271 Firefox flaws closed thanks to Mythos AI: Breakthrough for IT security?

Discussion in 'PC' started by PulseWave, Apr 23, 2026 at 3:26 PM.

  1. PulseWave

    PulseWave Audiosexual

    Joined:
    May 4, 2025
    Messages:
    5,121
    Likes Received:
    2,992
    271 Firefox flaws closed thanks to Mythos AI: Breakthrough for IT security?

    Anthropic's "dangerous" AI could give IT security defenders the decisive edge.
    At least, that's what the Firefox team, which has access, believes.

    Apr 22, 2026 at 3:27 pm CEST
    By Martin Holland

    In the latest Firefox update, 271 vulnerabilities were closed, which the browser's development team found using Anthropic's new AI model, Claude Mythos Preview. Mozilla has now announced this, stating that for a hardened product like its browser, each of these vulnerabilities would have justified a red alert. Nevertheless, working with the AI model – which only a few companies working in IT security officially have access to – has been a hopeful experience, the team assures. In the eternal battle between attackers and defenders in the IT field, the latter finally have the opportunity to win thanks to the breakthrough in AI development – “decisively”.

    From “completely incapable” to “every bit as capable” as the best humans
    Anthropic introduced Mythos two weeks ago and stated that the model is so dangerous that it is only made available to companies working in IT security. The AI model has already identified thousands of high-risk zero-day vulnerabilities. At the same time, the AI technology is significantly more likely to develop a working exploit for such vulnerabilities, sometimes even using several in conjunction. Therefore, only companies that can use the tool to improve IT security have been granted access. To what extent this is honest concern, clever PR, or even a limitation based on Anthropic's resources not being sufficient for a release, is currently being hotly debated.

    Mozilla's Firefox team is now among the first to share experiences with Mythos publicly. They have been working with Anthropic since February 2026; searches with the Opus 4.6 model had already uncovered 22 security-relevant bugs in Firefox 148. In the blog post announcing the release of Firefox version 150, the group now writes that they have long recognized in silence that the number of exploitable security vulnerabilities could never be reduced to zero. However, they have tried to make zero-day exploits so expensive that only actors with unlimited resources have access to them and do not use them against “normal” users. They reached this conclusion because attackers have an asymmetric advantage. The attack surface, for example in a browser, is not infinite but large enough to make defense with existing tools very difficult.

    Until now, only a few people have been able to find security vulnerabilities through time-consuming source code analysis. Computers have been “completely incapable” of this until a few months ago, and at Firefox, they have years of experience analyzing the work of these experts. Anthropic's Mythos Preview is now “every bit as capable” as these very few people: “So far, we haven't found any category or complexity of vulnerability that humans can uncover that this model can't uncover,” the team writes. While this sounds alarming, they also found that Mythos has not found any vulnerabilities that a top researcher couldn't have found.


    “We are entering a new world”
    Therefore, they do not share predictions that AI models will find entirely new forms of vulnerabilities in the future that exceed our current understanding: “The defects are finite, and we are entering a world where we can finally find them all.” While Firefox confirms Mythos's claimed capabilities with this, it is an initial indication of the possible consequences for IT security. At Mozilla, they actually assume that all vulnerabilities and all attack vectors can be found with the help of AI. This would be a huge gain for IT security. However, whether this will prove true remains to be seen. The update for Firefox is installed automatically, but it can also be initiated by clicking on “About Firefox” in the “Help” menu.


    Source: www.heise.de/en/news/271-Firefox-flaws-closed-thanks-to-Mythos-AI-Breakthrough-for-IT-security-11267732.html
     
    • Interesting x 2
    • Like x 1
  3. Will Kweks

    Will Kweks Audiosexual

    Joined:
    Oct 31, 2023
    Messages:
    1,360
    Likes Received:
    964
    Can we please stop with this Anthropic advertising campaign? This shit exists mostly in press releases, and it's worthwhile to remember that Mozilla is heavily investing in AI themselves?

    I highly recommend reading what cybersecurity people say instead of trusting the people trying to sell it to us: The Boy That Cried Mythos: Verification is Collapsing Trust in Anthropic

    Specifically this section: The Firefox 147 evaluation: the centerpiece, vivisected

    In short: this is advertising, and false advertising at that. The takeaway is not what AI does or does not do, but that the companies pushing this are not to be trusted.
     
    • Agree x 3
    • Like x 2
    • Winner x 1
    • Interesting x 1
    • Useful x 1
  4. PulseWave

    PulseWave Audiosexual

    Joined:
    May 4, 2025
    Messages:
    5,121
    Likes Received:
    2,992
    News, Industry - written by dp on Tuesday, April 21, 2026
    User Deception and Data Theft: Invisible Cyberattacks via Clickjacking
    Tags: Autofill, Clickjacking, Cyberattack, Data, Data Theft, Click, Links, User Deception

    Cybercriminals hide malicious links behind legitimate buttons, images, or web elements, tricking users into unknowingly revealing their data.
    [datensicherheit.de, April 21, 2026] In a recent warning, Panda Security describes the increase in cyberattacks that exploit a simple user action – the click: In so-called clickjacking, cybercriminals hide malicious links behind legitimate buttons, images, or web elements, tricking users into unknowingly revealing their data. "Current analyses show how widespread and dangerous this method is. In 2025, several password managers were identified as vulnerable to clickjacking flaws." Attackers could have triggered autofill functions and accessed sensitive data "such as login credentials, 2FA codes and payment information".
    • Cybercriminals use "clickjacking" on web applications that store personal data, such as passwords.
    Unwittingly revealing sensitive data or triggering malicious actions
    Clickjacking works by manipulating the behavior of websites—often through invisible layers or rapid content changes to redirect clicks. Because these attacks can also occur on legitimate websites, they are particularly difficult to detect.
    Experts warn that, given the increasing sophistication of cyberattacks, raising user awareness plays a crucial role.

    "Clickjacking is especially dangerous because it exploits trust and normal user behavior," emphasizes Hervé Lambert, Global Consumer Operations Manager at Panda Security. He explains: "Users believe they are interacting with legitimate content, while in reality they are unknowingly revealing sensitive data or triggering malicious actions."
    Insights and advice on data security in the context of clickjacking

    Findings from Panda Security:
    • Clickjacking hides malicious links behind legitimate web elements.
    • Users can unknowingly download malware or disclose personal data.
    • Even trusted platforms and tools can be vulnerable.
    • Invisible overlays and rapid content changes make attacks difficult to detect.
    • Education and basic security measures are crucial for prevention.
    Recommendations from Panda Security:
    • Avoid clicking on suspicious or unexpected pop-ups!
    • Hover your mouse over links to check the URL before clicking!
    • Keep your browser and software up to date!
    • Use ad blockers and security tools to filter malicious content!
    • Install a trusted antivirus solution with real-time protection!
    www.datensicherheit.de/nutzertaeuschung-datendiebstahl-unsichtbar-cyberangriff-clickjacking
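
Added example, not part of the quoted article or of any post in this thread: a site-side check for the "invisible layers" variant described above, where a page is loaded inside a hidden frame. It classifies a response's anti-framing headers; `X-Frame-Options` and the CSP `frame-ancestors` directive are not mentioned in the article, and the sample responses and host names are constructed.

```python
STRICTNESS = ["unprotected", "allow-list", "same-origin", "deny"]

def frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP policy, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def classify_sources(sources):
    if not sources or sources == ["'none'"]:
        return "deny"                    # an empty list behaves like 'none'
    if any(s in ("*", "http:", "https:") for s in sources):
        return "unprotected"             # any web origin may frame the page
    if all(s == "'self'" for s in sources):
        return "same-origin"
    return "allow-list"

def framing_policy(headers):
    """headers: list of (name, value) pairs, so repeated headers are kept."""
    csp_levels, xfo = [], set()
    for name, value in headers:
        key = name.strip().lower()
        if key == "content-security-policy":  # Report-Only is not enforced
            for policy in value.split(","):   # comma-joined policies
                sources = frame_ancestors(policy)
                if sources is not None:
                    csp_levels.append(classify_sources(sources))
        elif key == "x-frame-options":
            xfo.update(v.strip().upper() for v in value.split(","))
    if csp_levels:
        # Enforced frame-ancestors overrides X-Frame-Options; strictest wins.
        return max(csp_levels, key=STRICTNESS.index)
    if "DENY" in xfo:
        return "deny"
    if "SAMEORIGIN" in xfo:
        return "same-origin"
    return "unprotected"                 # also covers obsolete ALLOW-FROM

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "login": [("X-Frame-Options", "DENY")],
    "legacy": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp-wins": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
                 ("X-Frame-Options", "DENY")],
}
if __name__ == "__main__":
    print({name: framing_policy(h) for name, h in SAMPLES.items()})
```

The check covers framing only; overlays built inside the page's own DOM are outside what these headers control.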
     
  5. PulseWave

    PulseWave Audiosexual

    Joined:
    May 4, 2025
    Messages:
    5,121
    Likes Received:
    2,992
    Firefox has once again made its internet browser more secure.
    Firefox is focusing on user control: One-click disabling of all AI features.

    AI is the new hype; without AI, every company goes under. Customers want AI.
     
  6. tzzsmk

    tzzsmk Audiosexual

    Joined:
    Sep 13, 2016
    Messages:
    4,497
    Likes Received:
    2,830
    Location:
    Heart of Europe
  7. Obineg

    Obineg Rock Star

    Joined:
    Dec 7, 2020
    Messages:
    1,024
    Likes Received:
    352
    you ask him something and he replies with 5 other articles, press releases and LLM cites. :P
     
    • Agree x 1
    • Funny x 1
  8. Mynock

    Mynock Audiosexual

    Joined:
    Jul 14, 2012
    Messages:
    1,603
    Likes Received:
    2,378
    It’s the good use of AI. Right now, if I were a programmer, I wouldn’t even be worried about it, because this duo is a real lifesaver… it works perfectly... at least until the software’s admin or project leader decides to fire the programmer… or until a disgruntled ex‑employee who manages to replicate similar features decides to blackmail the company or launch a digital "smash‑and‑grab". :woot:
     