Project Glasswing by Anthropic
Anthropic, the American artificial intelligence (AI) company behind the Claude assistant, has built an AI model so sharp at reading software code that it found security flaws that had been hiding in major operating systems and web browsers for over two decades — flaws that the best human experts and automated tools had missed. The model is called Claude Mythos Preview, and Anthropic has no plans to release it to the public.
Instead, it has pulled together Amazon, Apple, Google, Microsoft, NVIDIA, Cisco, CrowdStrike, JPMorganChase and others into a coalition called Project Glasswing to use Mythos defensively, hunting down and fixing vulnerabilities before attackers find them. Anthropic is backing this with USD 100 million in credits and USD 4 million in donations to open-source security bodies.
Mythos found a 27-year-old bug in OpenBSD, an operating system considered unbreakable. It found a 16-year-old flaw in FFmpeg, the video software used by almost every streaming app on your phone, in a line of code that automated scanners had tested 50 lakh times without catching it. It chained together multiple Linux kernel flaws to show how an attacker could seize full control of a server. It did most of this without human guidance.
Every UPI transaction you make, every Aadhaar verification at a ration shop, every IRCTC tatkal booking, every medical record stored at a government hospital — all of it runs on layers of the same open-source software that Mythos is now scanning. Linux powers your Android phone and bank servers. A serious vulnerability in any of these systems is not some faraway American problem. It is our problem.
The same capability that makes Mythos brilliant at defence makes it equally dangerous for attack. If freely available, ransomware gangs, state-backed hackers and freelance criminals would have a tool that finds exploitable flaws faster than any human. Cybercrime already costs the world an estimated USD 500 billion a year.
Whether Anthropic’s intentions are noble or not, the fact that this capability exists at all changes the game permanently.
Mythos is locked away today. But AI capability spreads fast. Open-source models have been closing the gap with proprietary ones for years. When an open-source model reaches this level, anyone with a laptop will have it.
Picture what that means for India. A coordinated attack on UPI could freeze digital payments for crores of people. An exploit targeting Jio or Airtel’s network software could knock out communications across states. Probing of Aadhaar databases could enable identity theft at scale.
India has three main bodies responsible for cybersecurity. CERT-In (the Indian Computer Emergency Response Team) handles incident response and issues advisories when threats are detected. The National Critical Information Infrastructure Protection Centre (NCIIPC) is meant to protect systems in sectors like power, banking and telecom. And the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI) and Telecom Regulatory Authority of India (TRAI) set cybersecurity rules for their respective industries: banking, markets and telecommunications.
The problem is that these bodies largely operate in a reactive mode. CERT-In issues advisories after vulnerabilities are reported. Banks and telecom companies run periodic security audits, often once a year, sometimes once a quarter.
India’s regulators and defenders need access to AI-powered security tools of the same calibre as Mythos. The National Payments Corporation of India (NPCI), which runs the UPI backbone processing billions of transactions, should be running continuous AI-assisted vulnerability scans, not waiting for annual audits. The same applies to Bharat Sanchar Nigam Limited (BSNL), power grid operators and every government department handling citizen data.
While governments and corporations sort out the big picture, you are not helpless. Keep your phone’s OS and every app updated. Those updates you keep ignoring often contain patches for exactly the kind of vulnerabilities discussed above. Do it today.
Be very careful with messages you receive on WhatsApp, SMS or email. Spoofing attacks are getting sharper. A message that looks like it is from your bank or a government portal may be fake. Do not click links in unexpected messages. Do not share OTPs with anyone, no matter how convincing the caller sounds.
Use strong, unique passwords. Turn on two-factor authentication for your bank apps, email and UPI. These are not optional habits anymore. In the world that is coming, where AI can find and exploit system weaknesses at machine speed, your personal vigilance is your first and last line of defence.
Pay attention.
This post was last modified on April 9, 2026 2:21 pm