Anthropic's Mythos just found decades-old security holes in everything you use, gave the patches to Apple and Google first, and now hackers are racing to exploit everyone who hits "remind me later."

The Summary

  • Anthropic's Mythos AI model found vulnerabilities in every major operating system and browser, including a 28-year-old flaw in security-focused OpenBSD
  • 40 major tech companies got early access to patch before public disclosure, meaning your devices are about to demand updates
  • Timing matters: patches reveal vulnerabilities to hackers who reverse-engineer them, and the U.S. is currently in active conflict with Iran
  • The lazy "remind me later" button just became a security liability in the age of AI-powered vulnerability scanning

The Signal

This is the first real glimpse of what offense-defense asymmetry looks like when AI agents enter the security game. Anthropic claims Mythos "surpasses all but the most skilled humans" at finding code vulnerabilities. That's not marketing. A 28-year-old bug in OpenBSD, an operating system literally designed for security paranoia, means Mythos is seeing things human auditors missed for three decades.

The discovery itself isn't the story. The cascade is. Anthropic gave Apple, Google, Amazon, and 37 other companies early access. That's the responsible disclosure playbook. But here's the new variable: every patch those companies push is a treasure map for adversaries.

"Patches fix the problem, but those fixes can also be reverse engineered by hackers to learn the source of the vulnerability."

How the new patch race works:

  • Company ships patch with technical details about what it fixes
  • Sophisticated actors reverse-engineer the patch to understand the original flaw
  • They scan the internet for unpatched systems and exploit the window before adoption hits critical mass
  • The window used to be weeks. Now it's hours.

The geopolitical timing sharpens the stakes. The U.S. opened "major combat operations" against Iran in late February. Iran-linked hacker groups have already hit medical equipment maker Stryker and compromised FBI Director Kash Patel's email. State-sponsored actors don't need to build Mythos themselves. They just need to watch what gets patched and move faster than the patch adoption curve.

This is the agent economy's dark mirror. Mythos proves AI can outperform human security researchers at scale. That's the promise: better, faster vulnerability detection. The peril is that the same capabilities are now table stakes. If Anthropic can build Mythos, so can others. The offensive applications are obvious. The defensive moat is how fast you patch.

The Implication

Install the updates. All of them. The second they hit your device. The old calculus where you could delay a patch for convenience just broke. In an environment where AI models are scanning code faster than humans ever could, and nation-state actors are actively looking for footholds, the gap between patch release and exploitation is collapsing to nothing.

For companies: this is a preview of the new security baseline. If you're not running automated patch management and monitoring agent-assisted vulnerability scanning, you're already behind. The era of the humans-only security team is over.

Sources

Fast Company Tech