The Software Under Your iPhone Just Got Hacked by an AI

Three times this week, the same conversation. A client calls, skips the pleasantries: "Did you see the Anthropic thing? What does it mean for us?"

Then a board member of a portfolio company, same question, different words: "My CISO says we're fine. Should I believe him?"

Then a PE operating partner, more direct: "Do we need to do something about this right now?"

Short answer: yes. Here's why, and here's what.

What Happened This Week

Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell called an emergency meeting with the CEOs of Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, and Wells Fargo. The subject wasn't interest rates. It wasn't the Iran situation. It was an AI model. The Bank of England and the Bank of Canada held parallel discussions with their financial institutions the same week.

The trigger: Anthropic—the AI company behind Claude—released research showing its latest model can autonomously discover and exploit security vulnerabilities in every major operating system and every major web browser. Not theoretical weaknesses. Real ones, hiding in production software used by billions of people, some for decades.

Meanwhile, most organizations' cybersecurity dashboards are still green. That's the problem.

What It Actually Found

The technical details are dense. The implications are not.

Anthropic's model—Claude Mythos Preview—found a 27-year-old vulnerability in OpenBSD, an operating system chosen specifically for security-critical infrastructure like firewalls and routers. It found a 17-year-old flaw in FreeBSD that grants an unauthenticated attacker full control of a server. It found a 16-year-old vulnerability in FFmpeg, the media processing library that handles video for essentially every major platform.

Those names may not mean much to you. What they run will.

FreeBSD is the foundation underneath Netflix's content delivery network, WhatsApp's backend, Sony's PlayStation, Juniper's network equipment, and significant portions of Apple's macOS, iOS, and every other Apple OS. FFmpeg powers video processing for YouTube, Instagram, TikTok, and thousands of others. If you use an iPhone, stream video, or message on WhatsApp, you're already running on infrastructure this model cracked open.

It also found and exploited vulnerabilities in every major web browser. In one case, Anthropic's researchers turned a browser exploit into an attack where simply visiting a webpage gives the attacker the ability to write directly to the victim's operating system. No clicks. No downloads. Just opening a page.

And here's the part I keep coming back to: the model wasn't trained to do any of this. Nobody programmed it to hack. It got better at thinking, and hacking followed.

Why This Time Is Different

I'll spare you the full technical breakdown. Three numbers tell the story.

Anthropic's previous best model turned known browser vulnerabilities into working exploits twice out of several hundred attempts. Mythos Preview succeeded 181 times on the same test.

Two. Then 181.

The cost to find a critical vulnerability in OpenBSD—one of the most security-hardened systems in existence—was under $50 for the run that found it. A complete exploit chain against the Linux kernel cost under $2,000 and took less than a day. Engineers with no formal security training asked the model to find vulnerabilities overnight and woke up to working exploits.

Finding vulnerabilities is now cheap. Exploiting them is now fast. The skill barrier just collapsed. That's why cybersecurity stocks slumped when a draft of the research leaked in late March—before the model was even officially announced. Wall Street understood the implications before most organizations did.

What I'm Telling Clients

Every cybersecurity program is built on assumptions about the threat landscape. How fast attackers find vulnerabilities. How much expertise exploitation requires. How long you have between disclosure and weaponization. Those assumptions held for twenty years. They don't anymore.

Here's where that hits in practice.

Your patch window just shrank. It assumed human-speed threat development. When exploitation takes weeks of skilled labor, a two-week patch cycle is defensible. When exploitation takes hours, it's not. If deploying a critical security patch requires a change advisory board meeting, a scheduled maintenance window, and three levels of approval—that process was a governance control last quarter. This quarter, it's a vulnerability.

Your vulnerability backlog just got more dangerous. It was prioritized based on how hard each issue was to exploit. A "medium" risk rated on the basis that exploitation requires advanced skills looks different when exploitation becomes automated and costs less than a dinner. Your risk and compliance teams need to revisit those ratings—not on the next cycle, but now.

Your vendor risk assumptions need updating. Your third-party risk questionnaires ask whether vendors have a security program. They don't ask how fast a critical patch reaches production. They don't ask what happens if a zero-day drops on a Friday afternoon. Those are now the questions that matter.

Your open-source dependencies are more exposed. The FreeBSD vulnerability had been there for 17 years. FFmpeg's for 16. These are libraries embedded deep in your technology stack, often without your team knowing they're there. Your engineering leaders should be asking: do we even have a complete inventory of what we're running on?

Your pen test may have tested the wrong attacker. It was calibrated against human testers working within time and budget constraints. Mythos Preview ran thousands of parallel scans and found bugs missed for decades by every tool and reviewer that came before it. If your last pen test gave you confidence, ask what it was calibrated against.

The good news is real, and I don't want to bury it. The same AI capabilities that enable these attacks also dramatically improve defense. AI-driven vulnerability scanning using publicly available models is already finding critical bugs across open-source projects. The question isn't whether the tools exist. It's whether your organization is using them defensively before someone uses them offensively.

What the Response Tells You

Anthropic chose not to release Mythos Preview publicly. Instead, they launched Project Glasswing—a defensive coalition including Amazon, Apple, Microsoft, Google, Nvidia, CrowdStrike, Palo Alto Networks, JPMorgan Chase, and the Linux Foundation, backed by $100 million in usage credits. When those companies form a defensive coalition on the same day, that's not a press release. That's an industry bracing.

Treasury confirmed that Bessent convened the bank meeting to initiate a coordinated approach—and plans to lead more such meetings on an ongoing basis. Wall Street banks are now actively testing Mythos internally. And this isn't about one model from one company. These capabilities emerged from general improvements in reasoning, which means other frontier AI models are approaching similar thresholds. Anthropic's own researchers put it bluntly: there is no reason to think this is where capabilities plateau.

The Bottom Line

For twenty years, cybersecurity has operated in a relatively stable equilibrium. Same shape of attacks, evolving sophistication, manageable pace.

That equilibrium is breaking. And the response—Anthropic withholding the model, the Fed and Treasury convening emergency meetings, the world's largest technology companies forming a defensive coalition, central banks on three continents briefing their financial sectors—tells you everything about how seriously the people closest to this are taking it.

Your defenses were designed for human-speed attackers. That's no longer the only adversary in the room.

P.S. Forward Anthropic's Mythos Preview research to your CISO or head of IT and ask one question: "Does our current cybersecurity posture account for this?" If the answer requires a meeting to figure out, you've found the gap. Powell and Bessent didn't wait for a scheduled review. Neither should you.