The AI That Found a 27-Year-Old Bug Overnight — Why Claude Mythos Has the World on Edge

The AI That Hunted Software Vulnerabilities Overnight — What Is Claude Mythos?

In April 2026, Anthropic's newly announced AI model, Claude Mythos, sent shockwaves through the global security community. It accomplished in a single night what would take a security professional several weeks. According to reports, an engineer with no security training simply asked Mythos to "find vulnerabilities" — and by the next morning, a fully functional exploit had been written.

What really turned heads was Mythos discovering a bug in the OpenBSD operating system that had gone undetected for 27 years. It also unearthed a 16-year-old flaw in FFmpeg, a widely used video processing library. In professional security competitions (CTFs), it solved expert-level challenges at a 73% success rate — a benchmark no AI had ever reached before April 2025.

Too Dangerous to Release — Project Glasswing

Anthropic has decided not to make Mythos publicly available. The reason is straightforward: it's simply too dangerous in the wrong hands. Consider that over 99% of known software vulnerabilities worldwide remain unpatched — now imagine an AI that can automatically find them and generate working exploits being freely accessible to anyone.

Instead, Anthropic runs a selective access program called Project Glasswing. Only a few dozen critical organizations — including Amazon, Apple, Google, Microsoft, CrowdStrike, and JPMorgan Chase — have access to a restricted version called Mythos Preview. These organizations are permitted to use it strictly for defensive purposes: finding vulnerabilities first so they can be patched. Anthropic has also established a separate $4 million security support fund for open-source maintainers.

South Korea and New Zealand: Two Countries, Two Approaches

South Korea's Response: South Korea's Ministry of Science and ICT held four emergency meetings within just two days of the Mythos announcement. Chief Information Security Officers from more than 40 major organizations — including Naver, Kakao, Coupang, SK Hynix, and Shinhan Bank — were summoned. The three major telecoms (SK Telecom, KT, and LG Uplus) have bolstered their AI-based intrusion detection systems. A growing concern in the industry is that "even someone with no hacking knowledge could now generate nation-state-level exploit code."

New Zealand's Situation: New Zealand's Government Communications Security Bureau (GCSB) has already published its "2026–2030 Cybersecurity Strategy," formally acknowledging the threat of AI-powered attacks. The GCSB assessed New Zealand's cybersecurity maturity as "highly uneven," and the National Cyber Security Centre (NCSC) is tightening policies to mandate minimum security standards for public sector agencies. Security firms on the ground share a common warning: with AI automating phishing and malware creation, even small and medium-sized businesses in New Zealand are now facing very real threats.

Key Takeaways

• Claude Mythos is an AI released by Anthropic in April 2026, capable of automatically discovering decades-old software vulnerabilities
• Due to its high risk potential, it has not been publicly released and is only available to select organizations through Project Glasswing
• The South Korean government responded swiftly with emergency meetings and security audits of major enterprises
• New Zealand is proactively addressing AI threats through its 2026–2030 Cybersecurity Strategy
• For everyday users, keeping software updated, using strong passwords, and enabling two-factor authentication have never been more important

Final Thoughts

Claude Mythos is a landmark example of just how rapidly AI technology is advancing. There's no such thing as perfect security — but simply updating your software today and turning on two-factor authentication can go a long way toward keeping your digital life significantly safer.