Hacker News

New serious vulnerabilities spiked around release of Claude Mythos Preview

149 points, by cubefox, yesterday at 9:16 PM, 71 comments

Comments

denverllc, today at 12:16 PM

One of the major differences between Amodei's and Hegseth's views is that Hegseth said that in their world they don't distinguish between "defensive" and "offensive" capabilities.

In other words, a missile defense system is equivalent to an attack one.

I think that applying this thinking to software is a mistake. A lot of commercial software uses open source libraries under the hood, and while the large corporations might have access to Mythos/Fable/gpt 5.6, the open source library maintainers typically don't. That leaves them vulnerable to foreign adversaries who do have access to AI models. Attackers don't need Mythos-level capability then, they just need to outperform whatever the maintainers are using.

Which means that Anthropic's decision to restrict security research on even Sonnet makes that gap (and thus an attacker's opportunity) even larger.

I say this as a coder who wants to release some of my internal libraries to open source. The risk now is that I open up my own products (which use those libraries) to vulnerability scanners while not having those kinds of detection methods myself. Thus, it's safer to not release and keep internal than to risk increasing my own attack risk.

Hopefully we will come to see that software is not equivalent to missile defense — writing safe code is different than attacking others'.

rurban, today at 6:06 AM

I do maintain dozens of C/C++/Perl projects. I got massive amounts of new good vulnerability reports, more than with the latest fuzzing waves. Fuzzing is still the majority overall, but Opus dominates now. Haven't got any Mythos/Fable vuln yet. And with the help of Sonnet/DeepSeek I can finally get around and weed out all the still existing fuzzing bugs. It has nothing to do with Mythos for me, just people getting Anthropic Max accounts.

And CVEs: People actually do that now, which before they didn't. GitHub allowing it now certainly does help massively. This is a good thing.

cperciva, today at 3:11 AM

This is hardly news? We've known for months that a flood of AI-assisted vulnerabilities was coming; I posted on Twitter in March calling 2026 the year of a million CVEs: https://x.com/i/status/2035045573116789002

hoppp, yesterday at 10:59 PM

How are these reports verified to be valid? If there are too many some could be hallucinations too.

solenoid0937, yesterday at 10:51 PM

I predict once the responsible disclosure period is up we will see a lot more.

Aaron_NW, today at 4:14 PM

Maybe a bit of both Mythos helping find bugs and engineers relying on AI shipping more bugs. Both can be true.

simonreiff, today at 4:53 AM

So basically there are two plausible explanations:

1. Someone with early access to Mythos leaked it to the bad guys.

2. Cybercriminals are getting enough mileage out of alternatives to Mythos to create exploits far more quickly, even though they don't have access to Mythos.

My own guess is that it's a combination of #2 plus vibe-coding degrading software quality at multiple layers, opening the door to sophisticated exploits, but I have no insider access to Mythos so am just guessing. Maybe someone with Mythos access might say why they think this vulnerability spike happened when it did.

high_byte, today at 11:36 AM

Those spikes in March and June? War with Iran. Interesting...

Robdel12, today at 2:52 AM

…are we really drawing conclusions on this starting at April? When it was released in June?

eternauta3k, today at 4:42 AM

Can we learn something from these vulnerabilities? New categories of attacks and corresponding protections?

cmxch, today at 1:44 PM

How many are valid and reproducible ones and how many are just mythical unicorns?

nullbio, today at 11:39 AM

Do you know what else spiked? Vulnerability patches.

It's almost like... Finding bugs is a good thing.

6d7770, today at 6:03 AM

This is good. Poor quality software gets outed and maybe fixed.

comradesmith, today at 12:02 AM

Good

black_13, today at 1:48 AM

[dead]

general_reveal, today at 4:51 AM

So, another victory for the LLM. We were told by project maintainers that AI generated pull requests for vulnerabilities would be blocked. Looks like humans take another L. We have to get out of the way.

IAmGraydon, today at 2:19 AM

Is this because LLMs are better at finding vulnerabilities or because increased use of LLMs for coding is creating more vulnerabilities?
