Anthropic withheld its Mythos bug-finding model from public release due to concerns that it would enable attackers to find and exploit vulnerabilities before anyone could react.

But the company's Opus 4.6 model, already superseded by the release of Opus 4.7 on Thursday, is capable of developing functional exploit code.

In a blog post on Wednesday, Mohan Pedhapati (s1r1us), CTO of Hacktron, described how he used Opus 4.6 to create a full exploit chain targeting the V8 JavaScript engine in Chrome 138, which is bundled into current versions of Discord.

"The V8 [out of bounds error] we used was from Chrome 146, the same version Anthropic's own Claude Desktop is running," he said. "A week of back and forth, 2.3 billion tokens, $2,283 in API costs, and about ~20 hours of me unsticking it from dead ends. It popped calc."

Eventually, any script kiddie with enough patience and an API key will be able to pop shells

“Popped calc” is a reference to opening the calculator app – an event commonly used in proof-of-concept exploit code to indicate that an attack compromised the target system.

Pedhapati said that while $2,283 is a significant sum for an individual to pay, it's very little if you consider the weeks it would take a person to develop a similar exploit without assistance. Even if you added several thousand dollars for Pedhapati's time tending the model, that's still significantly less the theoretical reward (~$15,000) one might get from Google's and Discord's vulnerability reward programs. And that's just the legitimate market – who knows what criminals might pay for a hot 0-day?.

According to the Opus 4.7 System Card, "Opus 4.7 is roughly similar to Opus 4.6 in cyber capabilities." But it's apparently less capable than Mythos Preview and comes with "safeguards that automatically detect and block requests that indicate prohibited or high-risk cybersecurity uses."

But for Pedhapati, the specific model isn't the issue. Rather, it's ongoing improvements in code generation that demand a change of security posture and procedure.

• Google Chrome lacks protection against one of the most basic and common ways to track users online
• Visual Studio 18.5 lands with AI debugging at a price, devs still feeling blue
• Anthropic squeezes enterprises by ejecting bundled tokens from seat deal
• North Korea targets macOS users in latest heist

"Whether Mythos is overhyped or not doesn't matter," said Pedhapati. "The curve isn't flattening. If not Mythos, then the next version, or the one after that. Eventually, any script kiddie with enough patience and an API key will be able to pop shells on unpatched software. It's a question of when, not if."

For apps based on the Chrome-based Electron framework (e.g. Slack, Discord, etc.) the question is when will they update their codebase to the latest version, which is still behind the latest Google Chrome release.

Electron 41.2.1, released on April 15, bundles Chrome 146.0.7680.188, just one version behind the desktop Google Chrome version (147.0.7727.101/102) released that day. But developers of Electron apps don't necessarily update their dependencies and issue new versions immediately. And users don't necessarily get those updates immediately.

Pedhapati said he picked Discord as a target because "It's sitting on Chrome 138, nine major versions behind current."

Pedhapati argues that as AI models become more capable of exploit development, the patch window gets smaller.

"Every patch is basically an exploit hint," he argues, adding that this will be particularly difficult for open source projects, because fixes often become publicly visible in code before the revised version gets released.

His advice to developers is to focus more on security before code gets pushed and to pay closer attention to dependencies, so changes can be made quickly. He also argues that security patches should be done automatically, so people aren't left vulnerable because they forgot to accept an update. And he says open source projects like V8 use more caution in terms of when the public vulnerability details.

"Every public commit is a starting gun for anyone with an API key and strong team members who can weaponize exploits," he said. ®