{"id":8271,"date":"2026-05-26T12:33:27","date_gmt":"2026-05-26T12:33:27","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8271"},"modified":"2026-05-26T12:33:27","modified_gmt":"2026-05-26T12:33:27","slug":"anthropics-claude-mythos-flags-23k-potential-open-source-security-flaws","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8271","title":{"rendered":"Anthropic\u2019s Claude Mythos Flags 23K Potential Open-Source Security Flaws"},"content":{"rendered":"<p>Anthropic\u2019s latest Project Glasswing update carries a warning for the software world.<\/p>\n<p>Claude Mythos Preview flagged 23,019 potential vulnerabilities in open-source projects, with 6,202 estimated as high- or critical-severity. Anthropic said the volume of AI-found flaws is turning verification, disclosure, and patching into the new bottleneck.<\/p>\n<p>AI-powered vulnerability hunting could soon test whether defenders can move as quickly as the models scanning their code.<\/p>\n<h2 class=\"wp-block-heading\">Many of the AI-found bugs held up<\/h2>\n<p>The <a href=\"https:\/\/www.eweek.com\/artificial-intelligence\/ai-model-types\/\">AI model<\/a>\u2019s open-source scan covered more than 1,000 projects. 
A subset went through additional checks by independent security firms or <a href=\"https:\/\/www.eweek.com\/news\/google-gemini-antigravity-coding-ai-enterprise\/\">Anthropic<\/a> itself, and the early validation numbers were substantial:<\/p>\n<p><strong>1,752:<\/strong> High- or critical-rated findings reviewed by outside security firms or internal researchers.<\/p>\n<p><strong>90.6%:<\/strong> Reviewed findings judged to be valid true positives.<\/p>\n<p><strong>62.4%:<\/strong> Reviewed findings confirmed as high- or critical-severity.<\/p>\n<p><strong>Nearly 3,900:<\/strong> Projected high- or critical-severity open-source <a href=\"https:\/\/www.eweek.com\/news\/langchain-ai-vulnerability-exposes-apps-to-hack\/\">vulnerabilities<\/a> if current post-triage rates hold.<\/p>\n<p>One example came from wolfSSL, an open-source cryptography library used in billions of devices. <a href=\"https:\/\/www.eweek.com\/news\/anthropic-mythos-unauthorized-access-investigation\/\">Mythos<\/a> Preview found a now-patched flaw that could have allowed an attacker to forge certificates, potentially making a fake banking or email site appear legitimate to an end user.<\/p>\n<p>Discovery itself is becoming the easier part. \u201cFinding them in the first place has become vastly more straightforward with Mythos Preview,\u201d the <a href=\"https:\/\/www.anthropic.com\/research\/glasswing-initial-update\" target=\"_blank\" rel=\"noopener\">AI company said<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Patching could not keep up<\/h2>\n<p>Coordinated disclosure is intended to give software teams time to verify flaws, prepare fixes, and allow users to update before details become public. Mythos Preview is testing how well that process works when findings arrive in bulk.<\/p>\n<p>Each report still needs human review. Researchers have to reproduce the issue, rate its severity, check whether a fix already exists, and give maintainers enough detail to repair the code safely. 
Some maintainers asked Anthropic to slow the pace of disclosures because they needed more time to respond.<\/p>\n<p>Anthropic said it has disclosed 530 high- or critical-severity bugs to maintainers so far, but only 75 have been patched. On average, a bug at that severity level takes about two weeks to fix.<\/p>\n<p>The low patch count partly reflects the early stage of the standard 90-day disclosure window, and some fixes may not yet be visible because not every patch gets a public advisory.<\/p>\n<h2 class=\"wp-block-heading\">Public release is still off the table<\/h2>\n<p>Anthropic has <a href=\"https:\/\/www.eweek.com\/news\/software-bugs-firefox-claude-mythos-neuron\/\">kept Mythos-class models out of general release<\/a> while using the technology with <a href=\"https:\/\/www.eweek.com\/news\/anthropic-project-glasswing-ai-cybersecurity\/\">Project Glasswing<\/a> partners. Models as capable as Mythos Preview will soon be developed by many AI companies, the Claude-maker warned, making access controls and safeguards more urgent.<\/p>\n<p>Access remains limited because safeguards have not kept pace with capabilities. \u201cNo company \u2014 including Anthropic \u2014 has developed safeguards strong enough to prevent such models from being misused,\u201d the company said.<\/p>\n<p>Near-term access is moving through Project Glasswing instead. 
The program will expand to more critical partners, including the US and allied governments, while qualifying security teams get defensive tools such as Claude Security, scanning workflows, a codebase-mapping harness, and a threat model builder.<\/p>\n<p>The post <a href=\"https:\/\/www.eweek.com\/news\/claude-mythos-vulnerabilities-may-2026\/\">Anthropic\u2019s Claude Mythos Flags 23K Potential Open-Source Security Flaws<\/a> appeared first on <a href=\"https:\/\/www.eweek.com\/\">eWEEK<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Anthropic\u2019s latest Project Glasswing update carries a warning for the software world. Claude Mythos Preview flagged 23,019 potential vulnerabilities in open-source projects, with 6,202 estimated as high- or critical-severity. Anthropic said the volume of AI-found flaws is turning verification, disclosure, and patching into the new bottleneck. 
AI-powered vulnerability hunting could soon test whether defenders can [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-8271","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8271"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8271"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8271\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}