What happened
Anthropic's May 22 Project Glasswing update (covered in depth by The Register on May 25) disclosed that ~50 partners used Claude Mythos Preview to find more than 10,000 high/critical-severity vulnerabilities in one month, and that Anthropic's own open-source scan of 1,000+ projects produced 6,202 high/critical candidates; of the samples from that set that were independently reviewed, 90.6% were confirmed true positives. Critically, Anthropic shifted its public stance from 'we will not release Mythos' to 'in the near future, once we've developed far stronger safeguards, we look forward to making Mythos-class models available through a general release,' signalling expansion to US and allied government partners as the next step.
Why it matters
This is a dual-sided risk signal: the same capability that lets Cloudflare find 2,000 bugs and Mozilla patch 271 Firefox flaws will eventually be accessible to adversaries, compressing time-to-exploitation toward zero. The security bottleneck has structurally shifted from vulnerability discovery to patch throughput — organisations whose patch cycles run 30–90 days face a growing window of exposure as AI-found flaws accumulate faster than they can be fixed.
Applicability
All organisations running open-source software dependencies, critical infrastructure operators, and financial institutions should immediately review patch-cycle SLAs and invest in automated patch-testing pipelines. Consulting teams should use Glasswing's published CVD dashboard to check whether their clients' key dependencies are among Anthropic's 1,000+ scanned projects.