Anthropic's Mythos is an AI-driven tool designed to identify software vulnerabilities. Initially accessible to roughly 50 organizations, it has now been expanded to approximately 150 additional partners, including entities in critical infrastructure sectors and major technology vendors. Mythos has discovered over 23,000 potential vulnerabilities, with an estimated 6,000 severe issues. Despite the large number of findings, only 75 critical and high-severity vulnerabilities have been patched so far. Anthropic is working with partners to scale up vulnerability verification and patching efforts and to improve vulnerability disclosure processes. The expansion reflects an effort to secure critical software ecosystems but does not indicate an active exploitation campaign.

The impact involves the identification of a significant number of potential vulnerabilities in software used by critical infrastructure and widely relied-upon codebases. While these findings could lead to improved security through remediation, the large volume of unpatched vulnerabilities presents a risk if adversaries discover and exploit them before fixes are applied. There is no evidence of known exploits in the wild related to these findings. The potential impact of successful attacks on these systems could be substantial, affecting millions of users and carrying national and global security implications.

No direct mitigation actions are required by organizations beyond participating in or monitoring the Mythos program. Anthropic and its partners are actively working to verify and patch identified vulnerabilities. Organizations with access to Mythos should prioritize reviewing and remediating reported vulnerabilities. Others should stay informed on disclosures and patches from affected vendors. Patch status is not yet confirmed for most vulnerabilities; check vendor advisories for updates. Anthropic is also collaborating to improve vulnerability disclosure and patching workflows to accelerate remediation.