Author Topic: Anthropic’s Mythos found security vulnerabilities in curl  (Read 242 times)

Offline golden_labels (Topic starter)

  • Super Contributor
  • Posts: 2300
  • Country: pl
Mythos found five vulnerabilities. Out of them:
  • 3 were not there.
  • 1 was not relevant to security.
  • 1 is of low severity.
The world is shattered. /s

Source: Daniel Stenberg, “Mythos finds a curl vulnerability” (2026-05-11)

Note that Anthropic didn’t call Stenberg back after he applied for access they offered. That does sound bad: it raises a suspicion of biasing the test sample to support the claim.
Why 📎 | We live in times when half of people have IQ below 100.
 

Offline SiliconWizard

  • Super Contributor
  • Posts: 17527
  • Country: fr
Re: Anthropic’s Mythos found security vulnerabilities in curl
« Reply #1 on: May 13, 2026, 03:56:20 pm »
The name is very well chosen: Mythos => mythomaniac.

That's currently one trend that I find even more concerning than LLM-generated code: false positives using those tools as code analyzers, and people trusting them. I see it as a real problem already, because projects/organizations that use those tools will increasingly make it harder for real engineers to ignore them. They may even eventually get fired for doing so.

Yes, the world is shattered.


 

Offline Siwastaja

  • Super Contributor
  • Posts: 10885
  • Country: fi
Re: Anthropic’s Mythos found security vulnerabilities in curl
« Reply #2 on: May 13, 2026, 04:03:05 pm »
> That's currently one trend that I find even more concerning than LLM-generated code: false positives using those tools as code analyzers, and people trusting them. I see it as a real problem already, because projects/organizations that use those tools will increasingly make it harder for real engineers to ignore them. They may even eventually get fired for doing so.
>
> Yes, the world is shattered.

Funny that you didn't read the article. You may also want to not read https://daniel.haxx.se/blog/2026/04/22/high-quality-chaos/ . Same observation Greg KH made, which you also won't want to read. Same observation everywhere: sudden huge increase in AI bug report quality, huge drop in false positives, "slop" almost gone within a few months. That's really interesting and significant, but maybe not for you.
« Last Edit: May 13, 2026, 04:05:42 pm by Siwastaja »
 
The following users thanked this post: wraper, golden_labels

Offline golden_labels (Topic starter)

  • Super Contributor
  • Posts: 2300
  • Country: pl
Re: Anthropic’s Mythos found security vulnerabilities in curl
« Reply #3 on: May 13, 2026, 04:37:39 pm »
My original post refers to how Anthropic advertised Mythos. It’s “too dangerous to be available to the general public,” yet an independent analysis shows it doesn’t fare better than existing models. Together with the questionable practice of not giving Stenberg access after it had initially been offered to him. Of course this is just a single example. It may be an outlier. But if one avoids transparency, opinions are formed from such scraps.

It is not about just any LLM’s usability for finding vulnerabilities.

 

Offline Siwastaja

  • Super Contributor
  • Posts: 10885
  • Country: fi
Re: Anthropic’s Mythos found security vulnerabilities in curl
« Reply #4 on: May 13, 2026, 06:49:13 pm »
> My original post refers to how Anthropic advertised Mythos. It’s “too dangerous to be available to the general public,”

To me it totally looks like a desperate publicity stunt, due to this thing called "competition".

If it's too good to be true, then it probably isn't. "Mythos", like newer models in general, is probably just a small but not insignificant step forward, but that's about it. (It could be a total flop as well, but that's unlikely, too.)

They might feel sorry they didn't come up with this stunt before. I mean, the big shift Greg KH and others saw in early 2026 is exactly because AI models and tooling got better; not just at Anthropic but others as well. They could as well have played the same card with Opus 4.5, or Google or OpenAI could have played this card. At any point in time during the last year. None of the models got like 100x better overnight, but at some point small gradual improvements hit the point where the consequences become visible, of course enabling "dangerous use" too.

The downside of this stunt is that now expectations are so high, that actual performance will be underwhelming even if it was a significant step forward. They are probably counting on the fact that their paying customers (and sensible developers) saw through their marketing and understand what to really expect, while politicians, tech bloggers and other unnecessary oxygen users who generated good lift for them already forgot about it and moved to the next big thing. This might end up being a good marketing strategy after all. It's a trick I don't like, but this is how the world of marketing unfortunately works.
« Last Edit: May 13, 2026, 06:51:19 pm by Siwastaja »
 