Apple Spent Five Years Building Its Best Mac Security. Mythos Cracked It in Five Days.
A five-person security firm used Anthropic's frontier AI model to find and exploit two critical vulnerabilities in macOS — bypassing a protection Apple spent five years and billions of dollars building and called the most robust security architecture it had ever shipped. Apple confirmed Thursday it is investigating.
The exploit, described in a blog post published Tuesday by the firm, Calif, was built in five days. It starts from an unprivileged local user account on a Mac running macOS 26.4.1 with kernel Memory Integrity Enforcement — MIE — switched on (Calif Blog). Using two separate vulnerabilities chained with several advanced memory manipulation techniques, it corrupts protected kernel memory and escalates to root without crashing the system. Bruce Dang found the underlying bugs on April 25th. Dion Blazakis joined on the 27th. Josh Maine built the tooling. By May 1st — five days after the bugs were identified — the team had a working exploit running on bare-metal M5 hardware (Calif Blog).
Early this week, the team drove to Apple Park in Cupertino and handed a 55-page technical report directly to Apple's security team. "They spent five years building it. Probably billions of dollars too," Calif wrote (Calif Blog). The Wall Street Journal's Robert McMillan reported the findings Wednesday; 9to5Mac, MacObserver, Decrypt, TechRadar, and AppleInsider have since confirmed the broad outlines independently. Apple confirmed it is investigating but declined to say whether the specific vulnerabilities have been patched or assigned CVE identifiers, or when a fix might ship.
The Target Apple Called Unbreakable
MIE — Memory Integrity Enforcement — is the result of roughly five years of engineering work embedded in the M5 chip's hardware and layered into macOS 26. It draws on Arm's Extended Memory Tagging technology, which tags where in memory different pieces of data are allowed to live, making it harder for attackers to corrupt one region to gain access to another. Apple's own research documentation said it was designed to disrupt every public exploit chain that had previously worked against modern iOS, including the Coruna and Darksword exploit kits — two of the most sophisticated offensive tools known to exist (Apple Security Research Blog). The claim was credible because MIE was expensive to build and because Apple had published detailed technical justification for why it worked.
Calif's blog post does not publish the full technical details of the vulnerabilities — they are following coordinated disclosure practices, standard in the security research community when a finding could affect live systems. What they published is enough to establish that MIE was not unbreakable against a motivated team with access to the right AI tooling. The 55-page technical report delivered to Apple remains private.
The AI Behind the Finding
The AI model Calif used is Mythos Preview, Anthropic's unreleased frontier system. Anthropic has spent months building the case — through its own research publications and the formal launch of Project Glasswing this week — that Mythos represents a genuine leap in AI's ability to find and exploit software vulnerabilities (Anthropic Glasswing). The model has found zero-day vulnerabilities in every major operating system and every major web browser, according to Anthropic's own reporting (Anthropic Frontier Red Team). It found a vulnerability in OpenBSD that had survived 27 years of human audit (Anthropic Frontier Red Team). In controlled benchmark tests against Firefox bugs that Anthropic's previous best model, Opus 4.6, could turn into working exploits only twice in several hundred attempts, Mythos Preview succeeded 181 times (Anthropic Frontier Red Team).
Glasswing — formally announced this week alongside the Calif findings — is a consortium that includes Apple, Amazon, Google, Microsoft, NVIDIA, CrowdStrike, Palo Alto Networks, and more than 40 additional organizations (Anthropic Glasswing). Anthropic is committing up to $100 million in usage credits and $4 million in donations to open-source security groups through the program (Anthropic Glasswing). The stated goal is to put the model into defensive hands before the capability proliferates. The five-day MIE exploit, published the same week as the formal announcement, is also a demonstration: this is what it looks like when the model is pointed at the hardest target in consumer computing.
Whether Glasswing is best understood as a security philanthropy initiative or a capability demonstration with a philanthropy wrapper is a question worth carrying through the reporting.
What Remains Unknown
Apple's investigation is active. Whether the specific vulnerabilities Calif identified have been patched in macOS 26.5 — which was in beta during the Calif team's research — is not publicly known. CVEs have not been assigned. The additional engineering required to turn the Calif proof-of-concept into a weaponized tool deployable against real targets is also undisclosed; that gap matters for assessing real-world risk versus theoretical risk.
The broader question — whether Apple's MIE, in any form, can be patched to close this specific gap without redesigning the underlying hardware — is unanswered. Apple has not said.
What is established: a small team with access to a frontier AI found a way around a feature that Apple spent five years building, documented it to a credible standard, and delivered it to Apple in person. The velocity asymmetry — five days versus five years — is real, independently confirmed, and has no obvious rebuttal.
Calif researchers did not respond to a request for comment. Apple declined to comment beyond confirming the investigation.