Risky Business #832 — Anthropic Unveils Magical 0day Computer God
April 8, 2026 | Host: Patrick Gray | Co-hosts: Adam Boileau & James Wilson
Episode Overview
This week’s Risky Business dives deep into the cybersecurity bombshell of the week: Anthropic’s unveiling of its Mythos AI model, an LLM built for unparalleled code analysis and vulnerability discovery. The hosts dissect what Mythos means for the security research field, implications for open-source software, and AI’s role in defending (and potentially breaking) modern systems. The episode also rounds up a wild week of critical vulnerabilities, relentless nation-state attackers (with a particularly close look at North Korean tradecraft), US government cyber policy missteps, and some much-needed comic relief at the expense of ill-conceived “secure” messaging apps.
Main Theme: Anthropic’s Mythos LLM – The Infinity 0day Machine
What Happened?
- Anthropic has previewed 'Mythos,' a generative AI model described as extraordinarily adept at finding software vulnerabilities, writing exploits, and “outperforming” many human bug hunters ([01:44]).
- Mythos has been run against large sets of open-source code and is so productive at discovering security bugs that Anthropic is restricting access due to safety concerns.
- A campaign, "Project Glasswing," will give select vendors (Microsoft, Apple, CrowdStrike, FFmpeg, etc.) preview access for triage and mass patching ([05:47]).
Key Insights & Reactions
LLMs Are Now Vulnerability Researchers
- Adam Boileau: “They appear to have hooked this Mythos LLM up to a whole bunch of code bases...It's found a heap ton of bugs so far...as good as high end humans at finding bugs.” ([01:44])
The End of Human-Centric Bug Hunting?
- James Wilson: “The concept of prompt engineering seems to be all but gone...it still hasn’t solved the problem of how do the defenders actually go about triaging this...All these fixes landing is probably going to give rise to the next wave of bugs anyway.” ([04:27])
- Patrick Gray: “I kind of feel like the job for vulnerability researchers in the future might be leveraging these models into finding stuff that is not one shotable until the next model. Right. So that’s going to be the job...” ([03:06])
Hype, Safety, and the Disruption to Security Work
- Patrick Gray: “Anthropic decided early on that its brand is very much around safety...AI is big and scary and can cause so many societal harms...it is sort of self serving...” ([06:29])
Exploit Dev Has No ‘Soul’: The Field Is Ripe for Automation
- Adam Boileau: “The funny thing for being a vuln hunter is the human touch doesn’t matter here. What matters is the shell out the other end…AI is actually going to be pretty good at replacing us. And that’s a crazy time.” ([08:22])
- Patrick Gray: “Exploits don’t need to have soul and suffering, right?” ([08:22])
What Next for Vendors?
- Rapid integration with QA, triage, and bug-fixing processes is now essential, as the FFmpeg and Project Glasswing examples illustrate ([05:47], [09:34]).
- Vendors may need to restructure software to be “Claude-friendly,” rethinking repo organization for AI-assisted auditing ([11:36]).
Notable Quotes
- Adam Boileau: “The Anthropic blog post…‘Ultimately, it’s about to become very difficult for the security community...We’ve spent the last 20 years in relatively stable security equilibrium.’ It’s like, excuse me? It’s been bonkers since the Internet...” ([08:22])
- James Wilson: “It even challenges some of the paradigms we were operating in in software engineering...for Claude to [reason with] your entire software suite, you kind of have to go back to putting all of these things into one repo.” ([12:43])
- Patrick Gray: “I can’t think of a bigger change in software development like ever…DevOps versus Waterfall: how is this even a conversation?” ([13:57])
Security News Highlights
1. Ongoing “Horror Show” Vulnerabilities ([09:34])
- Critical flaws in F5 (BIG-IP), React2Shell, Fortinet EMS
- Mass exploitation risks persist. AIs like Mythos could act as both cure and cause for more rapid discovery and patching.
2. Progress ShareFile Bug ([14:54])
- A classic admin-auth bypass, reminiscent of early-2000s mistakes, now present in modern systems.
- “Just a very funny...throwback from the old days of a bug.” — Adam Boileau ([14:54])
3. TrueConf Exploited by Chinese Intelligence ([15:43])
- Video conference platform with supply chain–like attack: backdoored client updates push malware to targets ([16:04])
- Used against government agencies; CISA issues two-week patch mandate.
4. Rowhammer Attacks on Nvidia GPUs ([17:25])
- Three independent research teams exploit Rowhammer on Nvidia GPUs, ultimately leading to privilege escalation on host systems—even with best-practice protections.
- “Privilege escalation via the GPU, even in the case where the IOMMU controls are turned on...pretty cool research...” — Adam Boileau ([17:25])
5. Axios NPM Package Supply Chain Attack ([18:41])
- North Korea’s Lazarus Group compromised Axios after weeks of elaborate phishing and social engineering.
- “It didn’t take much…very real looking Slack workspace…scheduled meetings—he went and installed it. And it’s just like, buddy…” — James Wilson ([19:21])
- Hosts caution against blaming the victim: “You’re not going to be thinking that, right?...That’s the whole point of spending weeks and faking websites.” — Patrick Gray ([20:32])
6. Drift DeFi Platform Heist: $280M Lost ([22:17])
- North Korean “tradecraft”: months-long infiltration, IRL meetings, and TestFlight/VSCode repo hooks for lateral movement and malware deployment.
- “They invested like a million bucks of their own money...months worth of prep—that’s a pretty high bar.” — Adam Boileau ([23:13])
- “They deployed TestFlight apps...if you even point your VS Code editor at it...scripts...run with zero user interaction.” — James Wilson ([23:37])
7. North Korean IT Worker Deep-dive
- Related: James interviews Geoff White (Lazarus Heist podcaster) on “fake IT workers” infiltrating the Western workforce ([24:48])
8. CISA Budget Cuts ([26:10])
- US cuts CISA budget by 30% ($707M), gutting vulnerability scanning, field support, and critical public-private liaisons.
- “You really do get the impression...trying to make it as dead as possible...” — Patrick Gray ([27:24])
- “It's just a massive own goal...there won't even be a CISA to talk about, I would imagine before long.” — James Wilson ([27:24])
- Occurs against rising Iranian and Chinese ICS/network attacks ([28:07], [28:50]).
9. Russian Home Router DNS Hijacks ([29:22])
- GRU hacks residential routers to redirect to fake Microsoft login pages: “...that doesn't feel particularly satisfying...I don't know why they're doing it.” — Adam Boileau ([29:49])
10. Healthcare Ransomware & Defense Improvements ([30:51])
- Even with persistent attacks, more healthcare orgs are able to absorb and mitigate incidents, reducing public outages.
- “We are probably getting better at more managed, more controlled...playbook responses...” — Adam Boileau ([32:06])
11. “Ghost Murmur”: Trump’s Disclosed Mystery Device ([33:02])
- NY Post reports on speculative US “quantum” heartbeat-detecting device, possibly real, possibly disinfo.
- “Built around microscopic defects in synthetic diamonds…if it's true...just been burnt because it's exposed its fundamental weakness.” — James Wilson ([34:15])
12. TeleGuard Secure Chat App Fails Hilariously ([36:06])
- Swisscows’ TeleGuard app: private keys sent to the server, rendering encryption useless—and sometimes even exposed to third parties via bugs.
- “If you want a brief smile in these otherwise very bleak times...details of the fail are most entertaining and rewarding.” — Adam Boileau ([36:06])
Sponsor Interview: Modern Enterprise KYC with Persona
James Wilson interviews Benjamin Chait (Persona Product) ([39:30]-[52:49])
Key Discussion Points
Enterprise Use Cases for KYC
- Not just “day one” verification — supports ongoing, multi-stage identity checks triggered by system access, device changes, or periodic compliance processes.
- Quote, Benjamin Chait: “We’re not just looking at the photo...we’re also looking at device, network...other security signals for a more robust check.” ([41:49])
Integration Is Critical
- Persona’s strength is flexibility — connects to multiple platforms (IAM, ATS, productivity tools) ([39:30]).
- Can tailor authentication depth and re-validation friction to risk/context (“selfie + ID” for high-risk, “nothing visible” for device checks).
Small Business Relevance
- Candidate validation and KYC are especially important for remote-first, small/medium enterprises who may lack built-in enterprise security guardrails ([50:39]).
Memorable Quotes & Moments
- “Exploit dev has no soul and suffering.” — Patrick Gray ([08:22])
- “Where’s the suffering? That’s an important part of goth music. We don’t have that in the exploit dev world.” — Adam Boileau ([08:25])
- “Literally table stakes at the moment now for any business that wants to remain relevant in this emerging landscape.” — James Wilson ([13:57])
- “How many times…a cybersecurity event...led to a bunch of interruption to service is because the company had to turn everything off because they didn’t have a plan...” — Adam Boileau ([32:06])
- “Private keys...just kind of ask the server for those private keys...the whole point of end to end crypto somewhat defeated.” — Adam Boileau ([36:06])
Timestamps for Key Segments
- 00:06–03:06 – Mythos model intro, AI's bug-hunting debut
- 04:27–09:34 – The end of prompt engineering, defense, and exploit dev existential angst
- 09:34–16:54 – “Horror show” vulnerability roundup: F5, Fortinet, Progress ShareFile, TrueConf
- 17:25–18:41 – Rowhammer vs Nvidia: GPUpwnage
- 18:41–24:48 – North Korean supply chain and DeFi tradecraft; Lazarus Heist (James’s interview plug)
- 26:10–28:07 – CISA budget slashed; US cyber policy ramifications
- 28:50–30:51 – Russian router hacks; Medical sector attack/defense update
- 33:02–36:06 – Ghost Murmur “quantum heartbeat finder”; Secure chat app fail (TeleGuard)
- 39:30–52:49 – Sponsor interview with Persona: modern identity verification for enterprises
In Summary
A landmark episode marking the arrival of the “AI-powered 0day apocalypse”: with Mythos, the security community faces a paradigm shift that may, paradoxically, benefit defenders and attackers in unpredictable ways. Alongside that, the relentless pressure from bugs, espionage campaigns, and the (self-inflicted) wounds of cyber bureaucracy showed that things will remain, in the words of the hosts, “utterly bonkers.”
