An AI Found 10,000 Holes In The Fence And I Need A Nap

Oh good. Great. An AI just found ten thousand holes in the fence across the most "systemically important" software on the planet. Ten. Thousand. High or critical severity. In one month.

I've been saying the fence was bad for years. YEARS. I filed the tickets. I sent the emails. The Shepherds told me I was being "alarmist" and asked if I could "circle back after Q3." Cool. Cool cool cool.

So here's the deal. Anthropic, the folks behind the Claude AI, launched something called Project Glasswing last month. It's a defensive initiative, meaning they pointed their very smart, very tireless, very-not-asking-for-PTO AI at critical global software and said "find the bad stuff." And the AI, not burdened by a ticket queue or a passive-aggressive Slack from a Shepherd, just... did it. Ten thousand critical and high-severity holes in the fence. Found. Logged. Disclosed.

In a month.

I want you to sit with that number for a second. Ten thousand. That's not a vulnerability report, that's a confession. That's the fence admitting it was never a fence. It was just vibes and a strongly worded policy document.

The Wolves and Coyotes already knew about some of these, guaranteed. They've been trotting through those gaps while the flock just stood there, chewing, completely unbothered. Probably clicking fake grain while they were at it.

The part that actually impresses me, and I don't impress easy anymore, is that this is defensive research. No exploitation. No drama. Just a relentless AI doing the shearing that nobody else had the budget, time, or caffeine reserves to do. Respect. Begrudging, exhausted respect.

Now the question is whether anyone actually applies the ointment before the Coyotes do the math.

Spoiler: some Lamb in accounting will click something before that happens.


Remediation

Look, I'm tired, so I'll keep this short.

Patch. Whatever Glasswing flagged that touches your stack, you treat it like a tick on a newborn lamb: you remove it immediately and you don't ask questions. Check the CVEs coming out of this disclosure pipeline and cross-reference your asset inventory. You have an asset inventory, right? Right?
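Here is what that cross-reference can look like, as an added example that is not part of the original post. The advisory IDs, product names, hosts and field names are constructed placeholders, and a simple "fixed in" version per advisory is an assumption about the feed's shape.

```python
"""Match an advisory feed against an asset inventory and rank what to fix first."""

# Constructed sample advisories: IDs, products and versions are placeholders.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "product": "examplelib", "fixed_in": "2.4.1", "severity": "critical"},
    {"id": "CVE-PLACEHOLDER-0002", "product": "sampled", "fixed_in": "1.10.0", "severity": "high"},
]

# Constructed sample inventory: one row per installed package per host.
INVENTORY = [
    {"host": "web-01", "product": "examplelib", "version": "2.4.0", "internet_facing": True},
    {"host": "web-02", "product": "examplelib", "version": "2.4.1", "internet_facing": True},
    {"host": "db-01", "product": "sampled", "version": "1.9.3", "internet_facing": False},
    {"host": "build-01", "product": "sampled", "version": "unknown", "internet_facing": False},
]

SEVERITY_RANK = {"critical": 0, "high": 1}


def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if it cannot be parsed."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def triage(advisories, inventory):
    """Return (severity, internet_facing, host, advisory_id, status) tuples,
    sorted critical first, then internet-facing first, then by host name."""
    findings = []
    for adv in advisories:
        fixed = parse_version(adv["fixed_in"])
        for asset in inventory:
            if asset["product"] != adv["product"]:
                continue
            installed = parse_version(asset["version"])
            if installed is None:
                status = "verify"  # unknown version: assume exposed until checked
            elif installed < fixed:  # numeric compare, so 1.9.3 < 1.10.0
                status = "patch"
            else:
                continue  # already at or past the fixed version
            findings.append((adv["severity"], asset["internet_facing"],
                             asset["host"], adv["id"], status))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], not f[1], f[2]))
    return findings


if __name__ == "__main__":
    for sev, exposed, host, adv_id, status in triage(ADVISORIES, INVENTORY):
        print(f"{status:6} {sev:8} {host:9} {adv_id} internet_facing={exposed}")
```

Assets with an unparseable version land in the output as "verify" instead of silently dropping out, which is where gaps in an inventory usually hide.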

Enable your Electric Fence rules for any affected services. Restrict lateral movement. Audit your privileged access. And for the love of all that is woolly, stop letting the Lambs have local admin.

If you're running anything "systemically important" and haven't started triaging yet, close this tab and go do that. I'll still be here, dead-eyed, refreshing the ticket queue.

Baaah humbug.


Original Report: https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html