InsidersFeed

Anthropic

AI found 23,000 software bugs. The humans can't keep up.

The impressive number is the find rate. The scary number is the fix rate.

The InsidersFeed Desk | Verified May 2026

Claude Mythos found 6,202 critical bugs across 1,000 open-source projects, 90.6% validated.

The numbers: 1,000 open-source projects scanned, 6,202 high/critical vulnerabilities found (of 23,019 total), 90.6% validated as real by six outside firms. Restricted to ~50 partners (AWS, Apple, Google, NVIDIA, JPMorgan), whose own bug-finding reportedly jumped more than tenfold. As capability demos go, this one's hard to wave away.

The part that should worry you

Anthropic basically admitted it: finding bugs is now cheap, fixing them is not. A lot of critical open-source software is maintained by a handful of unpaid volunteers. Point an automated vulnerability-finder at it and you get thousands of real flaws — and a patching queue no volunteer can clear. Now imagine the same tool, unrestricted, in offensive hands.

So file this under 'capability shift, confirmed' — and under 'the bottleneck moved'. For a decade the hard part of security was finding the holes. Mythos says that era is ending. The new hard part is the boring, human, under-funded work of closing them before someone else walks through.
