Mythos uncovers 6,202 critical bugs in major open-source projects
Anthropic's Mythos security agent identified 6,202 high- or critical-severity vulnerabilities across 1,000+ open-source repositories in a one-month pilot, with independent verification confirming 90 percent of findings and a false-positive rate below human testers.

Anthropic released interim results from Mythos and Project Glasswing on May 27, revealing that the AI security agent has identified 6,202 high- or critical-severity vulnerabilities across more than 1,000 widely used open-source repositories. Partners running the tool in private codebases reported hundreds of critical bugs each, with some teams seeing a tenfold increase in detection speed. Cloudflare alone flagged 2,000 issues—400 of them high or critical—and reported fewer false positives from Mythos than from human penetration testers.
Of the 6,202 open-source findings, 1,752 have been independently verified by six third-party security firms. Ninety percent of those checks confirmed real vulnerabilities, and 62 percent (1,100 bugs) retained their original high or critical severity rating. One example: Mythos generated a working exploit against wolfSSL that would allow an attacker to forge certificates, enabling a convincing phishing site that browsers would treat as legitimate with no warning to the user.
The flood of disclosures is outpacing remediation capacity. Some project maintainers have asked Anthropic to slow the reporting rate because patching takes an average of two weeks per high-severity bug. The sheer volume—23,000 total findings when medium- and low-severity issues are included—has exposed a bottleneck in open-source security infrastructure that few anticipated would emerge this quickly.
What remains unclear is whether Anthropic will expand Mythos access beyond enterprise partnerships or keep the tool gated. The current pilot concludes in the coming weeks, and the next release should clarify how much capability will reach smaller projects that lack dedicated security teams.


