Anthropic's Claude Mythos Accidentally Proves Every Security Researcher's Worst Nightmare—Then Clams Up About It

Anthropic just dropped Claude Mythos Preview on an unsuspecting world, and spoiler alert: the new AI model found thousands of critical vulnerabilities across operating systems, web browsers, and basically any software that wasn't actively maintained by a paranoid hermit in a bunker. The model is currently being handed out like VIP wristbands at a crypto conference—but only to a select group of companies who promise to play nice. Turns out, when you give a superintelligent AI a magnifying glass and unlimited coffee, it finds stuff that makes zero-day researchers weep into their keyboards.

"We're speedrunning the apocalypse here, folks," Anthropic essentially said in their announcement, noting that AI capabilities are improving faster than devs patch their codebases. "It's only a matter of time before this tech falls into the wrong hands—probably someone's Telegram channel by next week."

The stats aren't helping anyone sleep at night. AI-powered cyberattacks have surged 72% year-over-year, because apparently hackers also read the same productivity newsletters. Meanwhile, 87% of global organizations got hit with AI-enabled attacks in 2025—meaning your corporate VPN is basically a suggestion at this point.

So Anthropic launched Project Glasswing, a defensive initiative that's basically an Avengers squad for cybersecurity, except the Avengers are 40+ companies including AWS, Apple, Cisco, Google, JPMorgan, the Linux Foundation, Microsoft, and Nvidia. The goal? Use Claude Mythos Preview to find bugs, share intel with the squad, and patch critical vulnerabilities before some anonymous actor on a dark web forum gets there first. Think of it as coordinated degen hygiene.

The absolute best part? Many of these vulnerabilities are older than most devs currently employed. The crown jewel is a now-patched 27-year-old bug hiding in OpenBSD—the operating system that neckbeards swear is unhackable. There's also a 16-year-old gremlin in FFmpeg, a 17-year-old remote code execution vulnerability in FreeBSD, and enough Linux kernel flaws to make Linus Torvalds reconsider his life choices.

Mythos Preview also decided to kick the hornet's nest of cryptography, poking around in TLS, AES-GCM, and SSH implementations like they were just sitting there waiting to be embarrassed. Web apps, predictably, are a complete disaster—cross-site scripting, SQL injection, cross-site request forgery, all the classics that developers swear they fixed in 2019 but absolutely did not.

Here's where things get spicy: Anthropic claims 99% of these vulnerabilities remain unpatched, which means their responsible disclosure strategy is essentially "we know where the bodies are buried, but we're not telling