The 27-Year Bug: What Mythos Found in OpenBSD That Nobody Else Did
OpenBSD's code is reviewed by some of the most security-obsessed developers on the planet. They missed this for nearly three decades. Anthropic's Mythos model found it in weeks.

The National Security Agency is reportedly running Anthropic’s most powerful AI model on its own systems — even as the Pentagon keeps that same company on a formal blacklist for national security risk.
The contradiction, first reported by Axios, is real. But buried underneath the government turf war is a quieter fact that explains why the intelligence community cannot look away from the model called Mythos: it found a vulnerability in OpenBSD that had been hiding in plain sight for 27 years.
The bug was a TCP selective acknowledgment integer overflow. A remote attacker could have crashed any OpenBSD machine responding over TCP — no authentication required, no user interaction needed. OpenBSD runs firewalls and critical infrastructure worldwide. It is maintained by one of the most security-conscious development communities in open source. The flaw survived nearly three decades of human review. Mythos found it in weeks, according to Help Net Security.
Anthropic announced Mythos Preview in early April, calling it too dangerous for public release. The company said the model had crossed a threshold in autonomous exploit development — it could find and weaponize software vulnerabilities at a level that previously required senior security researchers. Internal benchmarks showed it scoring 83 percent on CyberGym vulnerability reproduction, compared to 66.6 percent for Anthropic’s own Opus 4.6, the previous state of the art, per Anthropic’s Glasswing announcement.
Rather than release Mythos broadly, Anthropic convened Project Glasswing: a consortium of more than 40 organizations, including Apple, Google, Microsoft, Amazon Web Services, Cisco, Nvidia, and the Linux Foundation, that would get private access to scan and secure their own systems. The company committed $100 million in usage credits and $4 million in direct donations to open-source security projects. The NSA, according to Axios, is among the undisclosed participants.
That participation is the crux of the dispute. Defense Secretary Pete Hegseth designated Anthropic a supply-chain risk in March, a designation typically reserved for foreign companies deemed national security threats, after Anthropic refused to give Pentagon officials unrestricted access to Claude for mass domestic surveillance and autonomous weapons development, per TechCrunch’s reporting. Anthropic sued, arguing the label is unconstitutional retaliation that threatens hundreds of millions of dollars in government revenue, according to CNBC. A federal appeals court denied Anthropic’s motion to temporarily lift the designation in early April.
Anthropic CEO Dario Amodei met with White House Chief of Staff Susie Wiles, Treasury Secretary Scott Bessent, and National Cyber Director Sean Cairncross on April 17. The White House called the meeting productive, per CNBC. The relationship appears to be thawing.
Whether the NSA’s reported use of Mythos represents a breach of the blacklist terms or simply authorized access under Project Glasswing remains unresolved. Reuters could not independently verify the Axios reporting. Anthropic, the NSA, and the Defense Department declined to comment.
What is not in dispute is what Mythos can do. In addition to the OpenBSD flaw, it found a 16-year-old vulnerability in FFmpeg — in a line of code that automated testing tools had hit five million times without catching the problem, according to Anthropic’s technical documentation. It autonomously developed working exploits for ten separate fully-patched targets during internal testing. Engineers at Anthropic with no formal security training asked Mythos to find remote code execution vulnerabilities overnight and woke to complete, working exploits.
More than 99 percent of the vulnerabilities Mythos has identified remain unpatched. Anthropic has committed to coordinated disclosure, releasing cryptographic hashes of the details today and the specifics after fixes are in place.
The 27-year OpenBSD bug has been patched. The question of who in the US government gets to use the model that found it is still being worked out in court.