Anthropic's Claude Mythos Sparks Emergency Review of India's Telecom Network Security

India's cybersecurity establishment has shifted to high alert after an AI model developed by US-based Anthropic demonstrated the ability to uncover software vulnerabilities that evaded human developers for decades. The Indian Computer Emergency Response Team (CERT-In) issued a high-severity advisory on April 26, directly citing Claude Mythos Preview—a model released on April 7—after it autonomously identified and exploited flaws in telecom infrastructure code. The advisory signals a fundamental recalibration of how organizations must approach vulnerability management, warning that newly disclosed flaws should now be treated as actively exploitable within hours, not the weeks traditionally allocated for patching cycles.

Major Indian carriers Airtel and Vodafone Idea (Vi) have begun reviewing the security practices of their network software vendors following the revelations. The telcos' core infrastructure relies on systems built and maintained by third-party vendors including Nokia, Ericsson, and Samsung, meaning the operators themselves lack direct access to patch critical vulnerabilities. This structural dependency amplifies the risk: Airtel and Vi collectively hold the call records, location data, and payment information of hundreds of millions of Indian subscribers. The discovery that an AI model could surface long-undetected flaws in vendor-maintained code has exposed a systemic vulnerability chain that the telcos cannot resolve independently.

The incident raises pressure across multiple layers of India's digital ecosystem. Regulators face questions about oversight mechanisms for vendor-supplied infrastructure, while financial institutions and government agencies that depend on telecom networks must reassess their own exposure. Security researchers note that the episode illustrates a widening gap between the pace at which AI systems can discover flaws and the speed at which traditional vendor disclosure and patching processes operate. For ordinary users, the advisory underscores that the protection of their personal data now depends not only on the security posture of their service providers, but also on the practices of an entire supply chain of foreign vendors whose code has now been revealed as more fragile than previously assumed.