TL;DR: Anthropic’s Glasswing project found 10,000+ critical flaws across 1,000 open-source projects in a month. Only 97 have been patched.

Anthropic disclosed on Friday that Project Glasswing, its restricted cybersecurity initiative, has uncovered more than 10,000 high- or critical-severity vulnerability candidates across some of the most systemically important software in the world since the programme went live one month ago. Of those, 1,726 have been validated as true positives. 1,094 are confirmed high- or critical-severity flaws. Only 97 have been patched.

The gap between those numbers is the story. Anthropic’s Claude Mythos Preview, a frontier model with specialised capabilities for finding vulnerabilities in source code, can identify flaws at a pace that the open-source ecosystem cannot absorb. The 6,202 high- or critical-severity candidates affect more than 1,000 open-source projects. Eighty-eight advisories have been issued. The rate of discovery is orders of magnitude faster than the rate of remediation.

“The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity,” Anthropic acknowledged. The company is urging software developers to shorten patch cycles and make security fixes available as quickly as possible. Oracle has already shifted from quarterly to monthly patch releases to address the acceleration. Microsoft has warned that the number of monthly patches it expects to release will “continue trending larger for some time.”