Slicast
Monday, June 29, 2026
EN·DarkSubscribe
Slicast
AI Infrastructure · News & Analysis
HomePolicyReport
Policy · Report

Security research warns summer 2026 sees spike in AI-discovered vulnerabilities as ML tools find hidden software flaws at scale.

AI-augmented discovery accelerates security incident response burden on critical infrastructure; validates cybersecurity capex as necessary AI offset.
Trade pressSlicast · June 28, 2026 · Global · Source: The Register
importance 65

A "messy" summer awaits security teams tasked with fixing vulnerabilities in open source code, according to Dan Lorenc, CEO and co-founder of Chainguard, a software supply-chain security company. Chainguard is spearheading Athena, a newly formed coalition of roughly two dozen companies committed to using AI to prevent attacks on open source software and make bug-finding and fixing "as easy to consume as possible."

Founding members include BNY, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTM, and PwC. Many of these companies also partner with Anthropic's Project Glasswing and OpenAI Daybreak, which grant access to advanced bug-hunting models. Athena accepts vulnerability findings from all frontier models and has already processed more than 20,000 findings and developed over 2,000 patches across 500 open source projects. The coalition's first wave of bug disclosures begins in roughly three weeks.

"This is going to be a messy summer for everyone," Lorenc told The Register. Skepticism persists about the capabilities of advanced frontier models like Anthropic's Mythos and OpenAI's GPT-5.5-Cyber, but the data is compelling. "The stats and data we're seeing are so scary – if you just keep running scans on the same libraries and same code, it just keeps finding more [vulnerabilities]. We haven't seen that curve start to bottom out yet."

The scale of the problem becomes apparent when running these models at the application level. Most modern applications contain roughly 95 percent open source code from third parties. When advanced models scan this code, they discover massive quantities of vulnerabilities in open source components that organizations cannot remediate on their own.

"You're finding thousands of these [bugs] at a time, and they're across tons of projects you didn't even know you were using before you ran this tool, and you don't even know how to contact the people, you kind of get stuck," Lorenc explained. The challenge intensifies because the time between a CVE's public disclosure and confirmed exploitation has essentially collapsed. "Then you're putting yourself at risk – and you were already at risk before you ran these scans, but no one else knew about it. In an unintended way, [AI] has created this pickle for everyone."

In May, Anthropic scanned more than 1,000 open source projects with Mythos Preview and identified an estimated 6,202 high or critical-severity vulnerabilities.

Athena operates as a clearinghouse for the vulnerability deluge. Member companies submit reports of bugs found in open source code through any frontier model. Chainguard deduplicates, correlates, and batches findings across entire libraries to address classes of vulnerabilities rather than individual flaws. Affected projects are hardened and made available to Athena members through Chainguard Libraries before public disclosure occurs a month later. For maintainers unable to develop permanent fixes, Athena assumes the role of "maintainer of last resort."

The Linux Foundation amplified this effort by announcing Akrites, an industry coalition established to defend open source software against AI-enabled threats. Akrites creates a shared Security Incident Response Team (SIRT) and standardized Coordinated Vulnerability Disclosure (CVD) process. Founding companies include Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, Nvidia, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler.

"As AI finds more vulnerabilities, the industry will rush to patch them. Without coordination, those fixes will fragment across different patches and forks, and maintainers who are already overwhelmed, unreachable, or haven't touched a project in years," Lorenc said. A dedicated SIRT gives maintainers a single partner for disclosure and remediation rather than fielding hundreds of uncoordinated reports. "Now the work is making sure there's always someone on the other end to catch them."

Read the original
In-depth analysis
CommentaryAWS G7 Instances Bring Blackwell to the Cloud — and Trainium May Be Going External
Related reports
PolicyUS government seeks to dismiss pollution lawsuit against xAI Colossus project, supporting Musk's mega-data center initiative.2026-06-26PolicyTrump administration defends xAI's Colossus data center project in court against environmental pollution lawsuit.2026-06-26PolicyAnthropic filed largest-ever model-distillation lawsuit against Alibaba, following suits against other Chinese AI companies.2026-06-26PolicyEuropean Commission issued preliminary ruling designating Amazon Web Services and Microsoft Azure as 'gatekeepers' under the Digital Markets Act despite neither meeting quantitative thresholds.2026-06-26PolicyEuropean Commission preliminarily designated Amazon Web Services and Microsoft Azure as digital market gatekeepers under the Digital Markets Act (DMA), imposing stricter interoperability and compliance obligations.2026-06-25
Security research warns summer 2026 sees spike… · Slicast