Researchers at Calif., a cybersecurity firm based in Palo Alto, leveraged technology from an early version of Anthropic's secretly developed Mythos AI to discover two previously undocumented vulnerabilities in macOS. These two flaws were chained together into a privilege escalation attack chain, capable of bypassing Apple's most advanced memory integrity protections to access system memory regions that should be completely off-limits.
Apple is currently reviewing the 55-page technical report submitted by Calif., and a patch is expected to be issued after validation.
Technical Details of the Attack Chain
Discovered during testing in April, the vulnerability combination exploits two macOS flaws alongside several advanced techniques to corrupt Mac memory, ultimately breaking into restricted system areas inaccessible to ordinary processes. According to a report by The Wall Street Journal, if this privilege escalation vulnerability were combined with other attack methods, an attacker could gain full control of a targeted Mac device.
Calif. researchers wrote custom software to link the two vulnerabilities, forming a novel attack vector previously unseen on macOS systems. It's important to note that this is not a worm that can propagate remotely. The attack still requires significant human expertise layered on top of the content generated by Mythos. Thai Dong, CEO of Calif., acknowledged, "Mythos alone cannot complete the attack; it requires the analytical skills of Calif.'s security experts."
The Unique Positioning of Mythos AI
Due to the potential risks posed by its exceptional ability to identify software vulnerabilities, Anthropic's Mythos (formerly known as Claude Mythos Preview) is deliberately restricted from public access. The model is part of Anthropic's "Glasswing" project and is currently only available to a select group of about 40 organizations, including Apple, Google, and Microsoft, for defensive security research. Anthropic has committed $100 million in usage credits to support this partnership program.
Prior to discovering the macOS vulnerabilities, Mythos successfully identified a 27-year-old vulnerability in OpenBSD and found bugs that could hijack Linux devices. Anthropic engineers have explicitly warned that the model's capability to unearth security flaws is too powerful and requires strict guardrails for use.
The Vulnerability Disclosure Process
Confident in their findings, Calif. researchers made a trip to Apple's Cupertino headquarters to deliver the technical report in person. An Apple spokesperson told The Wall Street Journal, "Security is our top priority, and we take reports of potential vulnerabilities very seriously." While Apple has not yet confirmed whether it has begun patching the flaws, Calif.'s CEO anticipates that "the vulnerabilities will likely be fixed soon." Calif. will not release full technical details until Apple resolves the underlying issues.
Reference Source:
Anthropic's Mythos AI Reportedly Found macOS Vulnerabilities that Could Bypass Apple Security