
Anthropic's restricted Mythos model may ship inside Claude Code
Anthropic is preparing to roll out Mythos, a restricted model flagged for major security risks to public and private software, to Claude Code.
What happened
Anthropic appears to be preparing a public rollout of Claude Mythos inside Claude Code, according to BleepingComputer. Mythos was announced in April 2026 as an advanced-capability model under restricted access — flagged by Anthropic itself for major security risks to private and public software.
What makes Mythos unusual is that it reportedly crosses specific internal thresholds in Anthropic's evaluations — thresholds that typically indicate capabilities relevant to *autonomous exploitation* (active assistance in finding and leveraging vulnerabilities) beyond what standard models provide. This isn't just a smarter model in the general sense; it's one with an offensive-security-relevant capability profile.
Claude Code is an agentic AI environment (AI that operates autonomously on real systems — executes code, reads files, calls APIs, modifies repos) running locally with broad permissions over a developer's environment. Pairing it with that risk profile is not a trivial decision.
Why it matters
The concern isn't the model in isolation. It's the combined attack surface:
- A model with *offensive-grade* reasoning capabilities (designed to reason about vulnerabilities at expert level)
- Wired into an agent with direct access to your codebase, terminal, filesystem, and potentially your environment secrets
- In a threat landscape where prompt injection (manipulating the model through malicious inputs in its environment — a README, a code comment, an external API response) is already a documented attack vector against coding agents
If Mythos reasons better about vulnerabilities, it's also more weaponizable via prompt injection: an attacker controlling any text the agent reads could instruct it to exfiltrate code, credentials, or run unauthorized commands.
Anthropic has shown with its Responsible Scaling Policy (RSP) that it takes these thresholds seriously. But deploying Mythos in an agentic context — where the model acts, not just responds — is a bet worth watching closely.
What to do
- Audit your current Claude Code permissions: which directories it can read, which commands it can run, which APIs it can hit directly.
- Review your `.claude/settings.json`: the permissions allowlist should be minimal, not the "allow all" default carried over from initial setup.
- Keep secrets out of the working directory: `OPENAI_API_KEY`, tokens, `.env` files — outside the agent's reach or explicitly excluded from its context.
- Track Anthropic's release notes when Mythos ships: look specifically for agentic-use restrictions and any new security controls bundled with the model.
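One way to automate the settings review and the secrets check from the list above, as an added example that is not code from the original article or from Anthropic. It assumes `.claude/settings.json` carries a `permissions` object with `allow` and `deny` rule lists written as `Tool` or `Tool(specifier)` plus an optional `defaultMode`; the function names, the risky-tool set and the secret-filename pattern are illustrative choices.

```python
import re
from pathlib import Path

# Assumed layout: {"permissions": {"allow": [...], "deny": [...], "defaultMode": "..."}}
# with each rule written as "Tool" or "Tool(specifier)".
RULE = re.compile(r"^(?P<tool>[A-Za-z_]+)(?:\((?P<spec>.*)\))?$")
RISKY_TOOLS = {"Bash", "Read", "Edit", "Write", "WebFetch"}  # illustrative set
SECRET_NAMES = re.compile(r"^(\.env(\..+)?|.*\.pem|id_rsa|credentials(\.json)?)$")


def audit_settings(settings: dict) -> list:
    """Return findings for a permissions block that is broader than it needs to be."""
    perms = settings.get("permissions", {})
    findings = []
    if perms.get("defaultMode") == "bypassPermissions":
        findings.append("defaultMode bypasses all permission prompts")
    for rule in perms.get("allow", []):
        m = RULE.match(rule)
        if not m or m["tool"] not in RISKY_TOOLS:
            continue
        spec = m["spec"]
        # A bare tool name or a pure wildcard specifier grants the whole tool.
        if spec is None or spec.strip() in {"", "*", ":*", "**"}:
            findings.append(f"allow rule '{rule}' grants the whole {m['tool']} tool")
    # Heuristic: expect at least one deny rule that mentions .env files.
    if not any(".env" in r for r in perms.get("deny", [])):
        findings.append("no deny rule covers .env files")
    return findings


def find_secret_files(root: Path) -> list:
    """List secret-looking files inside the directory the agent works in."""
    hits = []
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and ".git" not in rel.parts and SECRET_NAMES.match(p.name):
            hits.append(str(rel))
    return sorted(hits)


# Constructed sample settings, not taken from any real project.
SAMPLE = {"permissions": {
    "allow": ["Bash", "Read(**)", "Bash(npm run test:*)"],
    "deny": ["Bash(curl:*)"],
}}

if __name__ == "__main__":
    print(*audit_settings(SAMPLE), sep="\n")
    print(*find_secret_files(Path.cwd()), sep="\n")
```

Load the real file with `json.load` and pass the result to `audit_settings`; an empty list from both functions means neither check found anything to tighten.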
The pattern is well-established: the most capable models land first in developer tooling, which is the highest-value target. Whoever controls the agent touching your code controls a lot more than a chatbot.