in internal memory.

Mythos found zero-day bugs in every major OS and browser, without human guidance.

The model reportedly scored 93.9% on SWE-bench Verified and 77.8% on SWE-bench Pro, but its strongest signal came from real-world results, including uncovering a 27-year-old flaw in OpenBSD, a 16-year-old vulnerability in FFmpeg, and autonomously chaining Linux kernel exploits without human input.

The model reportedly scored 93.9% on SWE-bench Verified and 77.8% on SWE-bench Pro, but its strongest signal came from real-world results, including uncovering a 27-year-old flaw in OpenBSD, a 16-year-old vulnerability in FFmpeg, and autonomously chaining Linux kernel exploits without human input.

Gemma 4 models undergo the same rigorous infrastructure security protocols as our proprietary models.

Security has always been a team sport, and the defenders who have protected this industry for decades have never succeeded by working in isolation.

New AI models, especially those from Anthropic,have triggered a new set of actions for how we build and secure our products.

using "Open File..." dialog (`⌘+O`) you could still open and view any file on the system and could preview any file that safari could preview (e.g. `.html`, `.htm`, `.txt`, `.pdf`, and image files)

by "saving" the webpage (`file->save as`) instead of downloading it (which Safari automatically adds an extension for) I could force it to save it as `malicious_file` (with no extension).

macOS decides to boot the `Volumes` partition which includes `Data`, `Macintosh HD`, `macOS Base System`, and `Preboot` systems, and when you choose the `Macintosh HD` it allows you to save the file to the Mac's permanent disk.