Monday, June 15, 2026
The US pulls two Anthropic models worldwide over a disputed code-review jailbreak, the first export-control takedown of a deployed model, as AI-found zero-days pile up in FFmpeg and the Pixel 9.
Washington pulls Fable 5 and Mythos 5
The US government ordered Anthropic to suspend its newest frontier models, Fable 5 and Mythos 5, for all foreign nationals worldwide. Unable to filter by citizenship at the model layer, Anthropic disabled both for every customer globally. The Commerce Department directive landed at 5:21pm ET on June 12; Simon Willison’s polling script caught the cutoff about four hours later, with API calls returning 404s and Claude products falling back to Opus 4.8. AWS was separately told to revoke access for all users in all regions.
The stated basis is a jailbreak: prompting the model to read a codebase and identify software flaws, which the government frames as a national-security uplift for cyberattacks. Anthropic disputes the severity, saying it got only verbal evidence of a “narrow, non-universal jailbreak,” that the bugs surfaced were minor and already public, and that GPT-5.5 and other public models do the same, work security defenders run daily. An unnamed official told Axios the jailbreak bypasses classifier safeguards across cyber, chemistry, and biology; The Next Web reports the UK’s AI Safety Institute produced a partial single-turn jailbreak within hours, which Anthropic distinguishes from a universal one. The government has published no technical evidence.
It appears to be the first use of US export-control authority against a deployed commercial model rather than chips or weights. Anthropic, which red-teamed Fable 5 for thousands of hours with the US government and UK AISI before launch, warns that applying this threshold industry-wide would halt all new frontier deployments. The Guardian notes the Pentagon recently blacklisted Anthropic over its refusal of surveillance and autonomous-weapons work, even as the NSA runs its models on classified networks; the company filed confidentially for an IPO last month. The Wall Street Journal reports Amazon CEO Andy Jassy’s talks with officials triggered the crackdown; Amazon is Anthropic’s largest investor.
Security: bugs, keys, and supply chains
The capability at the center of that fight is getting cheaper. The security firm Depthfirst says its autonomous agent found 21 zero-day vulnerabilities in FFmpeg, including a zero-click remote-code-execution chain in the AV1 RTP depacketizer triggered by one 183-byte RTSP packet, with eight CVEs assigned and all bugs fixed upstream. Depthfirst puts the run at about $1,000 against the $10,000 it attributes to Anthropic’s Mythos on the same target, though it shares no common methodology, so the comparison is loose.
New attack surface opens the same way. Google Project Zero published a working zero-click chain against the Pixel 9, rooted in an integer overflow in Dolby’s audio decoder (CVE-2025-54957). The path exists because Google Messages auto-decodes incoming RCS and SMS audio for transcription before the user opens anything; the Dolby blob ships statically linked into most Android media stacks. Patched January 5.
- Trail of Bits and Hanno Böck recovered 677 private keys by factoring “short-sleeve” RSA and DSA moduli, whose limbs carry regular zero-bit blocks from a CompleteFTP RNG bug. Rewriting the modulus as a polynomial turns hard integer factorization into easy polynomial factorization. A second pattern in expired Yahoo and Verizon certificates is unattributed.
- A systematization of the constant-time model confirms a timing leak in private-key loading in OpenSSL and BoringSSL, with BoringSSL’s per-observation signal orders of magnitude stronger despite its stricter threat model.
- Arch Linux’s AUR was hit by a malware campaign reaching 1,579 packages, up from about 400 at disclosure; maintainers removed the commits they could find but say the list is incomplete.
Also notable
- Andrej Karpathy proposes a “ghosts vs. animals” frame: today’s LLMs are ghosts, statistical distillations of human text, against Sutton’s animal that learns from its environment by reinforcement. Pretraining, he argues, is “our crappy evolution,” a cold-start substitute rather than a mistake.
- The Commerce Department ordered the Census Bureau to ban “noise infusion,” effectively outlawing differential privacy for coarsening and suppression; the author, a DP researcher, argues that reopens the record-reconstruction attacks DP was adopted to block.
- WIRED reports Meta moved about 6,500 engineers into an “Applied AI” unit writing synthetic training data on a join-or-leave basis, with 1,600-plus employees separately petitioning against keystroke harvesting for training. Meta declined to comment.
What to watch today
- Anthropic promised fuller technical detail on the jailbreak within 24 hours of its June 13 statement; watch whether it names the capability and the bugs.
- Whether OpenAI or Google get similar directives, given Anthropic’s GPT-5.5 parity claim.
- Project Zero’s Part 2 (kernel escalation via CVE-2025-36934) and Part 3 of the Pixel 9 chain.