Anthropic’s Claude Digs Up 27-Year-Old Digital Fossils—Turns Out We’ve Been Hacked Since the Clinton Administration

Anthropic just unleashed Claude Mythos Preview into the wild—but only a hand-picked circle of tech royalty gets to play, because apparently, giving everyone a digital skeleton key to every unpatched bug since dial-up is “a bad opsec move.” The model, freshly minted and clearly overachieving, went full digital archaeologist and unearthed thousands of critical vulnerabilities across operating systems, browsers, and software stacks that somehow survived decades of “we’ll patch it later.”

Turns out, every major OS and web browser is basically Swiss cheese with extra holes, and Claude found them all. It’s like sending Sherlock Holmes to inspect a haunted house and he comes back with a spreadsheet titled “All 47 Ways This Place Will Kill You.” Anthropic’s official stance? “Given the rate of AI progress, it won’t be long before this kind of power spreads—possibly into the hands of people who don’t care if the internet catches fire.”

And honestly, the internet’s already smoldering. Hackers have been turbocharging their ops with AI, leading to a 72% YoY spike in AI-driven cyberattacks. By 2025, 87% of global orgs had tasted AI-enabled cyber hell, courtesy of AllAboutAI’s grim report card. So when Anthropic says they’re worried about bad actors getting their hands on this tech, they’re not FUD-ing—they’re just reading the room like everyone else who’s been doxxed by a bot.

Enter Project Glasswing, unveiled Tuesday like a superhero team-up nobody saw coming: AWS, Apple, Cisco, Google, JPMorgan, the Linux Foundation, Microsoft, Nvidia—all holding hands around a digital campfire, vowing to use Claude Mythos Preview not to exploit, but to defend. The plan? Let the AI go full bloodhound on codebases, sniff out bugs, share intel with the alliance, and patch before the degen hackers do. It’s like giving the neighborhood watch a quantum computer.

The bugs Claude’s unearthing aren’t just critical—they’re vintage. Zero-day vulnerabilities, by definition, are flaws no one knew existed until exploited. Historically, hunting them required elite hackers or caffeine-fueled grad students. Now, AI’s doing it at scale and speed that makes Bug Bounty programs look like lemonade stands. Anthropic says the bugs are “often subtle or difficult to detect,” which is tech-speak for “we found logic errors that should’ve been extinct by the time Y2K rolled around.”

The oldest? A 27-year-old relic in OpenBSD—a system literally built for security, now retroactively embarrassed. Then there’s a 16-year-old flaw in FFmpeg (so old it predates TikTok), a 17-year-old remote code execution bug in FreeBSD, and enough Linux kernel vulnerabilities to make Linus Torvalds consider early retirement. It’s not paranoia if the AI keeps finding proof you’ve been pwned since George W. Bush was inaugurated.

Even crypto libs aren’t sacred. Claude flagged weaknesses in TLS, AES-GCM, SSH—the holy trinity of “we thought this was secure.” And web apps? Oh boy. They’re a buffet of cross-site scripting, SQL injection, CSRF, and other alphabet soup vulnerabilities that phishing scammers adore. Turns out, “secure by default” still means “exploitable by AI with a grudge.”

Anthropic’s holding back the details—99% of these bugs are still unpatched, and dropping a public exploit list would be like handing a map to Atlantis to every pirate on the blockchain. “Irresponsible” doesn’t begin to cover it. So for now, they’re playing white hat at scale, feeding fixes quietly to the Glasswing coalition instead of turning GitHub into a zero-day marketplace.

This isn’t the end—it’s the overture. Anthropic believes we’re at the start of an AI-powered security renaissance, where defense outpaces offense… eventually. “In the long run