Anthropic's Claude Mythos AI Finds 10,000 Software Flaws

Anthropic says its Project Glasswing initiative used the Claude Mythos AI model to uncover more than 10,000 high- and critical-severity software vulnerabilities since launching about a month ago.

Anthropic's Claude Mythos AI Finds 10,000 Software Flaws

Anthropic Project Glasswing and Claude Mythos AI vulnerability discovery

Anthropic has revealed that its Project Glasswing security initiative has surfaced more than 10,000 high- or critical-severity software vulnerabilities since the effort launched roughly a month ago, putting fresh pressure on developers to patch faster. The disclosure, made on Friday, underscores how quickly AI-assisted vulnerability discovery is reshaping the economics of cyber defense.

What Project Glasswing is

Project Glasswing gives a small group of about 50 partners early access to Claude Mythos Preview, a frontier model built to autonomously hunt for flaws in widely used software before attackers can weaponize them. Anthropic frames the program as a defensive push aimed at hardening the most "systemically important" software that underpins global infrastructure.

Of the flaws flagged so far, 6,202 were initially classed as high- or critical-severity across more than 1,000 open-source projects. Follow-up analysis confirmed 1,726 as valid true positives, with as many as 1,094 rated high- or critical-severity. The work has so far led to 97 fixes landing upstream and 88 advisories being issued.

A critical WolfSSL flaw and a blocked $1.5M fraud

Among the most serious discoveries is a critical weakness in WolfSSL, tracked as CVE-2026-5194 with a CVSS score of 9.1, that could let an attacker forge certificates and impersonate a legitimate service. Anthropic also said the model proved useful beyond bug hunting: one Glasswing partner bank reportedly used it to detect and stop a fraudulent $1.5 million wire transfer after an intruder compromised a customer's email and placed spoofed phone calls.

Why defenders are being told to move faster

The findings arrive as vendors ship more patches than ever, a trend that mirrors other AI-driven security efforts. Anthropic is urging organizations to compress patch testing and deployment timelines, harden default configurations, enforce multi-factor authentication, and keep thorough logs for detection and response. The company also launched a Cyber Verification Program letting vetted security professionals use its models without guardrails for legitimate tasks such as penetration testing and red teaming, echoing OpenAI's comparable Daybreak program for GPT-5.5-Cyber.

An asymmetric advantage, for now

Models like Claude Mythos Preview remain unreleased to the public over fears that adequate safeguards do not yet exist to prevent large-scale misuse. Anthropic argues that Glasswing hands the most important defenders an "asymmetric advantage," but warns that comparable capabilities could soon be widely available. The move continues a busy stretch for the company, which recently expanded its research leadership. It also lands amid a wave of attacks on software ecosystems, from the Megalodon GitHub Actions campaign to Microsoft's takedown of a malware-signing service.

Reporting based on coverage from The Hacker News and Anthropic.

Category: Cyber Security

Tags: Open Source AI Security Cybersecurity AI innovation artificial intelligence

Related Articles