Reports and commentary have intensified around claims that advanced AI systems can now discover software flaws and, in some cases, produce working exploits for them. A widely discussed account about Anthropic’s reported system, Mythos, said access had been limited to about 40 organizations in critical infrastructure so they could identify and remediate vulnerabilities before the capability spreads more broadly. Security contacts cited in the reporting said the tool was finding a notable number of high-quality bugs, while skeptics cautioned that some of the claims may be overstated.
The debate has focused less on automated bug hunting alone than on the more consequential assertion that AI can bridge the gap from vulnerability discovery to exploit development, including alleged zero-day exploitation against major operating systems and browsers. Separate commentary described the development as a potential “AlphaGo moment” for vulnerability research, arguing that once such capability is demonstrated, containment becomes difficult because model replication, distillation, and parallel advances elsewhere could quickly erode any initial controls. The prospect has sharpened concerns for CISOs that defenders may face a dangerous period in which elite organizations gain access to powerful AI-assisted security tooling while critical infrastructure and legacy environments remain slow to patch, harden, or replace.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
A May 2026 analysis cited recent UK AI Safety Institute evaluations claiming Anthropic's Claude Mythos Preview was the first model to complete the 32-step 'The Last Ones' corporate network attack simulation end to end. The same reporting said OpenAI's GPT-5.5 also showed strong expert-task performance with partial end-to-end success, framing this as a threshold crossing in offensive AI cyber capability.
Hacktron CTO Mohan Pedhapati said he used Anthropic's Opus 4.6 model to develop a full exploit chain against Chrome 138's V8 engine after about a week of iteration, roughly 20 hours of manual guidance, and 2.3 billion tokens costing about $2,283. The report highlighted potential downstream exposure for Electron-based apps such as Discord and Slack that may lag behind current Chromium/V8 releases.
Subsequent analysis characterized the reported Mythos capability as an 'AlphaGo moment' for vulnerability research, highlighting the broader significance of AI-driven vulnerability discovery and exploitation claims.
The reporting describes claims that Mythos can discover a surprising number of high-quality software vulnerabilities and, more significantly, generate working exploits, including for alleged zero-day vulnerabilities in major operating systems and web browsers.
According to the referenced reporting, Anthropic restricted access to its reported AI system, Mythos, to 40 organizations it considers part of critical infrastructure so they could identify and remediate vulnerabilities before broader release or leakage of the capability.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
11 references tracked. Mallory keeps watching after this page renders.
voidsec.com
Open sourcethecyberthrone.in
Open sourcescworld.com
Open sourceresilientcyber.io
Open sourcetrustedsec.com
Open sourcevincenzoiozzo.com
Open sourcevulnu.com
Open sourcelabs.cloudsecurityalliance.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.