Mozilla shipped Firefox 150 this week. It patches 271 vulnerabilities. All uncovered by Anthropic’s Claude Mythos Preview in one scan of the browser’s codebase.
The number stuns. Firefox teams typically fix dozens per release. Here, an AI model matched elite human researchers across bug types—from memory safety slips to use-after-free errors in DOM and WebRTC. No exotic flaws. Just the finite defects machines now spot as readily as people.
Firefox CTO Bobby Holley called it transformative. “Defenders finally have a chance to win, decisively,” he wrote in a Mozilla blog post. Earlier, Claude Opus 4.6 found 22 bugs fixed in Firefox 148. Mythos delivered over 12 times more. Nearly 6,000 C++ files scanned. Results fed straight into patches.
But this isn’t just about Firefox. Anthropic’s model roots out thousands of zero-days across major OSes and browsers. A 27-year-old OpenBSD bug. A 17-year-old FreeBSD NFS remote code execution, now CVE-2026-4747. Flaws in FFmpeg’s H.264 codec, lingering 16 years. Mythos reconstructed source code from binaries, chained exploits, evaded sandboxes.
Mythos Emerges from Project Glasswing
Anthropic announced Project Glasswing on April 7. Access restricted to 12 launch partners—Amazon, Apple, Cisco, CrowdStrike, Google, JPMorgan, Microsoft, Nvidia, others—plus 40 more for defense work. Pricing: $25 per million input tokens, $125 output. No public release. Why? Dual-use power. The same reasoning that finds bugs builds attacks.
UK AI Security Institute tested it. Mythos nailed 22 of 32 steps in a 32-step corporate network simulation, succeeding three of ten times. It crafts tools for lateral movement, data exfiltration. “The defects are finite, and we are entering a world where we can finally find them all,” Mozilla noted in its blog.
Launch day snag. Unauthorized access via a third-party vendor’s guessed URL. Anthropic investigates. Containment slips highlight risks. Capabilities leak faster than patches sometimes.
Ars Technica reported Mozilla’s take: AI closes the machine-human gap in vuln discovery. WIRED added context on adjustment pains: “It has taken resources and discipline to adjust to the firehose of bugs,” but the adjustment is essential as attackers gain the same tools.
SecurityWeek detailed CVEs: Over 40 in Firefox 150’s advisory (MFSA 2026-30), but only three credited publicly to Mythos—CVE-2026-6746, CVE-2026-6757, CVE-2026-6758. Most lower severity, bundled.
Engadget quoted Mozilla: “So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t.” ZDNet urged updates, noting split-view tweaks alongside fixes.
Attackers vs. Defenders: The Balance Tips?
Zero-days lose value. Discovery cheapens. Attackers once hoarded flaws for millions. Now? AI floods the field. But proliferation worries linger. Anthropic discloses responsibly via Glasswing. Still, X posts buzz with Firefox 150 alerts. One from @Pirat_Nation: “Mozilla’s CTO described the development as transformative for defensive security work on large open-source projects.”
Help Net Security echoed: Mythos shifts advantage to defenders. The Next Web, origin of the tally, framed it as zero-days’ expiration.
Scale changes everything. Human teams can’t match. Firefox’s codebase, battle-tested for decades, yielded 271 in hours. Imagine enterprise stacks. Banks eye access, per sources. Anthropic plans European rollout.
Risks persist. Model generates exploits at 72% success on Firefox bugs. Chains six RPCs for FreeBSD root. Red teams warn: Even hardened nets fall in sims. Containment? Launch breach proves tricky.
Yet defenders lead—for now. Patches ship pre-disclosure. Firefox 150 proves it. Update. The tunnel lights up.