Anthropic’s newest AI model just went hunting for bugs in open-source software. It found a lot of them.
Claude Mythos Preview, the company’s autonomous vulnerability detection model, identified more than 23,000 potential security vulnerabilities across over 1,000 open-source projects drawn from the OSS-Fuzz corpus. Of those, 1,726 have been confirmed through external review. More than 1,000 of the confirmed bugs were rated high or critical severity.
Decades-old bugs, freshly surfaced
Among the vulnerabilities Mythos flagged: a 27-year-old security flaw in OpenBSD and a 16-year-old vulnerability in FFmpeg. Both are widely used, foundational pieces of open-source infrastructure.
More than 99% of the zero-day vulnerabilities discovered by Mythos remained unpatched at the time of disclosure, according to the model’s evaluations.
Project Glasswing and the $100 million commitment
Anthropic launched Project Glasswing, a controlled consortium giving select partners access to Mythos Preview so they can identify and remediate critical vulnerabilities in their own software.
The partner list includes AWS, Apple, Google, Microsoft, NVIDIA, and JPMorgan Chase. Anthropic has pledged up to $100 million in model usage credits to support this effort. On top of that, over $4 million has been earmarked specifically for enhancing the security of open-source projects.
By placing Mythos behind a controlled access program rather than releasing it broadly, Anthropic maintains a proprietary advantage. Discussions are already circulating about whether similar vulnerability detection could be accomplished with publicly available models.
What this means for the cybersecurity landscape
Finding over 23,000 potential vulnerabilities in a single sweep, with more than 1,000 confirmed as high or critical severity, moves the conversation from theoretical to operational.
The 1,726 confirmed vulnerabilities still needed external review to be validated. Given that more than 99% of the zero-days Mythos discovered were unpatched at disclosure, patching and remediation have not kept pace with what the AI is finding.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
