Anthropic’s unreleased Claude Mythos has uncovered long-hidden flaws in critical open-source infrastructure, prompting a $100 million industry patch coalition and triggering cybersecurity reviews across India’s government and IT sectors.
Anthropic’s unreleased Claude Mythos has uncovered decade-old vulnerabilities in critical open-source software including the Linux kernel, OpenBSD, and FFmpeg, setting off a global defensive patch race before the model’s public debut.
The discoveries sit at the centre of Project Glasswing, Anthropic’s $100 million coalition with 40 companies, open-source maintainers, and the Linux Foundation to scan large codebases, patch hidden flaws, and secure digital infrastructure before malicious actors gain access to similar AI-grade tools.
The development has drawn close attention in India, where MeitY officials and CERT-In are assessing the implications for legacy government systems, national digital infrastructure, and cyber resilience against state-backed threats. Srinivas Padmanabhuni, Chief Technology Officer at AiEnsured, warned: “Government systems like Aadhaar and GST run on older codebases.” He added, “These are exactly the kinds of systems where Mythos has already demonstrated the ability to find vulnerabilities that stayed hidden for decades.”
The risk extends beyond software into SaaS, deep-tech products, bespoke enterprise code, SCADA, IoT, utilities, and manufacturing systems. Vinayak Godse, CEO of the Data Security Council of India, cautioned: “It’s an entire tsunami coming in,” underscoring the potential exposure of physical and digital infrastructure alike.
For Indian firms, the bigger dilemma is strategic: whether to allow a U.S.-built LLM to audit indigenous and open-source-dependent stacks or risk falling behind in vulnerability hardening. The outcome could reshape software assurance, secure SDLC practices, bug bounty ecosystems, and the broader debate around digital sovereignty and open-source trust.
