An automated vulnerability scanner called Mythos, built by AI firm Anthropic, has flagged nearly 23,000 security holes across open-source projects — among them a bug in OpenBSD that has lurked unnoticed for 27 years. The findings, shared by Anthropic researchers this week, underscore how much ancient code can still threaten modern systems and why the open-source community urgently needs faster ways to patch.
The 27-year-old OpenBSD flaw
One of the most striking discoveries was a vulnerability in OpenBSD, a widely used Unix-like operating system prized for its security. Mythos identified a bug dating back to 1997 — roughly the same era as the first public release of the OS. The flaw, which the researchers did not name publicly, had gone undetected for nearly three decades. That means every version of OpenBSD built or deployed since the late 1990s likely carried the weakness, potentially exposing systems that rely on the operating system for firewalls, routers, or servers.
How Mythos works
Mythos is a static analysis engine designed to scan source code for patterns that resemble known vulnerability classes. It does not run the code; instead it reads it like a proofreader looking for common mistakes — buffer overflows, injection points, use-after-free errors. Anthropic says the tool was tested on a broad set of open-source repositories, and the 23,000 vulnerabilities it found represent a snapshot of the state of security in the wild. The company has not released the full list of affected projects, but the OpenBSD case alone shows how deep the problem goes.
Why patching lags
The sheer volume of vulnerabilities — 23,000 — would overwhelm any manual review team. Many open-source projects rely on part-time maintainers or volunteers who juggle patches alongside day jobs. A bug that has sat unseen for 27 years also illustrates a harder problem: old code gets assumed safe simply because no one has found a flaw in it yet. Once a flaw is found, the clock starts on a fix, but the time between disclosure and patch can stretch for weeks or months. Mythos's detection, researchers argue, should push the community toward automated triage and prioritized patching — not just more manual scanning.
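The two points above, a scanner that reads source "like a proofreader" without executing it (How Mythos works) and the need for automated triage once thousands of findings land (Why patching lags), can be illustrated with a small pattern-based checker. This is an added example written for this page; it is not Mythos, whose internals Anthropic has not published, and the C source it scans is constructed here, not taken from OpenBSD. The rules (unbounded string functions, a pointer referenced after free()) and the severity scores are assumptions chosen to show the idea.

```python
import re
from dataclasses import dataclass

# Constructed sample C source for the demo (not real OpenBSD code).
# The checker only reads this text; it never compiles or runs it.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);          /* unbounded copy into a fixed buffer */
    printf("hello %s\n", buf);
}

void read_line(void) {
    char line[64];
    gets(line);                 /* no length limit at all */
    puts(line);
}

void reuse(void) {
    char *p = malloc(16);
    free(p);
    p[0] = 'x';                 /* write through a freed pointer */
}

void safe(const char *name) {
    char buf[32];
    strlcpy(buf, name, sizeof buf);
}
'''

# Assumed rule table: call name -> (vulnerability class, triage score 1-10).
DANGEROUS_CALLS = {
    "gets":    ("buffer-overflow", 10),
    "strcpy":  ("buffer-overflow", 7),
    "strcat":  ("buffer-overflow", 7),
    "sprintf": ("buffer-overflow", 6),
}
UAF_SCORE = 9

@dataclass
class Finding:
    line: int
    kind: str
    score: int
    detail: str

def scan(source: str) -> list[Finding]:
    """Static, line-by-line pass: flag risky calls and naive use-after-free."""
    findings: list[Finding] = []
    freed: dict[str, int] = {}  # pointer name -> line of free(); reset per function
    for lineno, text in enumerate(source.splitlines(), start=1):
        code = re.sub(r"/\*.*?\*/", "", text)  # drop single-line block comments
        # A function header starts in column 0 and ends with '{'; new scope.
        if re.match(r"[A-Za-z].*\)\s*\{\s*$", code):
            freed = {}
        # Rule 1: calls to functions with no bounds check.
        for m in re.finditer(r"\b(\w+)\s*\(", code):
            name = m.group(1)
            if name in DANGEROUS_CALLS:
                kind, score = DANGEROUS_CALLS[name]
                findings.append(Finding(lineno, kind, score, f"call to {name}()"))
        # Rule 2: a freed pointer used again before being reassigned.
        for ptr in list(freed):
            if re.search(rf"\b{ptr}\s*=[^=]", code):   # reassigned: forget it
                del freed[ptr]
            elif re.search(rf"\b{ptr}\b", code):
                findings.append(Finding(lineno, "use-after-free", UAF_SCORE,
                                        f"{ptr} used after free() on line {freed[ptr]}"))
        fm = re.search(r"\bfree\s*\(\s*(\w+)\s*\)", code)
        if fm:
            freed[fm.group(1)] = lineno
    return findings

def triage(findings: list[Finding]) -> list[Finding]:
    """Order findings for patch prioritisation: highest score first, then by line."""
    return sorted(findings, key=lambda f: (-f.score, f.line))

if __name__ == "__main__":
    for f in triage(scan(SAMPLE_C)):
        print(f"score={f.score:2d} line={f.line:3d} {f.kind:16s} {f.detail}")
```

Running it prints the three planted defects with gets() ranked first, the use-after-free second and strcpy() third, while the strlcpy() call in safe() produces nothing. Real scanners replace the regexes with a parser and data-flow analysis, but the workflow is the same: read, match against known mistake classes, then rank so that maintainers see the most dangerous items first.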
Anthropic has not said whether it will make Mythos publicly available or open-source the tool itself. For now, the company is working with a handful of open-source projects to help them review the specific vulnerabilities Mythos flagged. The OpenBSD team has been notified about the 27-year-old flaw, and a fix is expected in the next release. But with 23,000 holes still unaddressed across countless projects, the bigger question remains: how many other decades-old bugs are still waiting to be found — and who will find them next?