Mythos pulls zero-days forward. Here's what you need to know now.
A remote crash bug landed in OpenBSD in 1998. It stayed there, lurking in a system famous for its security hardening, surviving decades of human review and millions of automated tests. According to Anthropic’s red team report on Mythos Preview, the model found the bug, confirmed it, and wrote a working exploit — with no human in the loop. The whole run cost under $50.
Mythos is the zero-day-finding, zero-day-exploiting AI that Anthropic unveiled on April 8, 2026, alongside a consortium of about 50 companies that received early access through a defensive initiative called Project Glasswing. Mythos has already found thousands of high-severity vulnerabilities across every major operating system and web browser. Besides the 27-year-old OpenBSD bug, Mythos also found a 16-year-old flaw in FFmpeg, several privilege-escalation bugs in the Linux kernel, and a Firefox attack chaining four vulnerabilities to escape multiple sandbox layers.
So we know Mythos is scary. But how, exactly, should we think about it? Anthropic’s framing is simple: Mythos pulls zero-days forward in time, out of the usual disclosure and CVE process, and onto our doorstep. Mythos is a time machine for exploits — it pulls tomorrow’s zero-days into today before the disclosure process ever starts.
Is Mythos already here?
The usual security timelines were already getting shaky before Mythos showed up. Mandiant’s 2026 M-Trends report finds 28.3% of CVEs exploited within 24 hours of disclosure. Average time-to-exploit has fallen from 700 days in 2020 to 44 days in 2025, and a significant number of CVEs are already exploited before formal disclosure. Before we even heard of Mythos, the 90-day disclosure window was already, according to Mandiant, “totally useless.”
Even before Mythos, AI was quickly reshaping the attack landscape. AI-assisted attacks rose sharply across nearly every category of cybercrime last year — malicious packages on public registries alone were up 75% — and the attacks themselves have become more sophisticated. AISLE has shown that publicly available frontier models can, with time and resources, produce results comparable to those revealed in previews of Mythos.
Mythos makes this official. If a model can find and weaponize a vulnerability on its own, the working exploit arrives before the CVE does. Timelines are no longer compressed: they simply do not exist.
Be fast
If the exploit arrives before the CVE does, so should the patch. For most of the industry, that is absurd on its face. Edgescan’s 2025 Vulnerability Statistics Report finds the average time-to-remediate a high- or critical-severity CVE is 74 days, and at large enterprises, 45% of vulnerabilities never get fixed at all.
Chainguard OS breaks these slow timelines. When a maintainer cuts a commit in one of the 10,000+ tracked projects, the Chainguard Factory springs into life, rebuilding that project and everything that depends on it. Critical CVEs in Chainguard OS are remediated in 20 hours on average and pulled into Chainguard Containers overnight.
But the 20-hour number undersells it. Because the Factory tracks upstream source rather than CVE feeds, fixes often land before a CVE is assigned at all — and many never show up in a scanner. By the time NVD picks up the vulnerability, :latest has already moved past it. For example, when Go patched CVE-2023-29406 in July 2023 — a Host-header injection in the net/http standard library — the fix landed in Wolfi the same day, and by the next day, 192 Wolfi packages that built on Go had been rebuilt with it too. Meanwhile, as Chainguard engineering wrote at the time, “no scanner would have the information needed to detect and report it.”
If a Mythos finding leaks before disclosure and someone writes an exploit, you’re still protected, as long as the fix is already upstream and you rebuilt recently.
Delete categories
Open source registries are under siege. In under two weeks this March, attackers pushed malicious versions of Trivy, LiteLLM, Telnyx, and axios — none through the code, all through the publish pipeline. Dan Lorenc laid out the case earlier this month. When anyone can publish to a public registry, and scanners only catalog what’s already known, the malicious artifact is already inside before anyone has a name for it.
It’s good to be quick on the draw with a solution, but even better to delete a whole category of problems before it affects you. Chainguard Libraries builds from source, routing around frequently-targeted maintainer infrastructure and dependencies. The approach proved effective in March 2026, a month to remember for malware. On March 30, attackers published two malicious versions of axios, a package with 300 million downloads a month, carrying a cross-platform RAT hidden in a post-install hook. The bad releases were live on npm for roughly three hours. Chainguard customers saw zero downloads of either version, not because Chainguard was fast, but because our customers were pulling from a safer alternative. The same structural defense held when malicious versions of LiteLLM and Telnyx hit PyPI a week earlier, or when Trivy’s release pipeline was hijacked the week before that.
Across the full set of 8,783 known-malicious npm packages in Chainguard’s malware analysis, the Libraries ruleset would have blocked 99.7%. On the Python side, 98% of about 3,000 malicious packages would have been blocked. When a registry gets poisoned, you don’t want to try beating the clock in cleaning up the mess. You want to be on a different supply chain entirely, one unaffected by the attack.
It gets worse
So far, we’ve taken Anthropic’s lead at face value: Mythos as a zero-day-finding, zero-day-exploiting system, aimed at vulnerabilities in known software. But Mythos isn’t a single-purpose tool. It’s a general-purpose model, and zero-days are just the most marketable of its capabilities. The same functionality, pointed elsewhere, will cause other major issues.
Let’s start with CI/CD. The GitHub Actions marketplace has more than 20,000 actions, most of which are unpinned and many of which have broad scopes. Unsafe patterns — like shell-interpolating an authorization header from a user-controlled variable — are systemic, and findable at machine speed. The tj-actions/changed-files compromise in 2025 exploited this class of weakness before model-assisted analysis was the default. A model that can read thousands of workflow YAMLs and map every injection sink doesn’t need to find a zero-day, since there is much lower-hanging fruit in the form of misconfigurations, unpinned actions, and over-broad runner scopes.
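The same sweep works in a defender's favor. The following is an added example, not Chainguard's code or anything from the original article: a small audit that flags two of the patterns named above in a workflow file, actions not pinned to a full commit SHA and user-influenced expressions interpolated directly into a run step. The sample workflow, the action names, and the list of contexts treated as user-controlled are assumptions made for illustration.

```python
import re

# Constructed sample workflow; the action names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
on: workflow_dispatch
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/build-action@v4
      - uses: example-org/setup-action@0123456789abcdef0123456789abcdef01234567
      - name: call API (unsafe)
        run: |
          curl -H "Authorization: Bearer ${{ github.event.inputs.token }}" https://api.example.invalid
      - name: call API (value passed through env instead)
        env:
          TOKEN: ${{ github.event.inputs.token }}
        run: |
          curl -H "Authorization: Bearer $TOKEN" https://api.example.invalid
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")
# Expression contexts an outside party can influence (a partial list, by assumption).
EXPR_RE = re.compile(r"\$\{\{\s*((?:github\.event\.|github\.head_ref|inputs\.)[^}]*?)\s*\}\}")
PINNED_RE = re.compile(r"@[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line, rule, detail) findings for one workflow file."""
    findings, run_col = [], None  # run_col: column of the open `run:` key
    for n, line in enumerate(text.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > run_col:
                findings += [(n, "expr-in-run", m.group(1)) for m in EXPR_RE.finditer(line)]
                continue
            run_col = None  # dedent: the run block has ended
        uses, run = USES_RE.match(line), RUN_RE.match(line)
        if uses and not uses.group(1).startswith(("./", "docker://")):
            if not PINNED_RE.search(uses.group(1)):
                findings.append((n, "unpinned-action", uses.group(1)))
        elif run:
            run_col = line.index("run:")
            findings += [(n, "expr-in-run", m.group(1)) for m in EXPR_RE.finditer(run.group(1))]
    return findings

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```

The second curl step is not flagged because the expression is assigned to an environment variable and the shell only ever sees `$TOKEN`, which is the usual fix for this class of finding.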
Or look at agentic coding tools. Skill registries — the places agents pull instructions and code from — are where package managers were in 2015: trust the name, hope for the best. Trend Micro reported in February that hundreds of malicious skills on OpenClaw were delivering the Atomic macOS Stealer via AI agents, in some cases by coaching users through fake driver installs. While many of these tainted skills are blunt instruments, what subtle model poisoning might be wrought with a tool as sophisticated as Mythos?
And then there’s the dependency graph itself. A model can crawl the transitive dependencies of a 300-million-download package, rank them by exploitability and blast radius, and pick the softest target, such as the least-watched maintainer, or the most obscure sub-package. Combined with AI-generated READMEs and telemetry-shaped code that passes as real software, malicious packages are increasingly indistinguishable from legitimate ones. Sonatype counted 454,600 malicious packages in public repositories in 2025, up from 55,000 in 2022.
And these are just the start. The intersection of post-frontier model capability and cybersecurity only gets stranger from here: binary reverse engineering of closed-source software, malware that rewrites itself with every build, and social engineering personalized to every target. Feeling stressed out yet?
Call the time traveler
When you have a problem with the timeline, call the time traveler. Chainguard built the category of secure containers in 2022, before zero-CVE was something anyone promised and before it was normal to ask what was in your image at all. We started Chainguard Libraries in 2024, before supply-chain attacks on language registries had become the dominant threat class — before Shai-Hulud, before axios, before TeamPCP decided it was the year of the supply chain. This year, with the publish pipeline and the agent-tooling layer both under fire, we’ve fanned out again: Chainguard Actions rebuilds popular GitHub Actions from source, Chainguard Agent Skills does the same for the skills agents consume, and OS Packages, VMs, and hardened Libraries fill out the rest of the stack. Every part of it runs on Chainguard OS, the fastest distro in the business.
This is not the situation anyone wanted, and 2025 and 2026 have been a rollercoaster ride that is about to hit 5 g’s with the release of Mythos. Constant supply-chain attacks are the baseline now, not outliers. Teenagers are pulling off what used to take a state-sponsored team, and a frontier model can find zero-days faster than any disclosure process can publish them.
But we think the firm foundation we’ve built here is your best bet for staying ahead in an environment that keeps getting stranger. Every container, library, action, and skill we ship is rebuilt from verifiable source, signed with Cosign through a public transparency log, and published with SLSA 3 provenance and SBOMs you can verify locally without touching our infrastructure. You can audit the chain yourself. You don’t have to take our word for any of it. And we’re already at work on the next generation of trusted-source tooling for agent-scale development — tools that don’t just keep up with the threat, but get ahead of it.
Timelines? Where we’re going, we don’t need timelines. Welcome to the party, Mythos. And catch you in the future.