Gloss

Bureau Files12 APRIL 2026

The Lock Was the Lockpick

Anthropic built a tool that found zero-day vulnerabilities in every major operating system and every major browser. Then the tool leaked before the announcement. Then the government held a secret meeting about it. Then the meeting leaked. The Bureau files the containment sequence.

Bureau of Systemic Vulnerability Assessment, Defensive Capability Division9 MIN READ
The Marriner S. Eccles Federal Reserve Board Building in Washington, D.C.
Wikimedia Commons / AgnosticPreachersKid (CC BY-SA 3.0)

The First Vulnerability

On March 26, 2026, Fortune reported that Anthropic had accidentally left draft blog posts in a publicly accessible data store. The posts described a model the company had not yet announced. The internal tier name was Capybara. The public name, when it arrived twelve days later, was Claude Mythos Preview.

The company that built a tool to find where systems leak had its own systems leak first. Fortune published the specifications. Anthropic confirmed the model existed. The announcement that was supposed to be controlled was instead extracted -- from Anthropic's own infrastructure, by the exact category of exposure the tool was designed to detect.

The Bureau of Systemic Vulnerability Assessment, Defensive Capability Division, begins its filing here. Not with the capability. Not with the emergency meeting. With the leak. The tool that maps where information escapes was itself the first escape. The containment failed before the containment was announced.

The Capability

Anthropic's own technical report, published at red.anthropic.com, documents what Claude Mythos Preview found.

Zero-day vulnerabilities in every major operating system. Zero-day vulnerabilities in every major web browser. A 27-year-old vulnerability in OpenBSD. A 16-year-old vulnerability in FFmpeg. A 17-year-old remote code execution flaw in FreeBSD's NFS implementation. The model autonomously chained Linux kernel vulnerabilities to achieve privilege escalation. Its first-attempt exploitation success rate, across the full test suite, was 83.1 percent.

The Bureau directs the reader's attention to the age of the vulnerabilities. Twenty-seven years. Sixteen years. Seventeen years. These are not novel attack surfaces created by the tool. These are doors that have been unlocked since before the tool existed. The tool did not create the exposure. The tool proved the exposure had been there all along -- undetected by every audit, every penetration test, every compliance review conducted across three decades of institutional cybersecurity.

Anthropic's own assessment: too dangerous for public release. Dario Amodei, the company's chief executive, stated in a video accompanying the announcement: "More powerful models are going to come from us and from others, and so we do need a plan to respond to this."

The Bureau notes the verb. Not "we have a plan." We need a plan. The capability arrived before the response architecture. The tool shipped. The plan is in procurement.

The Room

On April 8, 2026, at Treasury headquarters in Washington, D.C., five of the six major American bank CEOs sat in a room with Federal Reserve Chair Jay Powell and Treasury Secretary Scott Bessent.

Bloomberg reported the meeting on April 10. CNBC confirmed it independently. The attendees, confirmed across multiple outlets: Brian Moynihan of Bank of America. Jane Fraser of Citigroup. David Solomon of Goldman Sachs. Ted Pick of Morgan Stanley. Charlie Scharf of Wells Fargo. The demands, as Bloomberg described them: conduct thorough security audits. The warnings: the capability exists, the threat is real, the financial system's infrastructure is exposed.

The Bureau directs the reader's attention away from the agenda and toward the seating arrangement.

The Federal Reserve Chair and the Treasury Secretary sat together. They issued joint demands to private-sector bank executives. US News & World Report had reported, twelve days earlier, on the Trump administration's sustained campaign to test Federal Reserve independence on bank regulation. The institutional boundary between the central bank and the executive branch -- the foundational architecture of monetary independence -- is not decorative. It is the structural premise on which the financial system's credibility rests.

The first boundary dissolved by the emergency was the one the emergency was supposed to protect. The system encountered a threat severe enough to require the central bank and the political executive to share a table. The independence of the Fed from Treasury -- the premise -- was the opening cost of the meeting about the threat to the system built on that premise.

BUREAU NOTE: The sequence, in the Bureau's assessment, merits its own sub-filing. The meeting was called because a tool revealed that the financial system's infrastructure is vulnerable. The meeting was held in a configuration that dissolved the financial system's institutional architecture. The vulnerability was discussed inside the vulnerability. The Bureau declines to classify this as irony. It is the first data point in the containment log.

The Absent Chair

Jamie Dimon was invited. Jamie Dimon did not attend. JPMorgan Chase -- the largest American bank by assets -- was already a named launch partner of Anthropic's defensive program.

The five who were summoned were summoned because they did not yet have access. The one who was not there was not there because he already did. The briefing was for the uninformed. The informed were operational.

The CEOs who did attend were already in Washington for a Financial Services Forum board meeting, according to multiple outlets. The emergency cybersecurity briefing -- the meeting at which the government disclosed that a tool capable of exploiting every major operating system had been built by a private company and was being distributed to selected institutions -- was scheduled alongside their existing trip.

A threat to the architecture of the American financial system. Tacked on.

The Defensive Program

Anthropic announced Project Glasswing on April 7, 2026 -- one day before the Treasury meeting.

The program commits up to $100 million in usage credits and $4 million in donations to open-source security organizations. Twelve named launch partners: Apple, Google, Microsoft, NVIDIA, JPMorgan Chase, CrowdStrike, Palo Alto Networks, the Linux Foundation, and four others. Forty additional organizations beyond the named twelve. The stated purpose: defensive cybersecurity. Use the model that finds the vulnerabilities to find and patch the vulnerabilities before adversaries exploit them.

The Bureau files the structure.

A company built a model. The model found vulnerabilities in every major operating system and browser. The company announced that the model was too dangerous for public release. The company then launched a program in which selected partners pay to use the model to defend against the vulnerabilities the model found. The program is funded at $100 million. The company that created the capability that generated the threat now operates the program that charges institutions to defend against the threat. The program's revenue model requires the threat to persist long enough for the defence to be purchased.

BSI Germany's Claudia Plattner stated that the capability must be taken "very seriously." The Bureau notes the adverb. The seriousness is not in question. The question is whether the entity selling the seriousness is the same entity that manufactured the conditions requiring it. The Bureau has reviewed the corporate structure. It is.

BUREAU NOTE: The Bureau wishes to draw the reader's attention to the arithmetic. Anthropic committed $100 million to defend against a capability that Anthropic built. The $100 million flows to partners who will use Anthropic's model to find the vulnerabilities that Anthropic's model found. The partners include the companies whose operating systems and browsers contain the vulnerabilities the model discovered. Apple, Google, and Microsoft are defending their own infrastructure using the tool built by the company that proved their infrastructure was compromised. The Bureau has a filing category for this arrangement. The category is "the locksmith's retainer."

The Containment Sequence

The Bureau compiles the full sequence for the institutional record.

March 26, 2026: Anthropic's systems leak the existence of Mythos via an unsecured data store. Fortune reports the leak. The company that finds where information escapes has its information escape.

April 7, 2026: Anthropic officially announces Claude Mythos Preview and Project Glasswing. The model is described as too dangerous for public release. The defensive program is launched simultaneously -- the threat and the remedy sharing an announcement date.

April 8, 2026: Treasury Secretary Bessent and Fed Chair Powell summon five bank CEOs to Treasury headquarters. The meeting is held under conditions of extreme confidentiality. The institutional boundary between the central bank and the executive branch is dissolved for the duration of the briefing.

April 10, 2026: Bloomberg reports the meeting. CNBC confirms it independently. The extreme confidentiality lasts forty-eight hours.

Each stage of the containment produced the next breach. The tool leaked. The announcement disclosed the capability. The secret meeting was reported. The confidential attendee list was published. The Bureau is now filing a dispatch about all of it, sourced from the reporting that the participants described as extremely confidential.

Every layer of institutional response generated the documentation for the next layer of institutional exposure. The Bureau does not find this surprising. A tool that maps where information escapes has, by its existence, created the highest-value piece of information in the system. The information about who is vulnerable is now the vulnerability.

The Bureau of Systemic Vulnerability Assessment, Defensive Capability Division, files the following terminal observation.

The lock was the lockpick. The locksmith leaked the blueprint. The emergency locksmith's convention dissolved the wall between the two rooms it was supposed to protect. The locksmith then sold a $100 million retainer to install new locks -- using the same tool that picked the old ones. The retainer requires the locks to keep failing. The locks will keep failing. The retainer is fully funded.

The Bureau will continue to monitor the containment sequence. The containment sequence will continue to generate the material that the Bureau monitors. Both operations are running. Both are documented. The documentation is the breach, and the breach is the product, and the product is on the record.

BUREAU NOTE: The Bureau of Systemic Vulnerability Assessment acknowledges, for the institutional record, that this dispatch was researched using reporting that was supposed to remain confidential, about a tool that was supposed to remain unannounced, built by a company whose own data store failed to remain secure. The Bureau has traced the containment failures from Anthropic's infrastructure to Fortune's newsroom to Treasury's conference room to Bloomberg's terminal to the Bureau's own filing cabinet. At no point in this sequence did the information stop moving. The Bureau does not claim to be the final node. The Bureau is aware that a reader is processing this document now, on a browser that the tool found vulnerabilities in, on an operating system the tool found vulnerabilities in. The system the Bureau just described is the system the reader is using to read the description. The Bureau files this observation. The reader's device has already filed the rest.

Narrative Delivery Service

We’ll Tell You What to Think.
You Just Supply the Address.

Bureau dispatches delivered directly to your inbox. Pre-framed, pre-approved, ready to absorb. No effort required on your part — your opinions will arrive fully formed, as usual.

No spam. The Bureau considers unsolicited email beneath its editorial standards. You will receive only what you were going to believe anyway. Unsubscribe anytime.*
*Your opinions will continue to be manufactured through other channels.