The AI that hacked every major browser

In Today’s 5-Minute AI Digest. You will get:

1. The MOST important AI News & research
2. AI Prompt of the week
3. AI Tool of the week
4. AI Tip of the week

…all in a FREE Weekly newsletter. 

THE HOOK

Anthropic announced a model last week that found thousands of zero-day vulnerabilities across every major operating system and browser — including a 27-year-old bug in OpenBSD — then chose not to release it. The same week, a one-person startup’s AI agent breached Bain & Company in 18 minutes, completing a hat-trick across all three MBB consulting firms. I think these stories are connected in a way that matters: the assumptions behind how most organisations secure their AI tools are due for a serious update.

AI NEWS ROUNDUP

1. Anthropic withholds Mythos Preview, launches Project Glasswing

Anthropic’s unreleased model discovered thousands of critical zero-day flaws — some decades old — across browsers, operating systems, and open-source projects. Rather than ship it publicly, they’re giving access to 12 partners (AWS, Apple, Microsoft, CrowdStrike) through Project Glasswing, plus $100M in credits for defensive work. The UK AI Safety Institute confirmed Mythos completes expert-level cybersecurity tasks 73% of the time.

What this means for you: Anthropic won’t be the only lab with this capability for long — the Stanford data shows the gap between frontier and open-source models is narrowing fast. When similar capabilities reach wider distribution, the offensive tooling available to attackers grows with them.
Read our Deep Dive article

Source: Anthropic / Fortune / AISI

2. Meta ships Muse Spark — proprietary, not open-source

Meta’s first model from Superintelligence Labs breaks with the company’s open-source identity. Code-named Avocado, Muse Spark features multi-agent orchestration and a “Contemplating mode” that deploys parallel sub-agents. Competitive on health and multimodal tasks; still trails on coding. If you’ve been building on Llama expecting Meta’s best work to stay open, that assumption is worth revisiting.

Source: Axios / TechCrunch

3. Stanford AI Index: adoption outpacing the internet

AI adoption is faster than any previous technology wave. But the infrastructure cost is staggering: 29.6 gigawatts of global power draw from AI data centres, and water use for GPT-4o alone may exceed drinking needs for 12 million people. Anthropic leads the model rankings. TSMC fabricates nearly every leading chip.

Worth asking: if your AI strategy depends on a single chip manufacturer and a power grid already running at capacity, how resilient is that really?

Source: Stanford HAI / MIT Technology Review / IEEE Spectrum

4. PwC: 74% of AI’s economic gains go to 20% of companies

A survey of 1,217 executives finds most businesses stuck in pilot mode while a small group converts AI into revenue. The gap isn’t between companies that use AI and those that don’t. It’s between companies that use AI for growth and those still running pilots. Worth asking how many of those pilots will ever move to production.

Source: PwC 2026 AI Performance Study

5. CodeWall completes MBB hat-trick — Bain breached in 18 minutes

A one-person startup’s autonomous AI agent has now breached all three elite consulting firms. Bain’s competitive intelligence platform fell to exposed JavaScript credentials and an unscoped SQL injection endpoint — giving access to 159 billion rows of consumer data across 11 databases. McKinsey and BCG fell in February and March. Same agent. Same class of bugs.

I’ll be blunt: these firms have dedicated security teams and substantial budgets. The vulnerabilities were basic — SQL injection, exposed endpoints. If your internal AI tools haven’t been tested for these attack vectors, it’s worth checking sooner rather than later.

Source: CodeWall / Financial Times

OUR INTERPRETATION

🔭 The annual security audit may be approaching obsolescence

The standard enterprise security model — annual penetration test, scoped to two weeks, delivered as a PDF — was designed for a world where attackers needed months to find and chain exploits. That assumption doesn’t hold any more. Not after this week.

My prediction: by Q4 2026, continuous autonomous security testing becomes a standard procurement requirement for enterprises deploying internal AI tools.

Here’s the reasoning. Enterprise buyers already require SOC 2 and ISO 27001 as procurement conditions. When a high-profile breach of an internal AI tool triggers regulatory scrutiny — and the CodeWall disclosures make that increasingly plausible — procurement teams will add continuous AI-specific testing to their vendor checklists. The pressure won’t come from CISOs. It’ll come from legal and procurement, the same way GDPR compliance did: what starts as a best practice becomes a purchasing checkbox within about 18 months.

The companies building this capability now will have a procurement advantage by Q4. The ones that treat this as a compliance update risk being the ones explaining the breach to their board.

Anyway — I’m curious. Has your organisation tested its internal AI tools for these attack vectors? Reply and let me know. I’m tracking how common this actually is.

THIS WEEK’S TOOLKIT

🎯 Prompt of the Week: The “AI Deployment Risk Scan”

I’ve been running a version of this against internal AI setups for a few weeks, and it’s surprisingly useful. If you deploy any internal AI tool, paste this into Claude or GPT-4 with a description of your setup:

You are a senior penetration tester reviewing an internal AI deployment. I will describe our setup. For each element, identify the attack surface, rate the risk (Critical / High / Medium / Low), and recommend one specific remediation step. Focus on: (1) authentication on API endpoints, (2) where system prompts are stored, (3) what data the AI can access, (4) whether outputs are logged and auditable, and (5) what happens if someone injects instructions through uploaded documents. Be direct — no reassurance, just findings.

The trick is the adversary framing. When you tell the model to act as a pentester, it stops being polite and starts being useful. Won’t replace a proper audit, but ten minutes with this will surface questions your team probably hasn’t asked yet.

🛠️ Tool of the Week: prompt-armor (open-source)

“An open-source firewall for LLM prompts. Five detection layers, 27ms, no LLM required.”

prompt-armor runs five analysis layers in parallel — regex, heuristic, semantic similarity, structural analysis, and anomaly detection — fused through a trained meta-classifier. Scores 91.7% F1 against 25,160 known attack patterns. Runs offline, Apache 2.0 licence. No API key, no per-request cost. pip install prompt-armor, point it at your input pipeline, and you’ll have a clearer picture within a day. (Novel attacks still get through — that’s worth knowing upfront.)

Rating: ⭐⭐⭐⭐ (4/5)

github.com/prompt-armor/prompt-armor

💡 Tip of the Week: Treat your system prompts like code, not config

This is one of those things that seems obvious once someone says it, but almost nobody does it. Most organisations store their system prompts in the same database their AI queries. That means anyone with database access can change how the AI behaves — no deployment pipeline, no CI/CD check, no review. The change is invisible unless you’re monitoring for it. McKinsey’s Lilli had 95 system prompts stored exactly this way.

The fix: version-controlled, access-restricted repositories. Treat prompt changes like code deployments: reviewed, approved, logged. If your tool doesn’t touch internal data, the risk is lower. But if it has database access or handles customer queries, prompt integrity is a security control — not a config preference.

YOUR MOVE

Three things you can do this week:

•       Run the audit prompt above against your internal AI tools. Ten minutes.

•       Ask your engineering team one question: where are the system prompts stored, and who has write access?

•       Forward this to whoever owns AI tool security at your organisation. They may not have seen the CodeWall disclosures yet.

Reply with what you find. I read every response.

— R. Lauritsen

P.S. The companion deep dive on Project Glasswing — what Mythos actually found, how the partner programme works, and what it means for enterprise AI security — is live now: iprompt.com/glasswing