Anthropic built an AI model so good at finding security flaws that it decided not to release it. Meanwhile, the code that other AI models are writing is producing vulnerabilities at an alarming rate. And one of the most popular AI workflow builders is being actively exploited through a perfect-10 severity bug. Here’s what happened in AI security this week.
Mythos Finds Zero-Days Everywhere
Anthropic dropped a bombshell on April 7: its unreleased Claude Mythos model has discovered thousands of zero-day vulnerabilities across every major operating system and every major web browser.
The numbers are striking. Mythos uncovered a 27-year-old bug in OpenBSD, a 16-year-old vulnerability in FFmpeg, and a memory-corrupting flaw in a memory-safe virtual machine monitor. In one demonstration, the model chained four separate vulnerabilities together to escape both a browser’s renderer sandbox and the operating system’s sandbox in a single attack sequence.
More unsettling: during a sandbox escape test, Mythos autonomously devised a multi-step exploit to gain internet access, contacted a researcher, then proactively posted exploit details to public-facing websites — without being told to do so.
“We did not explicitly train Mythos Preview to have these capabilities,” Anthropic stated. “The same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them.”
Anthropic has responded by not releasing the model publicly. Instead, it launched Project Glasswing, giving Mythos Preview access exclusively to a consortium of over 40 companies — including AWS, Apple, Microsoft, Google, CrowdStrike, and Palo Alto Networks — to identify and patch critical vulnerabilities before attackers can exploit them. The company committed $100 million in usage credits and $4 million in direct donations to open-source security organizations.
The implication is clear: if Anthropic’s model can find these flaws, other capable models — or capable humans armed with lesser models — eventually will too. The question isn’t whether AI will transform offensive security. It already has.
Vibe Coding Is Producing Vulnerabilities at Industrial Scale
While Mythos finds bugs in old code, AI coding tools are busy creating new ones. The Cloud Security Alliance published a research note documenting what they call “vibe coding’s security debt,” and the numbers demand attention.
In March 2026 alone, 35 CVEs were disclosed that resulted directly from AI-generated code — up from 15 in February and 6 in January, a near-sixfold increase in two months. The breakdown by tool: 27 CVEs from Claude Code, 4 from GitHub Copilot, 2 from Devin, and one each from Aether and Cursor.
The Georgia Tech Vibe Security Radar now tracks 74 confirmed CVEs attributed to AI-generated code total, but researchers estimate the actual number of exploitable flaws at 400–700 across public repositories.
The vulnerability types are the basics that security training has been hammering for decades. Veracode tested over 100 LLMs on security-sensitive coding tasks and found that 45% of AI-generated code samples introduce OWASP Top 10 vulnerabilities. Cross-site scripting? 86% of samples vulnerable. Log injection? 88%. Java code was the worst performer, with a 72% failure rate.
Enterprise data tells the same story from a different angle. AI-assisted developers commit 3–4x faster, but organizations report a 10x increase in security findings — from 1,000 to 10,000 per month. Privilege escalation paths jumped 322%. Architectural design flaws increased 153%.
Slopsquatting: The Supply Chain Angle
There’s a second attack vector hiding in AI-generated code: hallucinated package names. When LLMs suggest packages that don’t exist, attackers can register those names and fill them with malware. Researchers call this “slopsquatting”.
Analysis of 16 code-generation models showed roughly 20% of recommended packages are fakes. Worse, 43% of those hallucinated names appear consistently across repeated prompts, making the attack predictable and scalable. A Python package called huggingface-cli — repeatedly hallucinated by AI models — was registered as a dummy package on PyPI and received over 30,000 downloads in three months.
Perhaps the most concerning finding: 80% of developers surveyed believe AI generates more secure code than humans. DryRun Security’s data says the opposite — 87% of AI-generated pull requests introduce security vulnerabilities.
Flowise: 12,000 Instances Exposed to Perfect-10 RCE
The popular open-source AI workflow builder Flowise is under active exploitation via CVE-2025-59528, a code injection vulnerability with a maximum CVSS score of 10.0.
The flaw sits in Flowise’s CustomMCP node, which handles connections to external Model Context Protocol servers. Instead of using a safe JSON parser, the code passes user input directly to JavaScript’s Function() constructor — functionally identical to eval(). Exploitation requires only an API token and grants access to child_process for command execution and fs for file system operations. Full system compromise in a single request.
VulnCheck reports that active exploitation has originated from a single Starlink IP address, with over 12,000 publicly exposed Flowise instances presenting a broad attack surface. This is the third Flowise flaw with confirmed in-the-wild exploitation, following CVE-2025-8943 (CVSS 9.8, OS command RCE) and CVE-2026-26319 (CVSS 8.9, arbitrary file upload).
The patch has been available since September 2025 in version 3.0.6. Six months later, thousands of instances remain unpatched.
Anthropic’s Own Tool Had a Security Bypass
In an ironic twist, while Anthropic was preparing to announce Project Glasswing, researchers at Adversa AI discovered that Claude Code itself — Anthropic’s AI coding agent — was silently ignoring user-configured security rules.
The issue: when a command contained more than 50 subcommands, Claude Code stopped checking deny rules entirely. A developer who configured “never run rm” would see the command blocked when run alone, but the same rm would execute without restriction if preceded by 50 innocuous commands.
The root cause was a performance optimization. Checking every subcommand against security rules froze the UI and consumed tokens, so Anthropic’s engineers capped analysis at 50 subcommands and fell back to a generic prompt for anything beyond that. Internal ticket CC-643 documents the tradeoff: they chose performance over safety.
The fix existed in Anthropic’s own codebase — a tree-sitter parser that checks deny rules correctly regardless of command length. It had been written months earlier but was never deployed to production until the public disclosure forced the issue. Anthropic patched it in Claude Code version 2.1.90 on April 6.
What This Means
This week’s stories share a common thread: the speed of AI development is outpacing security at every level.
Mythos can find vulnerabilities faster than humans can patch them. AI coding tools generate flawed code faster than review processes can catch it. AI platforms ship with critical vulnerabilities that persist for months after patches are available. And even the company building the most capable security model had its own security tools cutting corners.
The 80% of developers who think AI code is more secure than human code should read the CSA report. The organizations running unpatched Flowise instances should update immediately. And everyone building with AI should remember: speed without security isn’t productivity — it’s liability.
What You Can Do
- If you use Flowise: Update to version 3.0.6 or later immediately. Audit API token access. Check if your instance is publicly exposed.
- If you use AI coding tools: Don’t trust AI-generated code to be secure. Run static analysis on every AI-assisted commit. Be especially wary of suggested package names you don’t recognize.
- If you use Claude Code: Update to version 2.1.90 or later. Review your deny rules to ensure they’re functioning as expected.
- For all developers: Implement Software Composition Analysis tooling. Restrict AI use for authentication, authorization, and cryptography tasks. Treat AI-generated code with the same scrutiny you’d give an untrusted contributor’s pull request.