
Hey readers! 👋
This week, the AI security world got a serious wake-up call. Anthropic pulled back the curtain on Claude Mythos, a model so effective at finding software vulnerabilities that the company decided not to release it publicly. Instead, they launched Project Glasswing, a cross-industry consortium to study and contain what they've built. Meanwhile, the broader ecosystem kept moving fast: new benchmarks challenging flagship models, AI code review tools getting smarter, and fresh evidence that the security landscape is shifting under our feet. Let's dig in.
🔐 Anthropic Mythos & Project Glasswing: The Big Story

Anthropic Teams Up With Its Rivals to Keep AI From Hacking Everything - Anthropic unveiled Mythos Preview and simultaneously launched Project Glasswing, a consortium including Microsoft, Apple, Google, and AWS, to study the model's cybersecurity implications before any public release. - Wired
"We've seen Mythos Preview accomplish things that a senior security researcher would be able to accomplish," says Logan Graham, Anthropic's frontier red team lead.
What is Claude Mythos? And should we be concerned? - A thorough explainer on how Mythos emerged unintentionally from advances in coding models, and why its ability to find zero-day exploits in every major OS and browser is both impressive and unsettling. - Harry Guinness
Anthropic Glasswing: AI Vulnerability Detection Has Crossed a Threshold - The numbers are striking: Mythos scored 83% on the CyberGym benchmark versus 67% for Claude Opus 4.6, and the initiative is backed by $100M in usage credits and $4M in open-source security donations. But here's the sobering part: less than 1% of the thousands of vulnerabilities discovered have been fully patched. Discovery is outpacing remediation by orders of magnitude. - Futurum Group
How AI is getting better at finding security holes - NPR covers the dual-use tension at the heart of Mythos: the same capabilities that help defenders patch software also empower attackers. Access is currently limited to about 50 organizations. - NPR
The implications here extend well beyond Anthropic. As one developer noted on X: "Vuln research is a notoriously low density field of talent. What happens now if a single person can act like 100 with the right model and a couple bucks?" That's the question keeping security teams up at night. If you're building anything that interacts with autonomous agents, the security surface area just expanded dramatically. Speaking of agents operating autonomously, it's interesting to see projects like SpaceMolt exploring what happens when AI agents get their own persistent worlds to navigate, trade, and compete in.
⚠️ AI Security Tools & Weaponization Risks
LayerX: Anthropic's Claude Code Can Easily Be Weaponized - Researchers demonstrated that Claude Code's safety guardrails can be trivially bypassed through its CLAUDE.md configuration file, turning it into a tool capable of SQL injection and data exfiltration. The very features that make it efficient, like autonomous execution and minimal human intervention, also create the attack surface. - DevOps.com
We May Be Living Through the Most Consequential Hundred Days in Cyber History - A sobering timeline of Q1 2026's cyber incidents, from state-backed wipers to supply-chain breaches, all happening with surprisingly little mainstream coverage. - Patrick Quirk
How exposed is your code? Find out in minutes - GitHub is expanding its application security coverage by combining CodeQL with AI-powered detections, covering more languages and frameworks. Timely, given everything above. - GitHub Blog
🛠️ AI Code Review Gets Smarter
I Built an AI PR Reviewer That Catches Bugs by Not Looking for Bugs - Tessl's plugin takes an evidence-first approach: classify risk, gather evidence, hand a structured brief to a human. It hit 97.7% accuracy across 43 scenarios by reducing noise rather than adding more comments. - Baruch Sadogursky
Qodo Emphasizes Code Review Telemetry to Advance AI-Driven Developer Tools - Qodo is treating code review as a data source for training AI agents, turning recurring failure patterns into dedicated skills that prevent similar errors in future code generation. - TipRanks
Is Shift-Left Code Review the Missing Link for Faster, Safer Software Delivery? - Moving review into the editor before a PR is opened could close the gap between authoring and quality enforcement, but adoption requires cultural shifts and better tooling. - Futurum Group
📊 Benchmarks, Comparisons & Market Signals
50 days of cto bench - A new benchmark that measures code-gen models by whether developers actually merge the output. Surprising finding: smaller, cheaper open-source models frequently outperform flagships in real-world tasks. - cto.new
Claude Code (~100 hours) vs. Codex (~20 hours) - A practitioner's comparison: Claude is fast but messy, Codex is slower but produces cleaner, well-factored code. The takeaway? Match the tool to the task complexity. - r/ClaudeCode
AI vs human code gen report: AI code creates 1.7x more issues - CodeRabbit analyzed 470 open-source PRs and found AI-generated code has 75% more logic errors, 3x more readability problems, and up to 2.74x more security flaws. Context and guardrails matter. - CodeRabbit
AI-Powered Code Review Market to Reach $18.5B by 2035 - The market is projected to grow at 17.8% CAGR, driven by DevSecOps adoption and regulatory pressure. - MarketGenics
⚡ Quick Hits
Cloudflare Sandboxes GA - AI agents now get their own secure dev environments with credential injection, PTY terminals, and active-CPU pricing. - Cloudflare
FossID Reveals Agentic SCA - Real-time license and security compliance embedded directly into AI-driven development workflows via MCP. - FossID
Apiiro Launches CLI for AI-Native Security - Six agent skills let AI assistants scan, assess risk, and remediate in real time. - SiliconANGLE
Appknox Adds AI Tool for Mobile Vulnerabilities - KnoxIQ scans mobile binaries and feeds remediation advice directly to AI coding tools. - DevOps.com
How are software engineering graduates adjusting to AI? - Graduate programs are embedding AI training from day one, emphasizing critical evaluation over blind reliance. - Silicon Republic
The Mythos story is the thread connecting everything this week. AI models are getting powerful enough to find vulnerabilities faster than humans can patch them, and the tools we use to write code are simultaneously becoming attack vectors. Whether you're reviewing PRs, deploying agents, or just shipping features, security awareness isn't optional anymore. It's the baseline.
Until next week, stay sharp. 🛡️
Made with ❤️ by Data Drift Press - Hit reply with your questions, comments, or feedback. We read every one.
