a model too powerful to release
Episode Description
Anthropic's unreleased model found thousands of zero-days in every major OS and browser. Plus, Cursor 3.0, a critical Next.js patch, and more.
Show Notes
Anthropic announced an unreleased AI model called Claude Mythos Preview that has found thousands of zero-day vulnerabilities in every major operating system and web browser. They say it's too dangerous to release. Meanwhile, Anthropic lost a key court ruling in its ongoing fight with the Pentagon over military AI guardrails. Also this week: Cursor 3.0 brings parallel agents and design mode, Next.js ships a critical security patch (with some irony attached), TanStack introduces code mode for composable tool execution, Payload 3.82 lands with new hooks and drag-and-drop components, plus updates from shadcn, Figma, Claude Code, and Railway.
Transcript
What's up, everyone? Welcome to Next in Dev, a weekly overview of all the news I could find in the modern web dev industry. This week, Anthropic announced an unreleased AI model that's finding zero-day vulnerabilities in every major operating system and browser, then lost a court ruling in their fight with the Pentagon. We also got Cursor 3.0 and a critical Next.js security patch that's a little ironic given recent events. Let's dive in.
The lead story this week is Project Glasswing, a new cybersecurity initiative from Anthropic built around an unreleased frontier model called Claude Mythos Preview. This model is so good at finding security vulnerabilities that Anthropic assembled a coalition of major tech companies to use it defensively before those same capabilities end up in the wrong hands. How good is it? Anthropic says Mythos Preview has found thousands of vulnerabilities in every major operating system and every major web browser. One example is a 27-year-old vulnerability in OpenBSD, one of the most security-hardened operating systems in existence, that let an attacker remotely crash any machine just by connecting to it. It's interesting that it couldn't catch their own code leak from a couple weeks ago, though.
The partnership list is star-studded. AWS, Google, Microsoft, Apple, Broadcom, Cisco, CrowdStrike, JPMorganChase, NVIDIA, Palo Alto Networks, and the Linux Foundation are all a part. Anthropic is committing up to $100 million in usage credits and $4 million in donations to open-source security.
Anthropic is not making Mythos Preview generally available. They're saying the model's offensive cyber capabilities are too dangerous for broad release and plan to develop safeguards for an upcoming Claude Opus model first. Announcing a model to explain why you're not releasing it is unusual, but the timing is interesting, too. They're launching a national security initiative while fighting the Pentagon in court.
Speaking of the Pentagon fight, Anthropic lost a key ruling this week. A DC appeals court denied their request to temporarily block the Pentagon's designation of the company as a supply chain risk. If you've been living under a rock, here's a recap. The Pentagon wanted unfettered access to Claude for all lawful military purposes. Anthropic drew red lines at fully autonomous weapons and domestic mass surveillance. They were then labeled as a supply chain risk.