Preparing for Mythos: Practical advice for engineering teams

Adrian Mouat, Staff DevRel Engineer

March and April were already bruising months for security, with multiple high-profile incidents demonstrating the fragility of software supply chains. Then, on top of that, came news of Anthropic's new "Mythos" model, which they found was "strikingly capable at computer security tasks". Anthropic was worried enough to withhold the model from general release and launch Project Glasswing to give "organizations that build or maintain critical software infrastructure" a head start in finding and patching vulnerabilities before advanced models become more widely available. Expect a slew of updates and patches over the next weeks and months as a result of this work. This post assesses the seriousness of the threat and the steps you should be taking now.

So how bad is it?

There have been some strong, even apocalyptic, reactions to this news, including this cfr.org article, which described Mythos as an "inflection point" and warned, "The global Hunger Games for AI security has arrived," and the New York Times, which spoke about "profound geopolitical implications."

My own take is that we're in for a bumpy ride over the next few months (or even years), but I'm not on team apocalypse. I reason that defenders will use the same models attackers use to find and exploit vulnerabilities, and thus will find and fix them first. It is not an arms race with no end in sight, as there is no endless supply of critical security vulnerabilities in any given codebase. We will reach a point where models cannot find significant new vulnerabilities in well-maintained, audited codebases. This is backed up by the results of running Mythos on curl, which turned up only one new (non-critical) vulnerability.

That said, where Mythos apparently excels over other models is not in discovering vulnerabilities but in exploiting them effectively (including chaining exploits). On the positive side, this implies that we can use existing models to identify and remediate vulnerabilities. On the negative side, it means that attackers will exploit critical vulnerabilities even faster than before. As I said, it's going to be a bumpy ride, but the organizations and projects that stay the course will come out meaningfully more secure on the other side.

How to survive Mythos

The first thing to realize is that you should be using the models yourself. Whether or not agents write your code, you should have agents reviewing pull requests from a security perspective, and models running against your legacy codebase to check for vulnerabilities. There is an example in this talk of a simple prompt that you can use (note the "hint" advice to focus the model on a particular area).

Next, remember that basic security advice has not changed. Practice Defense in Depth and the Principle of Least Privilege. Have multiple layers of security and use isolation techniques. Get rid of long-lived access tokens wherever possible; they were partly responsible for both the Trivy and Axios attacks.

Finally, Mythos poses a particular threat to open source software — the code is publicly available, so it's easy to point a model at it — and open source software underpins every software supply chain. You need to make sure you are getting the latest security patches (and expect an avalanche of them over the coming weeks and months) for all dependencies in your system, and that they are from a trustworthy source. At the same time, you need to be sure you're not pulling in a malicious update from the latest Shai Hulud or similar attack, which could create an unsettling tension. Chainguard can help resolve this tension. We provide open source that is continuously updated, built from verified sources, and hardened before it reaches you. This means you can safely use the latest patches without worrying about malicious updates. To be specific:

  • We provide a secure library of container images that is constantly being updated and built from the latest sources with near-zero CVEs. Our images are stripped of unnecessary packages, further reducing the attack surface.

  • Our Libraries product effectively defends against Shai Hulud attacks by publishing only packages that can be built from publicly available, verifiable sources — if the source isn't available, we won't publish it. We don't include any install-time scripts, cutting out another major attack vector.

  • GitHub Actions are of critical importance to a secure supply chain. We provide a library of common actions that have been security-hardened, including pinning to immutable SHA commits — which prevents tag-tampering attacks like the one used against Trivy — and hardening against common misconfigurations such as script injection.

  • Our Agent skills library provides a catalog of skills that have been reviewed and hardened, providing confidence that their use will not result in credential harvesting or other malicious behavior.
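As an added illustration of the two GitHub Actions hardening points above (SHA pinning and script injection), and not code from Chainguard or the original post: a small Python check that scans a workflow for `uses:` references not pinned to a full commit SHA and for single-line `run:` steps that interpolate pull-request or issue data directly into the shell. The workflow text is constructed for the example, and the SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow (not from the page): one tag ref, one branch ref,
# one SHA-pinned ref (placeholder SHA), one injectable run step and one safe
# run step that passes the same untrusted value through an env var instead.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - run: echo "Title: ${{ github.event.pull_request.title }}"
      - run: echo "Safe: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Event contexts the PR/issue author controls; interpolating them into a
# run: step is the classic script-injection misconfiguration.
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request|issue|comment|review)\..*?\}\}"
)


def find_unpinned_actions(workflow: str) -> list:
    """Return uses: references whose ref is a tag or branch, not a 40-hex SHA."""
    unpinned = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and docker refs carry no git ref to pin
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def find_script_injection(workflow: str) -> list:
    """Return single-line run: steps that interpolate attacker-controlled data."""
    hits = []
    for line in workflow.splitlines():
        stripped = line.strip()
        if stripped.startswith(("- run:", "run:")) and UNTRUSTED_RE.search(stripped):
            hits.append(stripped)
    return hits
```

The env-var variant in the sample is not flagged because the value never reaches the shell as code, which is the usual fix for this class of misconfiguration.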

Take action today

The threat from models like Mythos is real. The coming months will see many high-impact vulnerabilities. It is not, however, the start of the apocalypse or a sign of artificial general intelligence. Follow good security hygiene, apply your patches, and you will come through the other side more secure than you went in. Talk to Chainguard to do this in easy mode.
