Carlini Was Hired to Doubt AI. Then He Met Anthropic's Mythos.
The most powerful AI yet can find security holes no human can. Here's why that's good news for you.
In February, Nicholas Carlini was at a wedding in Bali. Between events, he opened his laptop. Anthropic had handed him early access to Mythos - its most powerful model, still months from public release. Carlini is the company's top security researcher, and he wanted to see what the thing could actually do.
Here's what you need to know about Carlini: he does not scare easily. In 2019, when OpenAI said its new model might be too dangerous to release, Carlini figured they were being dramatic. He built a career as the field's professional skeptic - the one who showed up at conferences to puncture inflated AI safety claims.
That night in Bali, he started changing his mind.
The Night the Rules Changed
He used a trick now called the Carlini Loop - just enough direction to make Mythos hunt differently on every pass. Then he set it loose on real code. Thousands of passes, finished in days. No coffee breaks. No complaints.
- 479 bugs in Linux alone. Linux runs billions of devices and has survived decades of expert scrutiny. Carlini had never found a single bug in it - not once in his career.
- A critical flaw in Ghost, the publishing software thousands of companies run. Then another. Then another - 500 in two weeks.
One clarification worth making: the broad open-source sweep - 500-plus validated high-severity bugs - came from Anthropic's public Opus model. Mythos is the restricted, far more powerful sibling that chains several flaws into a single working exploit, which is why Anthropic hasn't released it widely.
In early March, Carlini stood in front of a standing-room crowd at the [un]prompted conference in San Francisco and showed them. The Ghost exploit, live. Then the Linux bug. The room went silent.
Two days later, he emailed his Anthropic colleagues:
I don't think we should release Mythos yet.
The professional skeptic had become a believer. It's what security circles now call Bugmageddon.
The Patch Was the Easy Part
Carlini reported the Ghost bug the right way. The developers shipped a patch days later. Clean disclosure. Story over, right? Not even close.
| When | What happened |
|---|---|
| Feb 2026 | Carlini finds a critical Ghost bug: unauthenticated users could take over any Ghost-powered site. |
| Days later | Ghost ships a patch. Textbook responsible disclosure. Normally, this is where the story ends. |
| Weeks later | Attackers reverse-engineer the patch and begin hitting sites that have not updated. |
| Soon after | Unpatched sites get compromised. AI did not cause this - it compressed the timeline from months to weeks. |
That's Bugmageddon in one story. And it speeds up both sides at once: CrowdStrike clocked an 89% surge in AI-enabled cyberattacks in 2025 alone. The takeaway isn't that AI is dangerous. It's that the clock got faster.
What This Means for You
The Part Nobody's Writing About
Here's what the panic headlines miss: Carlini isn't arguing to lock this technology away. He flew to Washington arguing the opposite. After his March talk, Anthropic launched Project Glasswing - a consortium putting Mythos in the hands of the organizations that hold the digital world together.
Same engine, pointed the other way. Whatever helps an attacker find a zero-day helps a defender patch it first - and whoever gets there first wins. Carlini's clock is ticking: 6 to 12 months until rival AI companies hit Mythos-class power, some of which will ship it with no guardrails.
Carlini is the story because he followed the evidence. He didn't flip because someone told him to - he flipped because Mythos showed him something he couldn't argue away. The tech that scared him most is the tech he's now using to fix it. Skeptics who convert don't panic. They prepare.