When Anthropic unveiled its new Mythos model in April, it also delivered a stern warning to anyone developing software. The model was so powerful at sniffing out software vulnerabilities, the lab claimed, that it had found hundreds of high-severity bugs that would need to be fixed before it could be made public.
Now, security researchers for Mozilla’s Firefox browser are offering a closer look at what that process has looked like in practice, and what Mythos’ powers mean for software security at large.
In a post published on Thursday, Mozilla said Mythos has unearthed a wealth of high-severity bugs, including some that had lain dormant in the code for more than a decade.
That’s a significant advance from what AI security tools were capable of even six months ago. Until now, AI bug-finding tools have come with serious drawbacks, often inundating security teams with low-quality reports and false positives. But Mozilla’s researchers say the latest generation of tools has turned a corner, particularly now that agentic systems can assess their own work and filter out bad results.
“It’s difficult to overstate how much this dynamic changed for us over a few short months,” the researchers wrote. “First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models.”

The results are striking: In April 2026, Firefox shipped 423 bug fixes, compared to just 31 exactly a year earlier. The researchers have also published details on 12 of the bugs, which range from a couple of odd sandbox vulnerabilities to a 15-year-old error in how the browser parses an HTML element.
“These things are actually just suddenly excellent,” Brian Grinstead, a distinguished engineer at Mozilla, told TechCrunch. “We see that on our own internal scanning, we see that on external bug reports, and we see that in all kinds of signals across the industry.”
The fact that the tool helped expose vulnerabilities in Firefox’s “sandbox” system is especially impressive, given how intricate an attack that exploits it needs to be. To find sandbox vulnerabilities, the model must write a compromised patch for the browser, then attack the most secure part of the software with the new code implemented. Finding and demonstrating the bug is a delicate, multi-step process, requiring both creativity and close attention.
To put this into context, Mozilla’s bug bounty program pays researchers who can find a bug in Firefox’s sandbox up to $20,000, the highest reward available. Despite the top-dollar bounty, however, Grinstead says Mythos is finding more sandbox issues than human researchers ever did. “We do get them,” he told TechCrunch, “but not at the volume that we’re able to find with this system.”
Notably, the Firefox team still isn’t using AI to fix the bugs, despite well-documented progress in AI coding tools. The team does ask AI to code up patches for each bug, but the resulting code usually can’t be deployed directly, and instead serves as a model for a human engineer.
“For the bugs we’re talking about in this post, every single one is one engineer writing a patch and one engineer reviewing it,” Grinstead says. “We have not found it to be automatable.”
It’s still not clear how AI’s growing capabilities will change the broader balance of power in cybersecurity. One month since Mythos was previewed, many of the bugs discovered likely haven’t been patched, which makes it hard to grasp the full scope of their impact. Anthropic has been scrupulous about following responsible disclosure norms, but it’s likely bad actors are using similar techniques behind the scenes, even if the models they’re using aren’t quite as good.
Speaking at a recent event, Anthropic CEO Dario Amodei was optimistic that the new tools would ultimately favor defenders. “If we handle this right, we might be in a better position than we started, because we fixed most of these bugs. There are only so many bugs to find,” Amodei said. “So I think there’s a better world on the other side of this.”
Having dealt with the gritty details, Grinstead has a more measured view: “It’s useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet.”



