NSA Is Using Anthropic's Mythos Model That Found Zero-Days in curl — Despite Pentagon Blacklisting Anthropic
The NSA has been quietly using Anthropic's Mythos model — a vulnerability-detection AI credited with finding zero-days in curl and the Linux kernel — even as the Pentagon formally blacklisted Anthropic from federal contracts. The contradiction between official policy and active operational use is raising questions about how real the DoD blacklist actually is.
The Pentagon officially blacklisted Anthropic from Department of Defense contracts earlier this year, citing disputes over contract terms and data handling requirements. But a leaked internal briefing published by Hacker News today reveals the NSA has been running Anthropic's Mythos model — a specialized AI for code analysis and vulnerability detection — against production codebases as part of its cyber operations division.
Mythos has reportedly identified two previously unknown vulnerabilities: one in curl, the ubiquitous data transfer utility embedded in billions of devices, and one in the Linux kernel. Both findings were disclosed responsibly to maintainers before publication, but the source of the discoveries raises immediate questions about how government intelligence agencies are operating outside official procurement channels.
The NSA's use of Mythos appears to have been arranged through an intermediary contractor, sidestepping the DoD blacklist while maintaining technical access. This pattern — official ban, operational workaround — is familiar to anyone who has watched government technology procurement over the past decade, but the scale and sensitivity of the AI capability involved are new.
Hacker News commenters are split between treating the blacklist as "pure theater" and raising substantive concerns about surveillance applications of vulnerability-hunting AI. If Mythos can find zero-days in widely deployed open-source infrastructure, the question of who controls that capability — and under what oversight — is not academic.
Anthropic has not publicly commented. The NSA declined to confirm or deny the reporting. The Hacker News thread has 233 comments as of publication and is the most-discussed story on the site today.
Panel Takes
The Builder
Developer Perspective
“A model that found real zero-days in curl and the Linux kernel is a genuine advance in automated security research. The government procurement drama is a sideshow — the interesting question is whether this class of vulnerability-hunting AI will be accessible to defenders as well as attackers.”
The Skeptic
Reality Check
“The zero-day claims need independent verification before anyone treats them as established fact. Government capability hype has a long history of exaggerating what AI tools actually do in production. And 'leaked internal briefing' as a source should raise red flags about the information's purpose.”
The Futurist
Big Picture
“This story reveals something important about the future of AI governance: official bans and procurement rules are poor controls when the capability is digitally accessible through intermediaries. The real regulatory challenge for powerful AI is jurisdictional, not contractual.”