Mythos Detected 23,000 Vulnerabilities Across 1,000 OSS Projects
(Tuesday May 26, 2026 @05:00PM, posted by BeauHD, from the hide-and-seek dept.)
- Reference: 0183423362
- News link: https://news.slashdot.org/story/26/05/26/2026259/mythos-detected-23000-vulnerabilities-across-1000-oss-projects
[1]wiredmikey shares a report from SecurityWeek:
> Anthropic says its Claude Mythos model [2]discovered thousands of severe vulnerabilities across more than 1,000 open source software (OSS) projects. According to the AI giant, Mythos Preview has [3]identified more than 23,000 potential vulnerabilities. Of these, 1,900 have been reviewed by external security firms, and 1,726 have been confirmed, including over 1,000 rated "high" or "critical" severity.
>
> The findings are still being reviewed, and Anthropic estimates that nearly 3,900 critical and high-severity vulnerabilities will be confirmed based only on current findings. As the scans are ongoing, the company believes the number of severe vulnerabilities may reach 6,200. Anthropic says more than 1,100 unverified findings have been reported to vendors, and 75 issues with a critical or high severity rating have been patched. Vendors have published 65 security advisories.
"The number of patches is still relatively low for three reasons. First, we're still early in the 90-day window that's set out in our Coordinated Vulnerability Disclosure policy: we expect many more patches to land soon," the AI company explained.
"Second, we are likely to be undercounting patches because some vulnerabilities are patched without a public advisory: in those cases, we're reliant on scanning for the patches ourselves using Claude. Third, the low volume of patches reflects a genuine problem: even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem," it added.
[1] https://slashdot.org/~wiredmikey
[2] https://www.securityweek.com/anthropic-mythos-detected-23000-potential-vulnerabilities-across-1000-oss-projects/
[3] https://www.anthropic.com/research/glasswing-initial-update
90 days (Score:2)
by Tomahawk ( 1343 )
Here's 23,000 vulnerabilities that we found, and we're giving you 90 days to fix them.
And....go!
---
Yes, it's an average of 23 per project. But still.
Death of security (Score:3)
by Petersko ( 564140 )
When the pace of bug discovery overwhelms the capacity to patch, and the discovery tools are available to... well, everybody... doing any business online is fraught with peril. You can't even triage trust by the integrity of the company. You might trust that "Valerie's Dog Treats" is legit, but their payment dependency might be using compromised packages.
How in hell are we going to hold this thing together?
Caveat... (Score:1)
> already-overloaded security ecosystem
This is true, but in part because a lot of 'security' reports are pretty bogus: even if they get CVEs and 'security researchers' call them vulnerabilities, others may be inclined to roll their eyes. For example, the curl project had a write-up:
[1]https://daniel.haxx.se/blog/20... [daniel.haxx.se]
So LLM findings I anticipate to be similar, but just a firehose of stuff to dig through to separate the real findings from the innocuous ones.
We likely will never have a grip on that, as it's generally easiest to patch the report and no
[1] https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/