Anthropic's Mythos AI Identifies 3,900 Critical Open Source Vulnerabilities; IBM Launches $5B Project Lightwell
Key Takeaways
- Anthropic's Mythos Preview identified nearly 3,900 high and critical-severity vulnerabilities in a single preview run, proving frontier AI models can operate at scales that exceed traditional security teams by orders of magnitude
- IBM and Red Hat's $5 billion Project Lightwell combines AI-assisted vulnerability detection with 20,000 engineers to systematically address the enterprise remediation gap
- The initiative backports security patches to production-pinned library versions, eliminating the friction and compatibility risk that traditionally delays patching across enterprises
Summary
IBM and Red Hat announced Project Lightwell on May 28, 2026—a $5 billion security initiative designed as a coordinated clearinghouse for enterprise open source software. The announcement was anchored by a significant technical milestone: Anthropic's Mythos Preview AI model identified nearly 3,900 high and critical-severity vulnerabilities in open source software during a preview run, demonstrating frontier AI's capacity to accelerate security vulnerability discovery at previously unachievable scales.
The initiative addresses a widening vulnerability crisis. CVE publications are projected to climb from 40,000+ in 2024 to 59,000 by 2026, yet the remediation gap—the delay between discovering a vulnerability and patching it across all affected production systems—continues to widen. More than 90% of Fortune 500 companies depend on open source software, but the projects powering critical infrastructure are often maintained by volunteers and underfunded teams unable to keep pace with AI-accelerated vulnerability discovery.
Project Lightwell deploys three complementary mechanisms: a secure intermediary allowing enterprises to report vulnerabilities before public disclosure (with fixes pushed upstream to benefit the broader ecosystem), automated backporting of patches to production-pinned library versions (eliminating forced upgrades and compatibility risk), and a hybrid human-AI model combining Mythos with 20,000 engineers from IBM and Red Hat for vulnerability triage, review, and deployment. Early adopters include Bank of America, BNY, and other major financial institutions.
- Major financial institutions have committed to early adoption, signaling strong enterprise demand for coordinated, AI-assisted open source security infrastructure



