Apple spent years securing Mac, researchers broke it with Mythos in days
Researchers reportedly used Anthropic's Mythos and human expertise to bypass Apple Mac security protections that took nearly five years to develop
Aashish Kumar Shrivastava, New Delhi
Security researchers have reportedly discovered a new method to bypass some of Apple’s advanced Mac security protections by combining AI-assisted vulnerability research with traditional hacking techniques. According to a report by The Wall Street Journal, researchers at Palo Alto-based security company Calif said they developed a working exploit while testing an early version of Anthropic’s Mythos AI software in April.
The report said the researchers linked together two separate bugs along with multiple attack techniques to corrupt system memory and gain access to protected parts of macOS that are normally inaccessible. The exploit is described as a privilege escalation attack, meaning it could potentially allow hackers to gain deeper control over a computer if combined with other security exploits.
According to the report, the findings are significant because Apple has spent years strengthening macOS security against memory-based attacks. Michał Zalewski, a former Google security researcher who reviewed Calif’s work but was not involved in the testing, reportedly told The Wall Street Journal that Apple has invested heavily in locking down macOS, making such attacks increasingly difficult.
Apple is reviewing the findings
Researchers at Calif were reportedly confident enough in their findings to travel to Apple’s Cupertino headquarters earlier this week to present a detailed 55-page report explaining the vulnerabilities and attack methods involved. Calif said the company plans to publicly release technical details of the exploit after Apple patches the underlying issues.
Apple confirmed to the publication that it is reviewing Calif’s report. A company spokesperson reportedly said that security remains Apple’s top priority and that the company takes vulnerability reports seriously.
The Wall Street Journal noted that Apple introduced a security technology called Memory Integrity Enforcement (MIE) last year, describing it at the time as the result of nearly five years of engineering work focused on protecting system memory from attacks. According to Calif, building the exploit code using Anthropic’s Claude AI tools took roughly five days.
Researchers say AI still needed human expertise
Despite the role AI played in the discovery process, Calif chief executive Thai Duong reportedly said the attack was not created by Mythos alone. He told the publication that the exploit still required significant input from experienced human security researchers because the AI system mainly performs well at reproducing previously documented attack patterns rather than inventing entirely new techniques.
“This is kind of a new thing,” Duong reportedly said while discussing how the exploit was developed.
Zalewski also reportedly cautioned against overstating the capabilities of current AI systems, although he acknowledged that newer models are now capable of contributing to meaningful vulnerability research and code auditing work.
AI-driven vulnerability discoveries raise cybersecurity concerns
The report also highlighted growing concerns within the cybersecurity industry over how quickly modern AI systems are improving at identifying software vulnerabilities. Some experts have reportedly begun warning of a potential “Bugmageddon,” referring to a possible surge in newly discovered security flaws that could overwhelm software companies and IT teams responsible for patching them.
The Wall Street Journal cited an earlier example where Anthropic’s AI reportedly identified more than 100 high-severity vulnerabilities in the Firefox browser within two weeks, a figure the report said would normally take the broader security community around two months to uncover.
What is Anthropic’s Mythos
Anthropic’s Mythos is a frontier AI model that has not yet been released publicly. It is capable of analysing software behaviour, identifying vulnerabilities, and in some cases autonomously discovering exploit paths inside complex systems. Anthropic has described Mythos as a tightly restricted and carefully monitored system due to the advanced nature of its capabilities.
The company is currently providing limited access to some of its cybersecurity-focused capabilities through an initiative called Project Glasswing, where select organisations are testing and integrating specific features under controlled conditions.