Apple Mac M5 System Exploited With Anthropic’s Claude Mythos AI, Researchers Claim

Apple devices have long been considered among the hardest consumer systems to hack because of the company’s tightly integrated hardware and software security. Now, a security startup claims a small team of researchers used a preview version of Anthropic’s Claude Mythos to build a working exploit against Apple’s new M5 chip protections in less than a week.

In a Substack post published Thursday, the Vietnam-based Calif said it developed what it describes as the first public macOS kernel memory corruption exploit capable of surviving Apple’s new Memory Integrity Enforcement, or MIE, protections on M5 hardware. Calif said it shared the findings with Apple in a meeting at the tech giant’s headquarters in California.

“We wanted to report it in person, instead of getting buried in the submission flood that some unfortunate Pwn2Own participants just experienced,” Calif wrote. “Most respected hackers avoid human interaction whenever possible, so this physical strategy may give us a slight edge in the eternal race for five minutes of fame and glory on Twitter.”

According to Calif, the “attack path” was discovered accidentally after researchers found the bugs on April 25, then developed a working exploit by May 1.

The exploit chain targets macOS 26 running on Apple M5 systems. According to the company, the attack starts from an unprivileged local user account and escalates to root access using standard system calls. The exploit reportedly combines two vulnerabilities and additional techniques targeting bare-metal M5 hardware with kernel MIE enabled.

Calif said Mythos Preview helped identify the vulnerabilities and assist throughout exploit development, but added that human expertise was still necessary to bypass Apple’s new MIE protections.

“Part of our motivation was to test what’s possible when the best models are paired with experts,” the company wrote. “Landing a kernel memory corruption exploit against the best protections in a week is noteworthy, and says something strong about this pairing.”

Memory corruption bugs are still one of the most common ways attackers break into operating systems and apps, because they can let an attacker crash the program, steal data, or even take control of it. Apple’s MIE feature uses memory-tagging technology to make those attacks much harder.

Anthropic released the preview version of Mythos in April after internal testing and outside evaluations suggested the model could autonomously identify and exploit software vulnerabilities at a level beyond previous public AI models.

Rather than release it publicly, Anthropic restricted access to select technology companies, banks, and researchers under its Project Glasswing initiative. That same month, it was also revealed that the U.S. National Security Agency was using Mythos despite an ongoing feud between Anthropic and the Donald Trump administration.

Mozilla later said Mythos identified 271 vulnerabilities in Firefox during internal testing, while the U.K.’s AI Security Institute found the model could autonomously complete sophisticated multi-stage cyberattack simulations.

Users on Myriad—a prediction market platform operated by Decrypt‘s parent company, Dastan—do not believe a full release of Claude Mythos is imminent, penciling in just a 10.5% chance of a public launch by June 30, as of this writing.

Calif called the Apple M5 exploit “a glimpse of what is coming.”

“Apple built MIE in a world before Mythos Preview,” Calif wrote. “We’re about to learn how the best mitigation technology on Earth holds up during the first AI bugmageddon.”