Important heads-up to FOSS maintainers by Daniel from curl:

"Any project that has not scanned their source code with AI powered tooling will likely find huge number of flaws, bugs and possible vulnerabilities with this new generation of tools."

Since I'm working for Alpha-Omega currently, please reach out to me if you could use some support regarding this. We're setting up various programs to help FOSS maintainers in the times of "high-quality chaos".

https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/

Mythos finds a curl vulnerability

yes, as in singular one. Back in April 2026 Anthropic caused a lot of media noise when they concluded that their new AI model Mythos is dangerously good at finding security flaws in source code. Apparently Mythos was so good at this that Anthropic would not release this model to the public yet but instead …

daniel.haxx.se
@mechko Is any open source project in scope? If I maintain an open source project, can I just ask you to run it against my project?

@js We're focussing on prevalent projects currently, like the ones which are widely used.

@mechko So I take that as a no and you reach out to projects?

@mechko in other words, the cURL codebase is, with apologies to Douglas Adams, “Mostly Bugless”?

@mechko The only thing that's surprising is that it found only one vulnerability. Curl is a monster of a package with huge numbers of dependencies.

@eliotlear @mechko and another good point, the tooling doesn't find new classes of exploits or new approaches to break code.

Lots of old and familiar kinds of holes to go through, still.

@eliotlear @mechko the blog talks about why that is; because it's already been security analysed by many models. The conclusion Daniel reaches is (my paraphrase) LLM models really are good for security analysis, but Mythos is overhyped, and not much better than the other models they've already used.

@mechko Do you know why it took so long for curl to get access to Mythos? Is there a long line of projects waiting...?