Anthropic's Claude Dug Up 27 Years of Cyber Skeletons and Said Nobody Gets to Leave the Table

Anthropic is keeping its latest AI model on a very short leash after it unearthed thousands of critical vulnerabilities scattered across operating systems, web browsers, and software like forgotten burritos in a couch cushion. The company announced it is rolling out Claude Mythos Preview to only a select group of hand-picked companies after the model discovered vulnerabilities in every major operating system and web browser—and apparently had to stop itself from posting a thread about it on social media.

The numbers are absolutely grim, and by grim we mean "your wallet is crying." There has been a 72% year-over-year increase in AI-powered cyberattacks, with 87% of global organizations experiencing AI-enabled cyberattacks in 2025, according to AllAboutAI. So basically, if you haven't been attacked yet, someone's probably just building a really elaborate phishing email with your name on it.

To address this digital apocalypse, Anthropic launched Project Glasswing on Tuesday. The initiative brings together more than 40 companies, including Amazon Web Services, Apple, Cisco, Google, JPMorgan, the Linux Foundation, Microsoft, and Nvidia. Project Glasswing will use Claude Mythos Preview to defensively find bugs, share data with partners, and patch critical vulnerabilities before bad actors can exploit them. It's basically a neighborhood watch, except the neighbors are trillion-dollar corporations and the watchman is an AI that has seen some things.

The vulnerabilities discovered were often subtle or difficult to detect—think of them as the internet's most dedicated hiders. Many were 10 or 20 years old, lurking in codebases like that weird uncle at family gatherings. The oldest found so far was a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security, which means even the security nerds got got. Anthropic also uncovered a 16-year-old bug in the FFmpeg media processing library and a 17-year-old remote code execution vulnerability in the open-source FreeBSD operating system, plus numerous vulnerabilities in the Linux kernel. At this point, we should probably just assume everything is broken and act accordingly.

Mythos Preview also identified weaknesses in the world's most popular cryptography libraries, algorithms, and protocols, including TLS, AES-GCM, and SSH. Web applications were found to contain "a myriad of vulnerabilities," ranging from cross-site scripting and SQL injection to cross-site request forgery, often used in phishing attacks. Translation: your encrypted everything isn't quite as encrypted as you thought, but don't worry, nobody panic, just maybe change your passwords.

Anthropic noted that 99% of the vulnerabilities it found have not yet been patched, making disclosure impractical for now. This is what happens when you let an AI do a security audit—it finds out that nobody has actually been doing their homework for the past two decades. The company acknowledged this is likely just the beginning of a trend, and the work of defending the world's cyber infrastructure might take years. However, AI will help harden software and systems—because apparently the same technology creating the chaos will also be the one to clean it up.

"In the long run, we expect that defense capabilities will dominate: that the world will emerge more secure, with software better hardened