JustAppSec

Partner environment used to access Anthropic's restricted AI security model

Published 26 Apr 2026. Source: AJU Press

TL;DR - A partner-company employee allegedly abused their authorized access to Anthropic's restricted Claude Mythos Preview, used leaked filesystem metadata from a third-party breach to locate the model, and shared access with a private Discord group. Anthropic says the intrusion did not spread beyond the vendor environment. If you consume gated security tooling through partners, treat partner environments as part of your threat model.

What happened

Claude Mythos Preview is Anthropic's invitation-only AI model aimed at cybersecurity use cases, distributed through a restricted programme called Project Glasswing. Anthropic chose a limited research release specifically because of the model's dual-use potential: it is described as capable of autonomously finding software vulnerabilities and generating attack code.

AJU Press reports that Anthropic opened an investigation after detecting unauthorized access to the Mythos preview through a third-party vendor environment. The access is believed to have occurred on April 7, 2026 - the day Glasswing access opened.

The attack path is a clean example of partner and insider risk. A partner-company employee allegedly used their legitimate access, inferred the model's hosting location using Anthropic filesystem metadata exposed in a separate breach of an AI evaluation startup (referred to as "Mercer" in the report), and then shared that access with a private Discord group. The group also claimed access to other unreleased Anthropic models, though that claim is not confirmed.

Anthropic told AJU Press there is "no evidence the intrusion spread beyond the vendor environment", and no damage to Anthropic systems has been confirmed.

"Restricted" access is only as strong as the least-controlled partner environment in your access graph. This is the same failure mode that drives CI/CD and SaaS breaches. A model capable of producing working exploit code, distributed through a partner network with insufficient controls, is a high-value target.

Who is impacted

  • Organisations participating in Anthropic's Project Glasswing or receiving access to restricted Anthropic model environments through third parties.
  • Teams that treat partner-hosted or contractor-accessible environments as lower-trust than production but still permit access to sensitive assets - models, prompts, vulnerability reports, customer data, source code, credentials.
  • Security and platform teams building workflows around AI-driven vulnerability discovery or exploit simulation, where model access and outputs are inherently high-sensitivity.

What to do now

  • Follow Anthropic and partner guidance as it becomes available. Request written scoping details for any vendor environment you depend on.
  • Review your third-party access paths as first-class attack surface:
    • Enumerate which partner or contractor identities can reach restricted model environments.
    • Verify least privilege and session controls: short-lived access, scoped entitlements, strong MFA.
  • Add detection around restricted AI access where feasible:
    • Audit access logs for unusual identities, session locations, and access patterns.
    • Alert on sharing behaviours that imply credential or session reuse across identities.
  • Treat model outputs as sensitive data:
    • Restrict redistribution of vulnerability findings, exploit chains, or proof-of-concept artefacts to need-to-know channels.
    • Ensure secrets, keys, and internal URLs are not being pasted into prompts or stored in shared workspaces without policy controls.
  • If your programme relies on partner environments, explicitly require partner security posture evidence - access reviews, logging retention, incident notification SLAs - as part of the operating model.
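As an added example of the detection step above (not code from Anthropic, the partner, or the AJU Press report), the script below flags a restricted-model session token that shows up from several source hosts or countries within a short window, which is the pattern credential or session sharing across a group would leave in access logs. The log format, field names and every record are constructed assumptions.

```python
# Added example (not Anthropic's or the report's code): flag a restricted-model
# session token that is used from several hosts or countries in a short span.
# Log format, field names and all records below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, identity, session id, source IP, country.
SAMPLE_LOG = """\
2026-04-07T09:01:12Z partner-a.user1 sess-41 203.0.113.10 DE
2026-04-07T09:04:55Z partner-a.user1 sess-41 203.0.113.10 DE
2026-04-07T09:30:02Z partner-a.user1 sess-41 198.51.100.77 US
2026-04-07T09:31:40Z partner-a.user1 sess-41 192.0.2.200 BR
2026-04-07T10:00:00Z partner-b.user2 sess-42 198.51.100.5 US
2026-04-07T10:20:00Z partner-b.user2 sess-42 198.51.100.5 US
"""

def parse_log(text):
    """Parse whitespace-separated access records into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, identity, session, ip, country = line.split()
            records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            "identity": identity, "session": session,
                            "ip": ip, "country": country})
    return records

def find_shared_sessions(records, window=timedelta(hours=1)):
    """Return {session_id: details} for sessions whose token appears from more
    than one source IP or country within a sliding window: a strong signal
    that the session or its credentials were handed to someone else."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)
    flagged = {}
    for sid, events in by_session.items():
        events.sort(key=lambda r: r["ts"])
        for i, first in enumerate(events):
            span = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            ips = {e["ip"] for e in span}
            countries = {e["country"] for e in span}
            if len(ips) > 1 or len(countries) > 1:
                flagged[sid] = {"identity": first["identity"],
                                "ips": sorted(ips), "countries": sorted(countries)}
                break  # one alert per session is enough
    return flagged
```

Running `find_shared_sessions(parse_log(SAMPLE_LOG))` flags only `sess-41`, which is seen from three hosts in three countries inside half an hour, while `sess-42` stays quiet; tune `window` to the session lifetime your environment actually issues.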
