Anthropic's Project Glasswing finds 10,000+ critical bugs in core software
Anthropic’s Project Glasswing, launched a month ago with roughly 50 partners, has used the unreleased Claude Mythos Preview model to surface more than 10,000 high- or critical-severity vulnerabilities in software that underpins the internet and critical infrastructure. Cloudflare alone flagged 2,000 bugs with a false-positive rate it considers better than human testers, Mozilla patched 271 issues in Firefox 150 (ten times the prior release), and the UK AI Security Institute reports Mythos is the first model to solve both of its multistep cyber ranges end-to-end. Vendors including Microsoft, Oracle, and Palo Alto Networks are shipping noticeably larger patch batches as a result.
A separate scan of 1,000+ open-source projects yielded 6,202 issues initially rated high or critical. Of the 1,752 triaged so far by independent firms, 90.6% were valid and 62.4% confirmed as high/critical — including a now-patched wolfSSL flaw (CVE-2026-5194) that allowed certificate forgery for impersonating banks or email providers. Anthropic is withholding details under standard 90-day disclosure windows.
The takeaway is a structural shift: discovery is no longer the bottleneck in software security — human triage, maintainer capacity, and patch deployment are. Some open-source maintainers, already drowning in low-quality AI-generated reports, have asked Anthropic to slow its disclosures. The economics of offensive vs. defensive security are visibly changing, and Anthropic is using these results to shape how future Mythos-class models are released.
This is an AI-generated summary.