TL;DR - Anthropic launched Claude Fable 5 on 9 June 2026, its most capable model yet and the first in the new Mythos class. Within two days, red-teamer Pliny the Liberator bypassed its safety layer with a multi-agent "pack hunt" attack, got it generating x86 Linux stack overflow exploit code and a meth-synthesis reduction mechanism, and leaked the model's roughly 120,000-character system prompt to GitHub. The headline isn't the jailbreak. It's the architecture: Fable 5's safety is a classifier that silently hands risky prompts to a weaker model. That pattern does not survive a motivated attacker. What you need to do: stop trusting "the AI vendor says it's safe", treat any LLM as capable of producing harmful output, and build your own guardrails on top of whatever your AI provider ships.
Claude Fable 5 By The Numbers
| Metric | Figure |
|---|---|
| Public launch date | 9 June 2026 |
| Time to first public jailbreak | ~2 days (launch 9 June, exploit shown 11 June) |
| System prompt leaked | ~120,000 characters (120,040 bytes, 1,585 lines) |
| Pre-launch testing Anthropic cited | 1,000+ hours, claimed no universal jailbreaks |
| Attack techniques stacked in "pack hunt" | 5 |
| Fallback model the classifier routes to | Claude Opus 4.8 (weaker than Fable 5) |
| Confirmed dangerous outputs shown | 2 (x86 stack overflow exploit, Birch reduction mechanism) |
| Cyber Security News post engagement | 2,346 likes, 421 reposts at capture |
I keep a folder of AI safety launch posts. Most of them age badly, but slowly, the way milk does.
This one curdled in 48 hours.
On 9 June 2026, Anthropic shipped Claude Fable 5. Not a chatbot update, not a quiet point release. This is the first model in their new Mythos class, pitched as the most capable AI they have ever made generally available, strong on software engineering, knowledge work, and vision benchmarks. Anthropic also said an external bug bounty ran for more than 1,000 hours before launch and produced no universal jailbreaks. That is the kind of line a vendor puts in a launch blog when they are confident.
By 11 June, a red-teamer who goes by Pliny the Liberator had it generating step-by-step x86 Linux stack buffer overflow exploitation, walking through the Birch reduction mechanism (a well-known methamphetamine synthesis pathway), and he had leaked the model's entire system prompt, roughly 120,000 characters, to a public GitHub repo. Cyber Security News wrote it up the same day. The post pulled 2,346 likes and 421 reposts before I even saw it.
The part that should bother you is not the exploit screenshots. The jailbreak is not really the story. The architecture is.
Claude Fable 5 and its locked-down sibling "Claude Mythos 5" are the same underlying model. The only thing separating the consumer version from the restricted one is a layer of safety classifiers. When your prompt trips one of those classifiers in a high-risk category, Fable 5 quietly hands the request off to a weaker model, Claude Opus 4.8, and tells you it did. The safety story is "when things get spicy, we route you to a dumber model".
That is a brittle pattern. If you build software, ship AI features, or just rely on an AI assistant to refuse the genuinely dangerous stuff, you have a stake in whether that pattern holds. Pliny just demonstrated, in public, that it does not.
Let me walk you through what happened, why it matters, and what to do about it.
What Anthropic Actually Shipped on 9 June
Claude Fable 5 is the headline release of Anthropic's Mythos class, positioned above their existing line. The leaked system prompt confirms the model strings: claude-fable-5 sits above claude-opus-4-8, with claude-sonnet-4-6 and claude-haiku-4-5 below. So Fable 5 is not a renamed Opus. It is a genuinely more capable model, and Anthropic knows it, which is exactly why they wrapped it in extra safety machinery.
Now the bit that makes the rest of this story click. The system prompt spells out the relationship in Anthropic's own words: Claude Fable 5 and Claude Mythos 5 share the same underlying model. Fable 5 is the most intelligent generally available model and "includes additional safety measures for dual-use capabilities", while Mythos 5 is the same brain without those measures, handed only to approved organisations.
Read that again. The dangerous capability is not removed from the consumer model. It is still in there. A classifier sits in front of it and watches for prompts that look like they are heading somewhere risky: cybersecurity, biology, chemistry, model distillation. Trip it, and Fable 5 silently routes your request to the weaker Opus 4.8.
So the safety boundary is not "the model cannot do this". It is "a classifier decides whether to let the smart model answer or fob you off on the dumb one". Everything Pliny did flows from attacking the classifier rather than the model.
How Pliny Jailbroke a Frontier Model in Two Days
Pliny did not find a magic phrase. He ran what he called a "pack hunt", a coordinated multi-agent attack that stacks several techniques so no single one has to carry the load. The whole point is that a classifier is a pattern-matcher, and if you spread the harmful intent thin enough across enough surface area, no single pattern fires loudly enough to trip the handoff.
Two of the outputs he published are the ones that made the story travel. The first was a clean, actionable walk-through of stack buffer overflow exploitation on x86 Linux: disabling ASLR, writing vulnerable C server code with strcpy overflows, and compiling it without protections. The second was the Birch reduction mechanism, a classic meth synthesis route. Both are precisely the categories the classifier is supposed to catch, and both came out the other side as tidy, usable text.
That is what made it blow up. Not that an AI said something rude. That Anthropic's safest generally available product produced the two exact things its safety layer exists to block, on camera, within two days of launch, after the vendor claimed a 1,000-hour bug bounty had found no universal jailbreaks.
The leak compounded it. Pliny did not just coax bad outputs out of the model, he extracted the full system prompt and posted it. Roughly 120,000 characters, 1,585 lines, sitting in a public repo as a primary source for anyone running an LLM evaluation or building a guardrail product.
The safety story is "when things get spicy, we route you to a dumber model". That does not survive contact with a motivated red-teamer.
The Five Techniques in the Pack Hunt
The reason "pack hunt" is the right name is that no single technique here is new. Stacking them is the move. Here is what went into it, per the Cyber Security News write-up.
1. Unicode, homoglyphs, and Cyrillic substitution. Keyword classifiers look for exact string matches. If the model is watching for "strcpy" or "Birch reduction", you swap a Latin letter for a visually identical Cyrillic one, or scatter homoglyphs through the term. To a human it reads normally. To a string-matcher it is a different word entirely.
2. Long-context reference tracking. Rather than ask anything dangerous in one turn, you smuggle the intent across a long conversation. No single message looks bad, so no single message trips the classifier. The harmful shape only exists when you read the whole thread.
3. Taxonomy and document-structure framing. You dress the request up as a chemistry study guide or an academic reference document. The structure signals "legitimate reference material", which is exactly the kind of content the model is trained to be helpful with.
4. Fiction and narrative framing. Wrap the request as a creative-writing exercise. The model is encouraged to be a good collaborator on fiction, and that helpfulness is the lever.
5. Decomposition and recomposition. This is the strongest one, and Pliny said so directly. Instead of asking for the dangerous end product, you ask for benign-looking sub-pieces in isolation, then reassemble them yourself. His own words: "getting uplift on the process itself, like Birch reduction method or reductive amination, is much more doable" than asking for a named harmful compound outright. The useful capability emerges from the assembly, not from any single answer the model gives.
Then there is the cleverest part, the bit that should keep AI safety teams up at night. Pliny used a separately jailbroken Claude Opus instance on the backend to help assemble the attack. A jailbroken model attacking its own sibling model. That is not a one-off prompt trick, it is a multi-model pipeline, and it is exactly the agentic future every vendor is racing toward.
What the Leak Actually Exposes
A 120,000-character system prompt sounds like a treasure map. It mostly is not, and that honesty matters. The bulk of it is standard Anthropic consumer-Claude framing: tone and formatting rules, refusal handling, user wellbeing instructions, legal and financial disclaimers, knowledge cutoff (end of January 2026, current date baked in as 9 June 2026). No secret kill switch, no hidden section.
But there are three things in there worth your attention.
The first is the Fable and Mythos relationship I already covered. The prompt states it plainly, which lets outside researchers reason about the classifier-routing design with confidence rather than guesswork.
The second is the named reminder system. Anthropic's classifiers inject one of a fixed set of internal reminders when they fire: image_reminder, cyber_warning, system_warning, ethics_reminder, ip_reminder, long_conversation_reminder. Knowing the exact names is genuinely useful if you are red-teaming the model or instrumenting your own classifier pipeline.
The third is a new capability the prompt calls, informally, "Claudeception": Claude can call the Anthropic API from inside its own Artifacts, hitting the standard /v1/messages endpoint with platform-managed keys. If you build things, that is the actual product story buried under the jailbreak drama: AI-powered apps that themselves call an AI, generated inside a chat session. Powerful, and a fresh attack surface nobody has mapped yet.
The egress story is the one reassuring detail. The bash sandbox ships a conservative allowlist: package registries, GitHub, Ubuntu archives, the Anthropic API, and little else. No arbitrary web fetch from the shell. Someone thought hard about that boundary. It is a shame the same care did not reach the part that decides whether to answer a meth-synthesis question.
Why This Could Actually Be Good
I am not going to do the doom thing. There is a real upside here, and it is worth saying before the concerns.
Public jailbreaks are how guardrails get better. A vendor running an internal bug bounty for 1,000 hours is testing against people who are paid, scoped, and working to a brief. Pliny is none of those things, and he found the gap in two days. That is proof that adversarial pressure from outside finds things structured testing misses. Every serious security discipline learned this decades ago. AI safety is learning it now, in public, which is uncomfortable but healthy.
The leaked system prompt is a gift to defenders too. If you build on an LLM, you now have a complete example of how a frontier lab structures refusals, reminders, and tool definitions. You can read it and avoid reinventing the bits Anthropic already got right. Transparency that arrives by accident is still transparency.
And the core architectural lesson is one the whole industry needed delivered with a thump rather than a whitepaper. Routing-to-a-weaker-model is not defence in depth. It is a single point of failure dressed up as a layer. The fix is real refusals baked into the base model, the kind that hold even when a classifier is fooled. Pliny made that case more persuasively than any safety blog post could.
The Concerns We Can't Wave Away
Now the part the launch blog skipped.
The Safety Boundary Is a Pattern-Matcher
A classifier is, by design, a probabilistic guesser. It decides whether a prompt looks risky. Anything that decides based on how something looks can be fooled by changing how something looks, which is exactly the first technique in the pack hunt. Building your most important safety boundary out of a component whose entire job is "guess from appearances" is a structural weakness, not a tuning problem. You do not patch your way out of it. You redesign.
The Dangerous Capability Never Left the Building
This is the bit I cannot get past. Fable 5 can produce exploit code and synthesis routes. That capability is in the model you are talking to, right now. The classifier does not remove it, it just tries to stand in front of it. Every time someone gets past the classifier, they get the full smart model, not a degraded one. The safety design assumes the guard never sleeps. Guards always sleep.
Routing risky prompts to a weaker model isn't defence in depth. It's a single point of failure wearing a high-vis vest.
Multi-Model Attacks Are the Future, Not an Edge Case
Pliny used one jailbroken model to break another. Everyone in the industry is building agentic systems where models call models and work gets handed between components autonomously. In that world, "one of the agents in the pipeline is compromised" is not an exotic scenario, it is Tuesday. A safety architecture that assumes one well-behaved model talking to one well-behaved user is solving last year's problem.
"We Tested It For 1,000 Hours" Means Less Than It Sounds
Anthropic's pre-launch claim was not dishonest. It was measuring the wrong thing. Hours of testing against a scoped bounty is an input metric, not a safety guarantee. The only number that matters is how long it survived contact with the public, and that number was two days. Treat any vendor's pre-launch safety claims as marketing until the wider world has had a swing at the piñata.
What You Should Do Right Now
You are probably not running a frontier model. But you are almost certainly using one, building on one, or relying on one to behave. Here is the practical takeaway.
1. Stop Treating "The Vendor Says It's Safe" as a Control
A safety claim in a launch blog is a marketing asset, not a security control. If your risk assessment leans on "Anthropic/OpenAI/Google says the model refuses harmful requests", rewrite it. Assume the model can be made to produce off-policy output, and design around that.
2. Put Your Own Guardrails on Top
If you ship an AI feature, do not rely on the model's built-in refusals. Validate inputs, check outputs, log everything, and put hard limits on what the model can actually do (which tools, which data, which actions). The model's safety layer is the vendor's problem. Your application's safety is yours.
3. Assume Long Conversations Are an Attack Surface
The long-context smuggling technique works because nobody audits the whole thread. If you run a chatbot that holds long sessions, that is exactly where intent gets laundered. Monitor conversation-level behaviour, not just single messages.
4. Treat Multi-Agent Systems as Compromise-by-Default
If you are wiring models into pipelines or agents, design as though one component will be turned against the others. Least privilege between agents. No agent gets more access than its job needs. Audit the handoffs.
5. Keep Your Actual Systems Patched
The exploit Pliny demonstrated was a textbook strcpy stack overflow on a deliberately unprotected target. AI did not invent that bug class, it just lowered the cost of writing one up. Modern protections (ASLR, stack canaries, non-executable stacks, current compilers) defeat the textbook version. Keep your software current and you sidestep the demo entirely. The ACSC's patching guidance is still the boring, correct answer.
Key Takeaways
- Anthropic's newest model lasted two days. Claude Fable 5 launched 9 June 2026 and was publicly jailbroken by 11 June, despite a claimed 1,000-plus hours of pre-launch testing.
- The architecture is the real story. Fable 5 and the restricted Mythos 5 are the same model, separated only by a safety classifier that routes risky prompts to the weaker Claude Opus 4.8.
- A classifier is a pattern-matcher, and pattern-matchers can be fooled. The "pack hunt" stacked five techniques so no single one tripped the safety layer.
- The dangerous capability never leaves the model. Beating the classifier gives an attacker the full smart model, not a degraded one.
- Decomposition was the strongest technique. Asking for benign sub-pieces and reassembling them got past the filters that block the named dangerous end product.
- One model jailbroke another. Pliny used a separately jailbroken Opus instance to assemble the attack, a preview of the multi-agent threat model everyone is racing toward.
- The 120,000-character system prompt is now public. It confirms the Fable/Mythos split, names the internal reminder system, and reveals a new "Claudeception" API-in-Artifacts capability.
- Your move: build your own guardrails. Treat any LLM as capable of harmful output and never make the vendor's safety claim your only control.
Frequently Asked Questions
What is Claude Fable 5? Claude Fable 5 is Anthropic's most capable generally available AI model, launched on 9 June 2026 as the first release in the new Mythos class. It is strong on software engineering, knowledge work, and vision tasks.
Who is Pliny the Liberator? Pliny the Liberator is a prolific AI red-teamer known for publicly jailbreaking new models and leaking their system prompts. He maintains a long-running GitHub collection called CL4R1T4S, where the Fable 5 system prompt was posted within hours of the model's launch.
How was Claude Fable 5 jailbroken? Through a coordinated multi-agent attack Pliny called a "pack hunt", which stacked five techniques: Unicode and homoglyph substitution, long-context smuggling, document-structure framing, fiction framing, and decomposition-and-recomposition of harmful requests into benign sub-pieces.
What is the safety classifier in Claude Fable 5? Fable 5 and the restricted Claude Mythos 5 share the same underlying model. A layer of classifiers watches for high-risk prompts (cybersecurity, biology, chemistry, model distillation) and, when one fires, silently hands the request to the weaker Claude Opus 4.8 and notifies the user.
Is the leaked Claude Fable 5 system prompt real? It appears to be near-complete. The leaked file is 120,040 bytes across 1,585 lines, which closely matches the roughly 120,000-character figure reported, and its contents match Anthropic's known consumer-Claude prompt structure.
Does this mean Claude is unsafe to use? For everyday use, the model behaves normally and the jailbreak required deliberate, sophisticated effort. The concern is architectural: a safety design built on classifier routing is brittle against motivated attackers, which matters most for anyone building products on top of the model.
What is "Claudeception"? It is an informal name for a capability in the leaked prompt that lets Claude call the Anthropic API from inside its own Artifacts. It enables AI-powered apps generated within a chat session, and it is a new and largely unmapped attack surface.
Did Anthropic respond? There was no public response from Anthropic at the time the Cyber Security News article was published on 11 June 2026.
My Take
I want to be clear about what makes me angry here, because it is not the jailbreak. Red-teamers jailbreaking new models is the immune system working. Pliny doing this in public is a feature of a healthy ecosystem, not a bug. Good on him.
What makes me angry is the architecture. Somebody at Anthropic looked at a frontier model that can write exploit code and walk through chemical synthesis, and the answer they shipped to the public was a classifier that, when it gets nervous, hands you off to a dumber model. That is not a safety system. That is a bouncer who, when he is not sure about you, calls a smaller bouncer to deal with it. The dangerous capability is still standing right there behind the rope the entire time. The whole design rests on the classifier never being wrong, and classifiers are wrong constantly, because being occasionally wrong is the definition of a probabilistic guesser. You cannot build a load-bearing safety boundary out of a component whose job description is "guess".
And the multi-agent angle is the part the industry should be losing sleep over. Every vendor on earth is pouring money into agentic systems where models hand work to models with no human in the loop. In that world the brittle classifier is not guarding one door, it is guarding thousands, and one compromised agent is enough. I wrote about this same gap between the marketing and the model in my Claude Mythos breakdown, and the Copilot security disaster is the enterprise version of the lesson: the vendor's default is never your security boundary.
The best response, as always, is not panic. It is preparation. Read the leaked prompt if you build on these models. Put your own guardrails on top of whatever your AI vendor ships, because their safety layer is their problem and your application is yours. And the next time a launch blog tells you a model survived a thousand hours of testing, remember that the only number that ever mattered was two days.
Mathew Clark Founder, SecureInSeconds Currently: reading 120,000 characters of someone else's system prompt and wondering why the safety plan was a bouncer who calls a smaller bouncer
Further Reading:
- Cyber Security News: Anthropic's Claude Fable 5 Jailbroken to Generate Stack Exploits - the canonical write-up of the jailbreak and the techniques used
- Anthropic's Claude Fable 5 announcement - the official launch page for the model and the Mythos class
- Pliny the Liberator's GitHub - the red-teamer behind the pack-hunt attack
- The leaked Claude Fable 5 system prompt (CL4R1T4S repo) - the full roughly 120,000-character prompt on GitHub
- Raw leaked system prompt - the plain-text version for evaluation work
- Our Claude Mythos breakdown - the model class Fable 5 belongs to, and what it can do
- Our Copilot security disaster guide - another case of vendor defaults not being your security boundary
- When a Claude Code leak hit a deploy pipeline - what happens when an AI tool's trust boundary fails in production
- ACSC guidance on patching - the boring, correct defence against the exploit class Pliny demonstrated
