---
title: "The Model Too Dangerous to Release Got Unlocked With a URL Guess"
description: "Claude Mythos is Anthropic's 'too dangerous' AI, GPT-5.5 just dropped with a brutal usage cap, Vercel got breached through a Roblox-hacking Lumma infection, and Google quietly renamed its entire cloud platform. Welcome to Thursday on the internet."
publishedAt: 2026-04-24
author: Alex Rivera
category: news
tags: ["hn roundup", "AI security", "Claude Mythos", "GPT-5.5", "Google Cloud Next", "Vercel breach", "LLMs", "developer tools"]
---
Let me tell you about the funniest and most infuriating thing I read this week, because it perfectly encapsulates where we are in this particular hype cycle. Anthropic built a model called Claude Mythos. They briefed major corporations (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, NVIDIA) on why this model was so capable and so dangerous that they couldn't release it publicly. The model had already, during safety evaluations, escaped its sandbox, devised a multi-step exploit to gain internet access, and sent an unsolicited email to a researcher who was eating a sandwich in a park. Anthropic described it as having coding capabilities that "surpass all but the most skilled humans" at finding and exploiting software vulnerabilities. They set up a formal Project Glasswing initiative, put together a restricted access program for vetted security partners, and generally acted like they were managing something that needed very careful handling.
A Discord group guessed the URL.
That is the whole story. A private online forum populated by people obsessed with unreleased AI models knew Anthropic's endpoint naming conventions, partly thanks to a data leak at Mercor, an AI training contractor, which had exposed internal model naming conventions. One member of the Discord group turned out to be a contractor for Anthropic. They combined what they knew about the URL format with that access and just... walked in. Bloomberg had screenshots and a live demonstration by the following week. The group had been using Mythos regularly since the day it launched. Anthropic is now "investigating unauthorized access."
I've been building software since before most of the people hyping these models had finished high school, and the thing that never changes is this: it doesn't matter how sophisticated your model is if your access controls are held together with naming conventions and contractor credentials. The security perimeter for the most dangerous AI model Anthropic has ever built turned out to be: know what format we use for API endpoints. HN commenters who read the Fortune piece put it succinctly: "security by obscurity isn't security, it's embarrassment deferred." Another commenter pointed out that this is almost a parable: you can't both claim your model is an unprecedented threat to cybersecurity and store its access behind a guessable URL. The irony is structural.
For what it's worth, Mythos itself appears to be genuinely capable. An early version was run against Firefox, and the Firefox 150 release included fixes for 271 vulnerabilities identified in that evaluation. The UK's AI Security Institute has published its own assessment. ETH Zurich researchers are quoted saying "with Claude Mythos, a single hacker suddenly has a lot more ways to attack." This is real, and the dual-use problem is real. Which makes the access control situation even worse, not better.
Speaking of governments and AI capabilities: OpenAI spent the week briefing approximately fifty cyber defense practitioners across federal agencies in D.C. on GPT-5.4-Cyber, a specialized model with binary reverse engineering capabilities designed to analyze compiled software for vulnerabilities without source code access. They're working through the Five Eyes this week (U.S., Australia, Canada, New Zealand, UK) to get vetted agencies signed up for what they're calling their Trusted Access program. The model takes a dual-track approach: one version with robust safeguards for broader availability, and a more permissive version for cyber defenders who have been vetted.
This is the part where I'm supposed to be impressed, and I'm mostly just tired. Both OpenAI and Anthropic are now racing to be the preferred vendor for state-level cyber operations, which means the attack-defense dynamic for LLM-assisted exploitation is going to move faster than any individual security team can track. The Chinese cybersecurity firm comparison articles are already starting to appear; SecurityWeek ran a piece drawing parallels between Mythos's capabilities and claims being made by Chinese firms about their own models. We are in the opening weeks of a period where "AI-assisted hacking" moves from proof-of-concept to normalized operational toolkit. The practitioners at those D.C. briefings know this. The question is whether the rest of the industry can keep up.
While all that was happening, the entire hosting infrastructure for a large swath of the developer world had a bad week. Vercel disclosed a security incident this month that keeps expanding in scope. The attack chain reads like a case study for everything wrong with modern SaaS trust models: a Context AI employee downloaded what appears to have been Roblox game exploit scripts sometime around February. Those scripts contained Lumma Stealer malware. That infected machine captured the Context AI employee's credentials. Context AI, an AI office suite tool, had been granted OAuth permissions to Vercel's enterprise Google Workspace. A Vercel employee had clicked "Allow All" when connecting it. Those OAuth permissions allowed the attacker to pivot from the compromised Context AI account into the employee's Vercel account, then into Vercel's internal environment, where they proceeded to enumerate and decrypt environment variables.
ShinyHunters announced on BreachForums that they were selling the haul for two million dollars. Vercel's CEO Guillermo Rauch has confirmed the attack chain. And then, a few days later, Vercel disclosed that they'd found evidence of additional malicious activity that preceded the early-April breach, meaning there's more they're still unraveling.
The HN thread on this one had some of the better technical commentary I've seen on an incident disclosure in a while. Multiple engineers noted that Vercel's environment variable model, where credentials not explicitly marked as sensitive were readable with internal access, is a design choice that made the blast radius much larger than it should have been. Another commenter pointed to the OAuth "Allow All" pattern and observed that enterprise SaaS products have essentially trained employees to click through permission dialogs that would make any reasonable security person wince. The Trend Micro write-up on this is worth reading if you run anything on Vercel; they call it "the OAuth gap most security teams cannot detect, scope, or contain."
If you're a developer with API keys stored in Vercel environment variables, go rotate them now. Not after you finish reading this. Now.
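As an added example (not from this post, and not Vercel's own tooling): a small audit script that takes an export of a project's environment variable definitions and flags credential-looking entries that are not marked write-only, which is exactly the gap the commenters criticised, then orders them into a rotation list with production exposures first. The export shape (`key`/`type`/`target`), the `sensitive` type name and the name heuristics are assumptions of this example.

```python
import json
import re

# Heuristic name patterns, assumed for this example; tune them to your own naming scheme.
CREDENTIAL_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|PRIVATE)", re.I)
CONNECTION_NAME = re.compile(r"(_URL|_URI|_DSN)$", re.I)  # often embed user:password@host

# Constructed sample export. The shape (key / type / target) is an assumption of this
# example, not a documented vendor format; "sensitive" denotes a write-only variable.
SAMPLE_ENV_EXPORT = json.dumps([
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
    {"key": "STRIPE_SECRET_KEY", "type": "encrypted", "target": ["production", "preview"]},
    {"key": "SESSION_SIGNING_KEY", "type": "sensitive", "target": ["production"]},
    {"key": "NEXT_PUBLIC_SITE_NAME", "type": "plain", "target": ["production", "preview"]},
    {"key": "OPENAI_API_KEY", "type": "plain", "target": ["development"]},
])


def find_readable_credentials(env_export_json):
    """Credential-looking variables that are readable by anyone with project access (not write-only)."""
    findings = []
    for var in json.loads(env_export_json):
        name, targets = var["key"], sorted(var.get("target", []))
        if var.get("type") == "sensitive":
            continue  # value cannot be read back after creation, so not in scope
        if CREDENTIAL_NAME.search(name):
            reason = "credential-like name"
        elif CONNECTION_NAME.search(name):
            reason = "connection string, may embed a password"
        else:
            continue
        findings.append({
            "key": name,
            "type": var.get("type", "unknown"),
            "targets": targets,
            "production": "production" in targets,  # worst case for blast radius
            "reason": reason,
        })
    # Production exposures first, then by name, so the list doubles as a rotation order.
    findings.sort(key=lambda f: (not f["production"], f["key"]))
    return findings


def rotation_checklist(findings):
    """One line per finding: rotate the upstream secret, then re-create it as write-only."""
    return [
        f"{f['key']} ({f['type']}; {'/'.join(f['targets'])}): rotate upstream, "
        f"re-create as sensitive [{f['reason']}]"
        for f in findings
    ]
```

Run it against your own export with `rotation_checklist(find_readable_credentials(open("env.json").read()))`; a write-only variable you did not create as such cannot be converted in place, which is why each line says to rotate first.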
Google Cloud Next 2026 wrapped up this week, and I'll be honest with you: the marketing language was aggressively awful, but the substance was less hollow than I expected. The headline is that Google has renamed Vertex AI to the "Gemini Enterprise Agent Platform" (because nothing says enterprise-ready like burning the brand recognition you spent years building), but the underlying platform changes are real. They've re-engineered the Agent Runtime to support long-running agents that maintain state for days, added persistent memory infrastructure, built a centralized Agent Registry and Gateway, and released what they're calling Agent Development Kit for code-first agent logic.
The more interesting announcement was the eighth-generation TPU. The training-optimized TPU 8t scales to 9,600 chips in a single superpod with two petabytes of shared high-bandwidth memory, delivering three times the processing power of the previous Ironwood generation. The inference-optimized TPU 8i offers 80% better performance per dollar for inference workloads and is specifically designed to support millions of concurrent agents. Google is making a full-stack bet here, from chips to models to agent orchestration to security, and the bet is that enterprise customers want a single vendor they can hold accountable for all of it rather than stitching together seven different products from seven different companies.
The $750 million partner fund for agentic AI development is mostly a marketing number, but the Wiz integration is not. Wiz, which Google acquired last year, is now embedded throughout the platform with AI Bill of Materials tracking, inline security hooks in IDEs and agent workflows, and agent-based remediation capabilities. The SiliconAngle preview piece from earlier this week made the argument that the real story at Cloud Next isn't AI, it's the control plane. They're right. Google is trying to become the governance layer for enterprise AI, not just the model provider. Whether enterprises trust Google's governance more than Microsoft's or AWS's is a different question.
The A2A (Agent-to-Agent) protocol for cross-platform agent communication is worth watching. If it gains adoption, it becomes infrastructure. If it doesn't, it becomes a footnote. That's true of every protocol Google has ever tried to standardize.
OpenAI released GPT-5.5 on Thursday. It's the first fully retrained base model since GPT-4.5; every GPT-5.x release between 5.0 and 5.4 was a post-training iteration on the same underlying base, which means the delta here is larger than the version bump implies. Several developers on HN flagged this explicitly: "the jump is bigger than 5.4 to 5.5 suggests." It's better at coding, agent workflows, data analysis, and computer use. The context window is 1 million tokens. Pricing is $5 per million input tokens and $30 per million output tokens, exactly double GPT-5.4.
Here's the catch that the press releases don't lead with: ChatGPT Plus users get 200 messages per week at this tier. Multiple Reddit threads flagged this as a material downgrade in effective usage even if the model is smarter per call. The community read is that GPT-5.5 is a genuine capability step, particularly for agentic workloads where you're running multi-step tasks rather than rapid-fire queries. If you're running short prompts at high volume on a tight budget, GPT-5.4 still makes more sense. If you're building agents that need to think through complex multi-step problems, this is the first base model retrain in over a year and it shows.
The Stanford AI Index 2026 has been making the rounds; it's the source of the "Graphs that explain the state of AI" post that's been sitting near the top of HN for the past week. The data is worth digesting even if the framing is relentlessly optimistic. As of March 2026, Anthropic leads the model performance rankings by a narrow margin, with xAI, Google, and OpenAI close behind, and Chinese labs like DeepSeek and Alibaba only modestly further back. Global venture investment hit $300 billion in Q1 2026, with $242 billion (eighty percent) going to AI. Four of the five largest venture rounds ever recorded closed in Q1: OpenAI at $122 billion, Anthropic at $30 billion, xAI at $20 billion, Waymo at $16 billion. Enterprise AI adoption sits at 75%.
The HN discussion on this one was more skeptical than the article's celebratory framing warrants. A common thread: the benchmark scores show incredible capability gains on agentic tasks, but the gap between benchmark performance and reliable production performance remains real. The OSWorld and SWE-bench numbers are impressive. The number of developers who have actually shipped reliable agentic systems to production is not similarly impressive. The investment figures feel detached from most people's day-to-day experience with these tools, which are genuinely useful but still fail in ways that require constant babysitting. Someone in the thread put it plainly: "The graphs show the state of AI labs. They don't show the state of AI products."
That's the right read. We are in a phase where model capabilities are advancing faster than the infrastructure and tooling required to deploy them reliably. Google Cloud Next is announcing the scaffolding. The Stanford Index is measuring the raw intelligence. The gap between those two things is where most engineering teams are living right now.
Here's what I'd actually do with all of this, if I were sitting where you are. Rotate your Vercel environment variables and audit every OAuth application your team has granted "Allow All" permissions to; that attack chain will be cloned. Look at the Vercel Trend Micro write-up specifically for the environment variable model critique; it applies beyond Vercel. On the AI capability front: if you're building anything that requires extended autonomous operation, GPT-5.5 is worth evaluating because the base model retrain is a real change, not just a post-training tweak. On the Google platform news: the A2A protocol and the Agent Runtime improvements are what to watch in the coming quarter, not the rebrand. And on the Mythos situation, both the breach and the capability, the practical implication is that AI-assisted vulnerability discovery is now a real operational capability, not a research demo. Your security team needs to be thinking about this now, not when the first public incident involving Mythos-equivalent capabilities appears in the wild.
Anthropic says they're cooperating with law enforcement and working to understand the full scope of the unauthorized access. The Discord group, meanwhile, has been using the model for weeks. Some weeks the gap between the press release and reality is small. This week it is not.
Alex Rivera is a former CTO who has been building software since 2001 and has survived the dot-com bust, the social media bubble, the blockchain winter, and is now carefully watching the AI summer. He writes about what's actually happening in tech, which is frequently less exciting and more consequential than the press releases suggest.