Anthropic's Claude Unearths Decades-Old Bug Graveyards, Now Locked Behind 'Please Don't Be Evil' Agreement

Anthropic is dropping its newest AI model, Claude Mythos Preview, on a carefully curated group of companies after it spent some quality time auditing codebases and found thousands of critical vulnerabilities hiding in operating systems, web browsers, and basically everything else your laptop is running right now.

The general-purpose model found high-security vulnerabilities in every major operating system and web browser. Many of these bugs are 10 to 20 years old, with the oldest being a patched 27-year-old vulnerability in OpenBSD—an operating system renowned for its security focus.

Other notable discoveries include a 16-year-old bug in the FFmpeg media processing library, a 17-year-old remote code execution vulnerability in FreeBSD, and numerous vulnerabilities in the Linux kernel.

Claude Mythos Preview also identified weaknesses in widely-used cryptography libraries, algorithms, and protocols, including TLS, AES-GCM, and SSH. Web applications were found to contain a range of vulnerabilities, from cross-site scripting and SQL injection to domain-specific flaws like cross-site request forgery, frequently exploited in phishing attacks.

"Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely," Anthropic noted.

AI-powered cyberattacks have increased 72% year-over-year, with 87% of global organizations experiencing AI-enabled attacks in 2025, according to AllAboutAI.

Anthropic has launched Project Glasswing, an initiative bringing together over 40 companies, including Amazon Web Services, Apple, Cisco, Google, JPMorgan, the Linux Foundation, Microsoft, and Nvidia. The project leverages Claude Mythos Preview's capabilities to defensively identify bugs, share findings with partners, and patch critical vulnerabilities before malicious actors can exploit them.

Anthropic stated that 99% of the discovered vulnerabilities remain unpatched, making responsible disclosure challenging. The company acknowledged that securing the world's cyber infrastructure will take years, though AI should accelerate the timeline.

"In the long run, we expect that defense capabilities will dominate: that the world will emerge more secure, with software better hardened—in large part by code written by these models. But the transitional period will be fraught."