How the Leak Happened

In one of the most ironic data exposures in recent AI history, Anthropic — a company whose entire identity is built on AI safety — accidentally leaked details of its most powerful and potentially dangerous model to date. The model, internally codenamed "Capybara" and set for public release as "Claude Mythos," was exposed via a misconfigured content management system that left roughly 3,000 unpublished internal assets publicly accessible.

Security researchers Roy Paz of LayerX Security and Alexandre Pauwels of the University of Cambridge discovered an unsecured data cache containing, among other assets, a full draft blog post describing the unreleased model. The exposure was attributed to human error in the configuration of Anthropic's CMS — a painfully mundane origin story for what has become one of the most talked-about AI disclosures of 2026.

Anthropic has since confirmed the model's existence. A spokesperson acknowledged that Mythos is currently being tested with a limited group of early-access customers, noting it is expensive to run and not yet ready for general release.

What Is Claude Mythos?

Based on the leaked draft, Mythos represents an entirely new tier above Claude Opus — Anthropic's previous flagship family. The document described it plainly:

"A new tier of model: larger and more intelligent than our Opus models — which were, until now, our most powerful."

On benchmarks covering software engineering, academic reasoning, and — most controversially — cybersecurity, Mythos reportedly scores dramatically higher than Claude Opus 4.6. The leaked materials described the model as "a step change and the most capable we've built to date," with Anthropic signaling deliberate caution about how and when it releases publicly.

The Cybersecurity Alarm

What sent shockwaves through both the AI and security industries was not just the existence of a more powerful model — it was the company's own internal warning. The leaked documents explicitly flagged that Mythos poses "unprecedented cybersecurity risks" due to its ability to rapidly identify and exploit software vulnerabilities at a level no prior model has demonstrated.

The implications are stark: a model capable of autonomously hunting for and weaponizing software flaws could lower the barrier for sophisticated cyberattacks to near zero. It would not require nation-state resources or elite hacker expertise to launch previously complex offensive operations — just API access.

Markets responded swiftly. Cybersecurity stocks plunged in the hours following the story breaking, as investors grappled with the prospect that AI could rapidly erode the defensive moats that security vendors have spent years building. Bitcoin and broader crypto markets also dipped in the immediate aftermath.

The Irony Is the Story

Anthropic was founded in 2021 by former OpenAI researchers explicitly concerned about AI safety. It has positioned itself as the responsible alternative in the frontier model race — publishing alignment research, pioneering Constitutional AI, and being unusually candid about the risks of its own systems.

That a safety-first company would accidentally expose its most safety-concerning model through a basic misconfiguration is a moment critics have not let pass quietly. Futurism captured the sentiment in their headline: "Anthropic Just Leaked Upcoming Model With 'Unprecedented Cybersecurity Risks' in the Most Ironic Way Possible."

A Sprint to the Frontier

The Mythos leak lands at a remarkable moment in AI development. Just days earlier, on March 23rd, Nvidia CEO Jensen Huang told Lex Fridman, "I think we've achieved AGI" — a statement that generated days of debate. OpenAI's next major model, internally codenamed "Spud," reportedly finished pretraining on March 25th. The pace of frontier development in Q1 2026 has been extraordinary, and Mythos is the latest evidence that the capability curve has not flattened.

The question is no longer whether AI will reach capabilities that demand serious regulatory and security frameworks — it is whether those frameworks can be built fast enough to keep pace.

What Happens Next

Anthropic has not announced a public release date for Mythos. The company is expected to issue a more formal statement about both the data exposure and its plans for controlled deployment. Policy discussions have already begun in Washington and Brussels about whether AI models with demonstrated offensive security capabilities should face mandatory pre-deployment evaluations — similar to the red-teaming requirements outlined in the EU AI Act.

For now, Claude Mythos remains in limited testing. But thanks to a misconfigured CMS, the world already knows it exists — and what it can do.

Photo: Nguyen Duy Hung / Unsplash