AI hackers shake up cyber-security

Source: economist.com

TL;DR

The story at a glance

Anthropic announced on April 7th, 2026, that its new AI model Mythos would not be released publicly because it excels at finding and exploiting security holes in software, surpassing most humans. The firm is restricting access via Project Glasswing to 12 founders including Apple, Google, and Nvidia, plus 40 more infrastructure firms. This follows recent advances in AI bug detection, prompted by worries over risks to digital systems.

Details and context

Zero-day bugs, unknown before discovery, hide in much software because exhaustive human checks are impossible. Jeff Williams of Contrast Security notes that they lurk everywhere; what makes Mythos novel is that it finds new ones rather than just repeating bugs from its training data.

AI bug reports were once full of false positives or trivia, but Bruce Schneier observes a recent shift to good quality. Still, the race matters: can fixes outpace exploits? Project Glasswing gives select firms early access to patch internet-critical code before broad AI proliferation.

Unmaintained code in routers, TVs, fridges, and machines poses risks, since attackers could exploit it freely. Researchers expect defenders to win in the long term through pre-publication scans, but foresee short-term chaos as capabilities spread.

Why it matters

AI models like Mythos expose flaws across operating systems, browsers, and crypto software, threatening e-commerce, finance, and infrastructure if misused. Businesses face higher patching urgency, while consumers and investors see risks in unpatched devices like routers or IoT gadgets. Watch Project Glasswing patches, AI exploit speed versus fixes, and public model releases with caution.