- Calif researchers used Anthropic’s Claude Mythos Preview to build a working exploit against Apple’s M5 Memory Integrity Enforcement in under a week.
- The attack chains two bugs and advanced techniques to trigger macOS kernel memory corruption and gain access to restricted system areas.
- Experts describe this as the first public exploit that successfully survives Apple’s new hardware-assisted MIE protections on M5 chips.
- The case fuels debate over controlled access to powerful AI models that can both strengthen and undermine cybersecurity.
In recent days, a low-profile cybersecurity experiment has turned into a major talking point across the security community: a preview version of Anthropic’s advanced AI model, Claude Mythos, has been credited with helping break through one of Apple’s newest hardware defenses on its M5 chips. The episode is being viewed as a concrete example of how cutting-edge AI can both uncover critical flaws and potentially reshape the balance between attackers and defenders.
According to researchers at the Palo Alto-based startup Calif, the Mythos Preview model played a crucial supporting role in crafting a working exploit that compromises Apple’s latest Memory Integrity Enforcement (MIE) protection on M5-based Macs. While the attack still required deep human expertise, the team says AI drastically accelerated the discovery of exploitable bugs, raising fresh questions about who should be allowed to wield such systems and under what conditions.
How Claude Mythos helped breach Apple’s M5 protections
The core of the story centers on Calif, a cybersecurity firm based in California’s tech hub of Palo Alto, which set out to evaluate how well Apple’s new MIE mechanism on M5 chips could withstand modern exploit techniques. In the course of that research, the team used Anthropic’s Claude Mythos Preview as a kind of AI co-pilot to analyze code paths, reason about potential weaknesses, and prioritize promising attack surfaces.
Calif’s researchers report that they ultimately managed to combine two distinct software bugs with several specialized hacking techniques to achieve kernel-level memory corruption on macOS running on M5 hardware. This corruption then allowed them to reach parts of the system that are normally off-limits, effectively bypassing some of Apple’s most advanced hardware-assisted protections.
What makes this case stand out is that the resulting exploit appears to be, in the words cited by multiple reports, the first publicly known macOS kernel memory corruption attack that survives Apple’s MIE protections on M5 chips. For a defense mechanism that Apple has been touting as a major advance after years of investment, seeing a public exploit materialize so quickly has caught the industry’s attention.
Sources including The Wall Street Journal and Mac-focused outlets have highlighted that the exploit does not rely on exotic hardware failures or physical access tricks. Instead, it chains logical flaws that, once identified, can be turned into a consistent attack path capable of neutralizing MIE’s safeguards on affected systems.
Calif itself described the project as a test of what happens when high-end AI tooling is paired with seasoned exploit developers, rather than a one-click automated hacking scenario. Nonetheless, the speed and sophistication of the outcome have raised alarms about how quickly such capabilities could spread if not tightly controlled.
What is Memory Integrity Enforcement on the M5 chip?
Apple introduced Memory Integrity Enforcement as a flagship security feature for its M5 chip line, designed to harden devices against entire categories of memory corruption attacks. The idea is straightforward but ambitious: use dedicated hardware support to monitor and constrain how memory is used, making it far harder for attackers to hijack low-level code execution.
According to Calif’s analysis, Apple spent roughly five years bringing MIE from concept to shipping product, with an investment that likely reached into the billions of dollars. The company positioned MIE as a step change for hardware-assisted memory safety, aiming to wipe out long-standing exploit techniques that had been leveraged against previous generations of iOS and macOS devices.
Before Calif’s research, MIE had reportedly been very successful in practice. The startup claims that every publicly known exploit chain targeting current iOS systems had been disrupted by MIE, including high-profile kits such as the recently leaked Coruna and Darksword packages. In other words, MIE was seen as a major roadblock for attackers relying on classic memory corruption patterns.
Against this backdrop, the emergence of a public kernel memory corruption exploit that can operate in spite of MIE’s protections on M5 hardware is being viewed as a significant technical and symbolic development. It does not mean MIE has failed overall, but it does show that determined researchers can still carve out viable attack paths, especially when supported by powerful analytical tools like Claude Mythos.
Technical details remain closely held; Calif and Anthropic have not yet released full documentation of the exploit chain, stressing that they’re waiting until Apple has fully addressed the issue. However, their comments suggest that while MIE raises the bar substantially, it is not an unbreakable shield, and future mitigations will need to assume that AI-accelerated vulnerability discovery is part of the threat landscape.
A timeline: from bug discovery to working exploit in under a week
One of the most striking elements in Calif’s account is the pace of development. The firm has laid out a fairly precise timeline showing that the entire exploit—from initial bug identification to a reliable working proof-of-concept—came together in less than seven days, a speed that even hardened security professionals find noteworthy.
As described by the team, the process began when researcher Bruce Dang spotted the first relevant bugs on April 25. Security specialist Dion Blazakis joined the effort on April 27, bringing additional expertise to shape the evolving attack strategy and better understand how MIE responded to early attempts at exploitation.
Shortly after, engineer Josh Maine focused on building the necessary tooling to explore, test, and refine the exploit paths suggested by both the human researchers and the Mythos model. By May 1, just days after the initial discovery, Calif says it had a fully functioning kernel exploit capable of bypassing MIE on targeted M5-based systems.
The researchers stress that this rapid turnaround was not purely the result of automation. Instead, they describe a back-and-forth workflow in which Mythos Preview surfaced promising vulnerability patterns, which human experts then validated, refined, and chained into a coherent exploit. The tight loop between AI-generated hypotheses and expert analysis appears to have compressed what might otherwise have taken weeks or months into a matter of days.
Calif characterized the achievement as an early but telling demonstration of “what happens when machine intelligence and human expertise converge” in the offensive security domain. Landing a kernel exploit against what they regard as Apple’s most robust protections “in a week” is, in their words, a sign that this pairing is likely to become a powerful force—one that defenders will have to account for going forward.
The role of Claude Mythos: powerful, but not fully autonomous
Central to this story is Anthropic’s Claude Mythos Preview, a model that has not been released to the general public precisely because of its advanced capabilities in software vulnerability analysis and exploitation. Instead, access is restricted to a closed group of large technology firms, financial institutions, and vetted research organizations under Anthropic’s Project Glasswing initiative.
Calif repeatedly emphasized that the AI system contributed meaningfully to each stage of the exploit’s development. According to the startup, Mythos demonstrated an ability to quickly recognize when newly surfaced bugs fit into well-understood exploit classes, and to suggest ways in which those weaknesses might be chained together or manipulated. This pattern-recognition strength allowed the team to skip large swaths of manual trial-and-error.
The company described Mythos with language that highlights both its power and its generality: once the model has learned to attack a particular category of security problems, it can generalize that knowledge to a wide variety of similar targets. That means the same conceptual techniques that work on one piece of software could potentially be transferred, with adjustments, to entirely different systems.
Even so, Calif’s researchers are careful to underscore that human judgment remained central. MIE on M5 chips is a relatively new mitigation layer, and parts of its behavior under active attack were not yet fully mapped out, even internally at Apple. As a result, understanding how to bypass or work around those protections required experienced exploit developers to interpret AI suggestions, test them against real hardware, and iterate based on subtle feedback from crashes, logs, and system behavior.
The team has gone out of its way to push back against the notion that Mythos is a “push-button exploit generator.” Instead, they portray it as an extremely capable assistant that amplifies human abilities—especially by shortening the time required to move from bug discovery to practical exploitation. Still, the fact that such a tool even exists, and can be this effective in expert hands, is fueling a wide-ranging debate about access controls and responsible deployment.
Industry reaction and Apple’s response
The discovery has drawn significant interest from across the tech world, both because of the exploit’s technical sophistication and because of the way it was built. Media outlets such as The Wall Street Journal have framed the case as a notable shift in offensive cybersecurity capabilities, with AI moving from a theoretical concern to a concrete enabler of high-end attacks.
On Apple’s side, public commentary has remained cautious. In a statement quoted by the WSJ, an Apple representative leaned on the company’s standard line that user security is a top priority and that any reported vulnerabilities are thoroughly investigated. Beyond that, the company has not provided detailed remarks on the specific Calif exploit or how it might reshape future iterations of MIE.
There are hints, however, that Apple has already started taking the findings seriously. Observers have noted references to both Calif and Anthropic Research in the release notes for macOS Tahoe 26.5, an update issued on a recent Monday. This has been interpreted as a sign that at least some mitigation work is underway, though neither Calif nor Apple has confirmed exactly which aspects of the exploit, if any, have been fully patched.
Calif, for its part, has stressed that it is holding back complete technical documentation until Apple has “finally eliminated the attack vector.” The firm chose to disclose the vulnerability in person at Apple’s California headquarters instead of relying on standard bug submission channels, citing a desire to avoid getting lost in the flood of reports that large vendors receive—especially around events like Pwn2Own, where coordinated disclosure can easily become chaotic.
This relatively direct, face-to-face disclosure approach suggests that all sides recognize the sensitivity of an exploit that not only targets Apple’s newest chip architecture but also showcases the growing role of AI in uncovering such flaws. Until more details emerge, much of the broader community is left reading between the lines of brief public statements and sparse technical hints.
Why Anthropic restricted access to Claude Mythos
Anthropic’s decision to keep Claude Mythos out of the hands of the general public predates the Calif-Apple episode, but this incident is being seen as a validation of those cautious instincts. During internal tests and external evaluations, the company reportedly observed that Mythos could autonomously identify and, in some scenarios, help exploit software vulnerabilities at a level beyond any previously public AI system.
In light of those findings, Anthropic opted for a tightly controlled release. Under the initiative sometimes referred to as Project Glasswing, Mythos is available only to select partners—large technology companies, banks, and a short list of research organizations—who agree to operate under strict usage guidelines. The aim is to harness the model’s strengths for defensive security and research, while reducing the risk that it might be misused by opportunistic attackers.
This strategy has not entirely quelled concerns. Some industry observers argue that even limited access to such a tool could accelerate an “arms race” dynamic, where organizations with privileged access can rapidly develop cutting-edge offensive capabilities, potentially destabilizing the broader ecosystem. Others counter that it is better for capable defenders to explore and understand these techniques now, rather than wait for less scrupulous actors to catch up.
Adding complexity to the debate, there have been reports that Mythos has already delivered impressive results in purely defensive contexts. Mozilla, for example, is said to have observed the model identifying hundreds of potential vulnerabilities in Firefox during internal tests—271 issues in one cited instance. Findings like these suggest that the same characteristics which make Mythos potent for exploit development also make it an unusually powerful ally for hardening software.
Anthropic has not publicly committed to any timeline for broader access to Mythos, and events like the M5 exploit are likely to strengthen arguments for maintaining or even tightening current restrictions. For now, the model remains a kind of specialized instrument, used in a handful of high-stakes security environments where its dual-use nature is explicitly acknowledged.
AI in cybersecurity: a growing double-edged sword
The Calif exploit case has quickly become a reference point in the broader conversation about AI’s role in cybersecurity. On one hand, the ability of tools like Mythos to rapidly analyze code, spot subtle bug patterns, and suggest attack or defense strategies could dramatically improve how quickly defenders find and patch flaws. On the other, the same capabilities can shorten the development cycle for sophisticated exploits, especially when wielded by highly skilled teams.
Security professionals have long worried about a future where AI systems might take over large parts of the offensive workflow, from reconnaissance to exploit development and lateral movement. The M5 episode doesn’t yet represent full automation, but it offers a glimpse of what it looks like when AI becomes an integral, high-leverage component of a real-world attack chain, even in the hands of responsible researchers.
Many in the field now expect that AI-assisted exploitation will increasingly become the norm at the top end of the threat spectrum. Well-funded attackers, whether criminal groups or state-backed actors, are likely to explore or build their own analogues to models like Mythos, using them to sift through massive codebases and uncover weak points that would be impractical for humans to find alone.
At the same time, defenders are looking at this incident as a wake-up call. If offense can be accelerated to this degree, then patching pipelines, code review practices, and vulnerability management processes may need to be reimagined to keep pace. Some organizations are already experimenting with AI-assisted auditing tools, hoping to use similar techniques to preempt attacks by discovering and fixing vulnerabilities first.
The Calif-Apple story thus lands in the middle of an evolving landscape, where AI is no longer an abstract future concern but an active player in the security arena. How companies choose to deploy, restrict, or regulate such models in the coming years will likely shape not just individual incidents, but the overall trajectory of digital risk.
Put together, the exploit against Apple’s M5 Memory Integrity Enforcement, the central role played by Claude Mythos Preview, and the controlled yet controversial way Anthropic is handling access to the model all point in the same direction: advanced AI is becoming tightly interwoven with the mechanics of modern cybersecurity. This particular case shows that when state-of-the-art language models collaborate with experienced human researchers, they can uncover and operationalize serious hardware-level flaws in astonishingly short timeframes—an emerging reality that both vendors and defenders will have to reckon with as they design the next generation of protections.