Anthropic's Mythos scans cURL, finds one low-severity bug

The Register reports that Anthropic's Mythos was used to scan the cURL git repository under the Linux Foundation's Project Glasswing program, according to a Monday blog post by cURL developer Daniel Stenberg. Stenberg wrote that he never received direct access and that "someone else with access ran Mythos against curl's codebase and later sent him a report." The submitted report listed five items labeled as "confirmed security vulnerabilities," but Stenberg wrote that after his team's review they "had trimmed the list down and were left with one confirmed vulnerability." He added, "The single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with our pending next curl release 8.21.0 in late June." The Register notes three of the five were false positives and the fourth was a simple bug; Mythos also flagged several non-security bugs.

Automated vulnerability scanners, including AI-driven tools, commonly trade coverage for precision. Industry-pattern observations: false positives and findings that reflect documentation gaps are typical when a tool lacks deep, project-specific context or human-in-the-loop validation. For security teams, that means tool outputs need triage workflows and integration with existing code review processes.

Reporting frames the Mythos result as undercutting some of the earlier hype about its capabilities. Industry-pattern observations: single-case demonstrations against a mature, well-audited codebase are weak evidence for general-purpose automated exploit discovery; independent, reproducible evaluations across diverse projects are more informative.

Look for independent audits of Mythos, public precision/recall benchmarks, broader Project Glasswing reports, and whether Anthropic or third parties publish methodology and reproducible test cases.