Author: Naveed Ahmed

  • Glasswing Found What 27 Years of Human Review Missed — Your Node.js Stack Is Next



    § 01 — The launch point

    A model too dangerous to release publicly — and what it found

    On April 7, 2026, Anthropic announced Project Glasswing — a gated cybersecurity initiative built around Claude Mythos Preview, their most capable frontier model to date. The unusual part? Anthropic decided not to release Mythos to the public. It is the first time in roughly seven years a major AI lab has withheld a model specifically over safety concerns. The last comparable case was OpenAI holding back GPT-2 in 2019.

    The reason is straightforward: Mythos Preview is exceptionally good at finding and exploiting vulnerabilities. Not just finding known patterns in code — actually reasoning about systems the way an elite human security researcher would, then building working exploit chains autonomously. Twelve founding partners including AWS, Apple, Cisco, Google, Microsoft, NVIDIA, and the Linux Foundation now have access. Forty-plus additional organisations responsible for critical software infrastructure are joining the consortium.

    “I’ve found more bugs in the last couple of weeks than I found in the rest of my life combined.”

    — Nicholas Carlini, Research Scientist, Anthropic · red.anthropic.com

    What has Mythos actually found? Thousands of zero-day vulnerabilities across every major OS, browser, and network stack — including a 17-year-old unauthenticated root RCE in FreeBSD’s NFS implementation (CVE-2026-4747), a 27-year-old crash bug in OpenBSD’s TCP stack, a 16-year-old out-of-bounds write in FFmpeg’s H.264 decoder that fuzzers had run past five million times without triggering, and a four-bug chain that escapes both the browser renderer and the OS sandbox. The cost per finding run: approximately $50.

    For context: Mythos produced 181 working Firefox JavaScript engine exploits in testing. The previous generation model produced two. That is not an incremental improvement. That is a different category of capability entirely.

    • 27 years: age of the oldest Glasswing bug that survived human review
    • >99%: share of Mythos findings still unpatched at announcement
    • ~$50: cost per AI vulnerability finding run

    The project is named after the glasswing butterfly — Greta oto — whose transparent wings make it nearly invisible. The metaphor is deliberate: the most dangerous vulnerabilities are the ones hidden in plain sight, in code that has been reviewed and trusted for decades. Glasswing currently focuses on C and C++ systems code. It is not yet targeting the JavaScript and Node.js ecosystem explicitly. But that ecosystem has a structural problem of its own, and it is worth understanding before the lens turns toward it.

    ⚠ Name collision worth noting

    GlassWorm (one word) is a separate, active malware campaign — unrelated to Anthropic — that has been targeting npm, GitHub, and VS Code extension marketplaces since October 2025. It uses invisible Unicode characters to hide malicious code and the Solana blockchain for command-and-control. In April 2026, researchers at Socket identified 73 new “sleeper” extensions in the Open VSX marketplace linked to GlassWorm. The similar name to Anthropic’s Project Glasswing is coincidental. GlassWorm = the attack campaign. Glasswing = the defence initiative. They are not the same thing.




    § 02 — The structural problem

    Why Node.js is attractive to attackers — and always has been

    Node.js powers an enormous portion of the modern web. The reasons for its dominance are well understood: a single language across the full stack, a non-blocking I/O model that handles concurrency elegantly, and most importantly, npm — the world’s largest software registry with over 3.1 million publicly available packages. The velocity that made Node.js the default choice for startups and enterprise engineering teams alike also created the world’s largest community-maintained attack surface.

    The core runtime itself is under continuous security pressure. Node.js’s Permission Model — the sandboxing mechanism stabilised in 2024 to contain filesystem and network access — has suffered six or more bypass vulnerabilities in two years. That pattern deserves attention: a security feature designed specifically to limit damage has become a repeated vector in its own right.

    CVE            | Severity | Description
    CVE-2025-55182 | Critical | “React2Shell” — RCE via React Server Components deserialization. Actively exploited in Next.js. 39% of cloud environments affected (Wiz).
    CVE-2025-59465 | High     | HTTP/2 HPACK crash — a malformed HEADERS frame causes remote denial of service across all active Node.js release lines.
    CVE-2025-55130 | High     | Permission Model bypass via crafted relative symlinks — complete escape of the --allow-fs-read / --allow-fs-write restrictions.
    CVE-2025-59466 | High     | Uncatchable stack overflow in async_hooks — unrecoverable process crashes that bypass all error handlers. Affects React Server Components, Next.js, and all APM tooling.
    CVE-2026-21636 | Medium   | Unix domain socket connections bypass --allow-net in the Permission Model.
    CVE-2026-21710 | High     | DoS via a __proto__ header name in req.headersDistinct — crashes the Node.js process.

    The March 2026 security release addressed two high severity issues and five medium severity issues across all active release lines simultaneously. Node.js is patching actively. But the gap between patch availability and deployment across production systems remains dangerously wide. If you are not already subscribed to nodejs-sec, that is the first thing to fix today.




    § 03 — The real crisis

    npm: 3.1 million packages, zero vetting, one install away

    The Node.js core CVE list is manageable. The npm ecosystem is not.

    Here is the structural reality: npm has no submission vetting process. Any package published to the registry is immediately available for installation by millions of developers. The average Node.js project pulls in 79 transitive dependencies — packages that your dependencies depend on, maintained by individuals you will never meet, with no contractual security obligations. Critically, npm lifecycle scripts — specifically postinstall — execute automatically with full developer privileges the moment you run npm install.

    The uncomfortable truth

    npm install is effectively a remote code execution primitive. Every package you install, and every package those packages install, runs arbitrary code on your machine with your permissions. No prompt, no confirmation, no audit trail.

    This is not a theoretical risk. In 2025 attackers published 454,648 malicious npm packages. According to Sonatype’s 2026 Software Supply Chain Report, over 99% of all open-source malware now targets npm specifically. Q4 2025 alone saw a 476% spike in malicious package publications compared to the prior three quarters. This is not noise. This is a deliberate, intensifying, state-level campaign against the JavaScript developer ecosystem.

    Attack timeline: 12 months of escalation

    July 2025

    ESLint/Prettier maintainer compromise

    Phishing combined with typosquatting (npnjs.com) harvested npm credentials. Malware briefly served a WebSocket-based backdoor with remote code execution from packages with 2.8M+ weekly downloads. Source: Snyk

    September 2025

    The chalk/debug attack — 2.6 billion weekly downloads compromised

    A phishing campaign impersonating npm support compromised maintainer “qix” and injected a crypto-stealer into 18 packages including chalk, debug, ansi-styles, supports-color, and strip-ansi. Malicious versions were live approximately two hours. CISA issued a formal alert. Sources: Palo Alto Networks, Sonatype 2026

    September 2025

    Shai-Hulud — the first self-replicating npm worm

    Starting from the compromised @ctrl/tinycolor package, this worm autonomously infected 500+ packages within days. It stole GitHub PATs, npm tokens, and cloud credentials; created unauthorised GitHub Actions workflows for lateral movement; and included a destructive wiper payload triggered on infrastructure loss. A sequel variant appeared in November. Sources: CyberDesserts, CISA advisory

    March 31, 2026

    Axios compromised — North Korea nexus (UNC1069), CISA advisory issued

    A social-engineered maintainer account takeover published two backdoored axios versions (~100M weekly downloads). The attack used a pre-staged decoy package plain-crypto-js@4.2.0, then pushed 4.2.1 with a postinstall hook that silently downloaded a cross-platform RAT for Windows, macOS, and Linux — no user interaction required. Both latest and legacy dist-tags were compromised to maximise blast radius. Huntress observed 135+ endpoints contacting the C2 within the 3-hour exposure window. CISA formal advisory issued April 20. Sources: Elastic Security Labs, CISA advisory, Unit 42

    April 21–23, 2026 — This week

    Three simultaneous supply chain attacks in 48 hours — npm, PyPI, Docker Hub

    Three distinct campaigns hit separate ecosystems in a 48-hour window: a self-propagating credential stealer in pgserve (npm), a multi-stage stealer in xinference (PyPI), and trojanised Checkmarx KICS Docker images. Every payload had one objective: steal API keys, cloud credentials, SSH keys, and CI/CD tokens. The npm variant spread autonomously by scanning for npm publish tokens and republishing infected versions. Sources: GitGuardian, BleepingComputer

    “Attackers are no longer simply experimenting with open source. Threat actors have identified data as the most profitable target, and developers as the easiest way in.”

    — Brian Fox, CTO, Sonatype · 2026 Software Supply Chain Report

    The Lazarus Group concentrated 97% of its 2025 npm activity in the JavaScript ecosystem, deploying over 800 packages with multi-stage payload chains targeting developer credentials and cloud access tokens. These are not opportunistic attacks. npm is an established primary vector for state-level offensive operations.




    § 04 — The urgency

    The exploitation window has collapsed to hours

    There is one figure that reframes the severity of everything above. In 2018, the median time between a CVE being published and that vulnerability being actively exploited was 771 days. By 2021 it was 84 days. By 2023 it was five days. By 2024, exploitation was being measured in single-digit hours. Today, 25% of CVEs are exploited on the same day they are published.

    This collapse is AI-driven. Offensive actors are using large language models to parse CVE disclosures, generate proof-of-concept exploit code, and identify vulnerable targets at scale. The “patch it this sprint” strategy that was reasonable in 2020 is not viable in 2026.

    • 771 days: median time from CVE publication to exploitation, 2018
    • $4.44M: average data breach cost, IBM 2025
    • 25%: CVEs exploited on the same day as disclosure

    The Verizon 2025 Data Breach Investigations Report found that 30% of breaches now involve a third party — which, in most Node.js-heavy organisations, means a dependency. IBM’s Cost of a Data Breach 2025 puts the average identification time for supply chain breaches at 267 days. The September 2025 chalk attack was live for two hours. The gap between those two numbers is where breach damage actually happens.




    § 05 — The reframe

    Don’t panic. AI is already on your side — and winning

    Here is what the headlines tend to miss: the same capabilities that make AI dangerous as an offensive tool make it extraordinarily powerful as a defensive one. And defenders have something attackers fundamentally do not — full access to source code, architecture context, deployment configuration, and monitoring telemetry. AI amplifies that information advantage asymmetrically.

    Anthropic draws an explicit parallel to fuzzers. When fuzzing tools became widely available, the security community worried they would primarily benefit attackers. What actually happened: fuzzers became foundational defensive infrastructure, now integrated into virtually every major open-source project’s CI pipeline. Glasswing and Mythos Preview represent the next iteration of that same trajectory, at a significantly higher level of capability.

    “Over the last few months, we have stopped getting AI slop security reports. They’re gone. Instead, we get an ever-increasing amount of really good security reports.”

    — Daniel Stenberg, creator of cURL · The Register, April 2026

    Consider what the defensive AI landscape looks like right now. Google’s Big Sleep — a DeepMind and Project Zero collaboration — has found over 20 zero-days and directly foiled an active exploitation attempt on a SQLite vulnerability that attackers were already targeting. Kent Walker, Google’s President of Global Affairs, described it as the first time an AI agent directly foiled an active in-the-wild exploitation attempt. Google’s CodeMender has upstreamed 72 security fixes to open-source projects, rewriting entire vulnerability classes rather than patching individual bugs.

    AISLE found 12 out of 12 OpenSSL CVEs in a single January 2026 release — the first time any entity, human or automated, has achieved a complete sweep of an OpenSSL security release. AISLE is now integrated into pull request workflows for OpenSSL and cURL, catching bugs before they ship. OpenAI’s Aardvark achieves a 92% detection rate with continuous commit monitoring. Microsoft Security Copilot found 20 bootloader vulnerabilities across GRUB2, U-Boot, and Barebox — work that saved approximately one week of expert analysis time.

    cURL — present on an estimated 20 billion devices — found more vulnerabilities in Q1 2026 alone than in either of the two preceding full years. The reports Stenberg is receiving are not finding trivial surface issues. They are finding the deep, context-dependent flaws that pattern-matching static analysis tools have missed for decades.

    The defender advantage

    Defenders own the source code, architecture, and deployment context. AI amplifies this information asymmetry in your favour. The old “defenders must find all bugs, attackers need only one” calculus breaks when AI finds 12 of 12 CVEs in a single release sweep and integrates into every PR before code ships.

    Lawfare’s April 2026 analysis of the AI revolution in cyber conflict makes the structural argument clearly: AI excels at the detection and analysis tasks that favour defenders, while struggling with the deception, persistence, and strategic judgment that offensive operations require. Attackers must stay hidden. Defenders just need to be thorough.

    “The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI.”

    — Cisco, Project Glasswing launch statement · anthropic.com/project/glasswing

    The honest caveat — and credibility demands it be included — comes from IANS Faculty security analyst Rich Mogull: “The good guys have Mythos for now, but there really isn’t a moat around AI and we know adversaries will have similar capabilities eventually.” Project Glasswing is a temporary head start, not a permanent advantage. The window between defender access and attacker parity is not infinite. That is precisely why the urgency to act is measured in weeks, not quarters.




    § 06 — What to do

    Practical steps — without the panic

    You do not have access to Mythos Preview. You do not need it to meaningfully improve your security posture today. Here is what actually matters, split by role.

    For engineers

    • Run npm audit in your CI pipeline — as a gate that blocks on high severity, not just reports
    • Commit and enforce lockfiles (package-lock.json or yarn.lock). Non-negotiable in 2026.
    • Set ignore-scripts=true in .npmrc for CI/CD — prevents the entire class of postinstall RAT delivery shown in the Axios attack (CISA advisory)
    • Set min-release-age=7 in .npmrc — only install packages published at least 7 days ago
    • Subscribe to nodejs-sec for patch notifications
    • Integrate AI-powered SAST via the Claude Code Security Review GitHub Action or Snyk on every PR
    • Use npm ci (not npm install) in all CI/CD pipelines — it respects the lockfile exactly
    • Audit your IDE extensions. The GlassWorm campaign has placed 145+ malicious extensions in Open VSX. Disable auto-update and treat extensions as supply chain dependencies.

    For engineering leaders

    • Budget for AI-augmented AppSec tooling. ROI: ~$50 per AI finding run vs. $4.44M average breach cost
    • If you maintain critical open-source software: apply for Glasswing / Claude for Open Source access
    • Establish a dependency review process — treat package upgrades as code changes requiring security sign-off
    • Require npm audit gates in CI/CD that fail the build on high-severity findings, not merely report them
    • Frame third-party dependency risk at board level using the Verizon DBIR: the finding that 30% of breaches involve third parties is a governance issue, not just an engineering problem

    A practical note on the Claude Code Security Review GitHub Action: it runs on every pull request, analyses the full diff in context, provides severity ratings with remediation guidance, and includes false-positive filtering. Available today at no cost, integrates in under 30 minutes.




    § 07 — The closing paradox

    The window is narrow — but it is open

    Anthropic’s long-term thesis, stated explicitly in their Glasswing documentation: “Once the security landscape has reached a new equilibrium, we believe that powerful language models will benefit defenders more than attackers, increasing the overall security of the software ecosystem.”

    The honest qualifier is that this equilibrium is not here yet. Glasswing’s over-99% unpatched finding rate is not a failure — it is a demonstration of how far ahead AI vulnerability discovery has run from the human capacity to triage and remediate at scale. That gap is as much a coordination and prioritisation challenge as a technical one.

    The Node.js and npm ecosystem — 3.1 million packages, state-level adversaries, a self-replicating worm, and a 476% quarterly spike in malicious packages — is not a reason to stop building with Node.js. It is a reason to treat your dependency tree with exactly the same seriousness you apply to your own code. The tools to do that are here, improving every quarter, and most of them are free.

    “The thing that can break everything is also the thing that fixes everything.”

    — Picus Security, on the Glasswing Paradox · picussecurity.com

    The race is live. Defenders have a structural advantage. The only question is whether you act on it before the next chalk-scale event hits your dependency tree.




    References & further reading

  • Why Google Will Win the AI War – OpenAI Confirmed


    The Signal Everyone Missed

    On January 16, 2026, OpenAI announced ads in ChatGPT (OpenAI Blog). Most coverage framed this as logical monetization. I see it differently: this is the moment OpenAI officially entered Google’s arena.

    Sam Altman once called advertising in AI “uniquely unsettling” (Yahoo Finance). Now his company is testing ads “at the bottom of answers” for free-tier and Go subscribers, promising they won’t influence responses. The irony is thick. But the strategic implications are thicker.

    OpenAI has committed to competing directly on Google’s 25-year core competency. And in doing so, they’ve revealed the structural advantages that make Google’s eventual dominance almost inevitable.

    The January 2026 market data already tells the story. According to Similarweb, ChatGPT’s web traffic share dropped from 87% to roughly 65% in twelve months—the steepest decline for any dominant technology platform in recent memory (SecureITWorld). Meanwhile, Google Gemini surged from 5% to over 21%—a 237% increase. The distribution advantage isn’t theoretical anymore. It’s measurable.

    Why Google Was “Late”. It Wasn’t Incompetence

    Here’s a puzzle nobody asks: Why was Google—with infinite capital, the world’s largest data corpus, and the inventors of the transformer architecture—so late to consumer LLMs?

    Google published “Attention Is All You Need” in 2017, the foundational paper making modern LLMs possible. They had LaMDA running internally years before ChatGPT launched. They had more training data than any competitor could dream of.

    The answer isn’t incompetence. It’s strategy.


    In 2022, Google Search generated over $160 billion annually—57% of Alphabet’s total revenue. That revenue comes from showing ads when users express commercial intent. LLMs threaten this model at its core. When someone asks ChatGPT “best laptop for video editing,” they get a direct answer. No search results. No ad placements. The entire monetization layer disappears.

    Court testimony from Google’s antitrust trial revealed their ad chief stating “the writing is on the wall”—generative AI would eventually cannibalize Search revenue (Fortune). Google wasn’t slow because they couldn’t build an LLM. They were slow because building one meant accelerating destruction of their most profitable business.

    This is the textbook innovator’s dilemma (PYMNTS). The same trap that killed Kodak and Blockbuster.

    But here’s what’s different: Google survived the dilemma.

    The innovator’s dilemma has an expiration date. Once competitors force the market’s hand, the incumbent is freed from paralysis. The old business will be disrupted regardless. The question shifts from “should we disrupt ourselves?” to “how do we win the new paradigm?”

    OpenAI’s ad announcement is that expiration date.

    The Bifurcation: Google’s Masterstroke

    Here’s a strategic move that hasn’t received enough attention: Google is deliberately keeping Gemini ad-free.

    While OpenAI is forced to inject ads into its core chat product, Google is running a bifurcated strategy. AI Overviews in Search are being aggressively monetized—ads alongside AI Overviews rose from 3% to 40% through 2025, and Google claims they monetize at the same rate as traditional search results (Search Engine Journal). Meanwhile, the standalone Gemini app remains completely ad-free.

    Google’s VP of Global Ads confirmed this explicitly: “There are no ads in the Gemini app and there are no current plans to change that” (Search Engine Land).

    Think about what this means. OpenAI must monetize its chat interface—it has no separate cash cow to subsidize the product. Google can subsidize Gemini indefinitely with $200+ billion in annual ad revenue from Search. One analyst put it bluntly: “It is a luxury only Google can afford. They can bleed their competitors by keeping the barrier to entry artificially low” (Aragil).

    This is how incumbents with deep pockets win wars of attrition. You don’t outbuild the challenger. You make their business model unsustainable while yours remains intact.

    The Silicon Advantage Nobody Appreciates

    The AI discourse obsesses over benchmarks. Which model scores highest on MMLU? Who won the latest eval? These metrics generate headlines but obscure what actually determines winners: the cost of inference at scale.

    Training is a one-time cost. Inference—running the model to serve queries—scales linearly with usage. At 800 million weekly users having multiple conversations, inference costs reach billions annually before any revenue is generated.

    This is where Google has a structural advantage nobody fully appreciates: TPUs.

    Google released their first Tensor Processing Unit in 2015—a full decade ago. Unlike NVIDIA’s general-purpose GPUs, TPUs are application-specific chips designed from scratch for neural network operations. On January 27, 2026, the seventh-generation TPU—Ironwood—went generally available for Cloud customers (Google Blog).

    The economics are staggering. SemiAnalysis found the all-in total cost of ownership per Ironwood chip is roughly 44% lower than NVIDIA’s GB200 (SemiAnalysis). Ironwood delivers 4x better performance per chip for both training and inference versus the previous generation. At full scale, a single superpod of 9,216 Ironwood chips delivers 42.5 exaflops—more compute than the world’s largest supercomputer (Google Cloud).

    And here’s the recursive advantage nobody else can replicate: Google uses AI (AlphaChip) to design each new TPU generation. The hardware accelerates the research that designs better hardware. It’s a flywheel that compounds with every cycle.

    But performance is only half the advantage. The bigger factor is supply chain independence.

    OpenAI depends entirely on NVIDIA and external cloud providers. When GPU shortages hit, they wait. When NVIDIA raises prices, they pay. Google manufactures their own chips. They control their supply chain. Microsoft started custom chip development in 2019. Google started in 2013. That head start shows in software stack maturity and manufacturing relationships (AI News Hub).

    Perhaps the most telling validation came from an unexpected source: Anthropic—Google’s own competitor—committed to purchasing up to 1 million TPU chips in a deal worth tens of billions of dollars (CNBC). Over a gigawatt of capacity, coming online in 2026. When your competitor’s competitor chooses your silicon over the market leader’s GPUs, citing “price-performance and efficiency,” the argument is over.

    The Moats Nobody Can Cross

    Data: Consider what Google accesses. YouTube: 2 billion monthly users, 500 hours uploaded per minute. Android: 3 billion active devices. Search: 8.5 billion queries daily. Gmail: 1.8 billion users. This isn’t just volume—it’s 20+ years of human digital behavior across every domain, language, and demographic.

    OpenAI has ChatGPT conversations and web scrapes. Google has the comprehensive record of human digital life.

    Distribution: This was once theoretical. Now I have the numbers.

    In January 2025, Gemini held 5% of web traffic among AI chatbots. By January 2026: over 21%. That’s 237% growth in twelve months, driven almost entirely by ecosystem integration—Gemini embedded in Search, Android, Chrome, and Workspace (AI Certs). In the same period, ChatGPT’s growth rate dropped to roughly 6% while Gemini’s MAU grew 30%. Gemini Pro subscriptions are growing 300% year-over-year compared to ChatGPT Plus at 155% (a16z).


    OpenAI must convince users to download an app, create an account, change behavior. Google has AI embedded everywhere users already are. AI Overviews alone now reach 2 billion monthly users. The distribution gap isn’t closing. It’s widening.

    More importantly, Google captures commercial intent. When someone searches “best laptop under $1500,” they’re often ready to buy. Advertisers pay premium rates for this attention. ChatGPT conversations often lack this commercial context—users seek information, not purchase decisions. Commercial queries triggering AI Overviews doubled from 8% to nearly 19% through 2025 (Search Engine Land). Google is turning AI into a commerce engine. OpenAI is still figuring out where to put the banner.

    The Financial Reality

    Numbers don’t lie. And OpenAI’s numbers tell a brutal story.

    Internal projections show OpenAI expects a $14 billion loss in 2026—roughly triple this year’s losses (Yahoo Finance). The cash burn rate holds steady at 57% of revenue through 2026 and 2027. Cumulative cash burn is now projected at $115 billion through 2029—revised upward by $80 billion from earlier estimates (The Decoder).

    The company has committed $1.4 trillion in infrastructure spending over eight years. To fund this, OpenAI needs revenue growth that would rival Google’s own historic trajectory—and they need to achieve it while competing against Google (Carnegie Investment Counsel).

    For context: only 5-8% of ChatGPT’s 800 million weekly users pay for a subscription. The remaining 92-95% are a massive cost center. Advertising isn’t a strategic choice for OpenAI. It’s an existential necessity.

    Compare this to Anthropic, which expects to drop its burn rate to 9% of revenue by 2027 (Fortune). Or Google, which funds its entire AI operation from $200+ billion in annual ad revenue while maintaining 25%+ operating margins. OpenAI is bringing a credit card to a knife fight—and the card is maxed out.

    The Convergence

    Here’s my thesis assembled:

    The AI industry is converging on advertising-supported consumer services. OpenAI’s announcement makes this explicit. In advertising businesses, unit economics determine winners. The company serving users most cheaply while delivering the best targeting wins.

    Google has structural advantages in every factor that matters:

    Silicon: Ironwood TPUs deliver 44% lower TCO than NVIDIA’s best. Even competitors like Anthropic chose Google’s chips—committing to 1 million TPUs worth tens of billions.

    Data: Twenty years of user behavior across Search, YouTube, Android, and Gmail create an unmatched training and targeting corpus that no amount of funding can recreate.

    Distribution: Gemini surged from 5% to 21% market share in one year through ecosystem integration alone. AI Overviews reach 2 billion monthly users. Commercial keyword coverage doubled.

    Monetization: Google keeps Gemini ad-free while monetizing AI Overviews at parity with traditional search—a bifurcation strategy only a $200B ad business can afford.

    Financial position: Google generates profit while investing. OpenAI projects $14 billion in losses for 2026 alone, with $115 billion in cumulative burn through 2029.

    These advantages are structural, not temporary. Competitors cannot catch up on silicon (decade-long development cycles), data (historical data cannot be recreated), distribution (network effects compound), or financial reserves (OpenAI needs to raise capital continuously just to operate).

    OpenAI is now competing directly in Google’s core competency with inferior infrastructure economics and a balance sheet that’s hemorrhaging cash. It’s as if a chess prodigy decided victory required challenging Magnus Carlsen to a boxing match—while carrying a mortgage.

    The Long Game

    Google was late to consumer AI not because they couldn’t build it, but because they understood—better than anyone—what building it meant for their core business. They waited while competitors validated the market, absorbed the innovator’s dilemma in their stock price, and built structural advantages in silicon, data, and distribution.

    Now the dilemma is resolved. OpenAI has committed to an ad-supported model. The market has spoken.

    The AI war will not be won by the company with the best benchmark scores. It will be won by the company that serves users most cheaply, monetizes most effectively, and reinvests the surplus most productively.

    That company is Google. The market just hasn’t fully priced it in yet.


    This analysis represents my technical assessment based on publicly available information. I hold no positions in the companies discussed.