Anthropic's Mythos AI Bug Finder Cracks Code Like an Egg

In late March, WolfSSL’s triage engineer Anthony Hu faced a flood of bug reports—80 in one week, far more than usual. Among them was a critical vulnerability that let an attacker impersonate a legitimate user.

The report came from Nicholas Carlini, a well‑known AI researcher now at Anthropic. Carlini used Anthropic’s new model, Mythos, to spot the flaw, which had been lurking in WolfSSL’s code since 2017.

Why Mythos Matters

Mythos can scan code with minimal guidance and combine multiple bugs into complex attack chains—capabilities previously limited to senior security researchers.

  • Finds vulnerabilities in hours, not weeks.
  • Works on any codebase, from embedded devices to cloud services.
  • Triggers rapid patches; WolfSSL released a fix within hours.

Project Glasswing: A Controlled Rollout

Anthropic is limiting Mythos access to a handful of partners under Project Glasswing. The goal is to let trusted firms harden their software before bad actors can exploit the model.

U.S. officials, including Treasury Secretary Scott Bessent and Fed Chair Jerome Powell, warned financial leaders to prepare for the new threat surface.

Industry Ripple Effects

Since AI tools entered the security space, bug discovery rates have surged. WolfSSL’s updates jumped from a single fix per release to 22 patches in April, 21 of them high‑severity.

Other firms feel the pressure:

  • Plurilock now employs AI assistants for routine scans.
  • cURL maintainer Daniel Stenberg halted bounty payouts after AI‑generated reports flooded his inbox.

Not Just Anthropic

OpenAI’s April release, GPT‑5.5, matches Mythos on many cyber tasks, according to the UK AI Security Institute. The rapid rise suggests more powerful models are on the horizon.

What Experts Say

Ian L. Paterson, CEO of Plurilock, notes a 10‑to‑100× speed‑up in finding real bugs over the past six months.

Todd Ouska, WolfSSL CTO, says Mythos can stitch together attacks the way only seasoned researchers could.

Matt Holland of Field Effect warns that while AI boosts volume, it won’t invent brand‑new attack classes.

How to Respond

Developers should run AI-assisted static analysis before shipping code. Users should keep software updated: patches are the only defense against bugs that AI uncovers.

"Please, please update. Please update," says Anthony Hu, urging rapid adoption of fixes.

As AI bug finders become standard, the race will be between defenders who use tools like Mythos and attackers who try to weaponize the same insights.