Much Sturm und Drang in the world of Open Source with the announcement that the "Mythos" AI is now the ultimate hacker and is poised to unleash havoc on every code base.
So should you close all your Open Source projects to make them safe?
No.
Firstly, all your Open Source code has already been slurped up.
It was all ingested for "training purposes" years ago. If it was moderately interesting then it was backed up by a digital hoarder. It has been archived by various digital libraries. Anyone who wants to do research on your code base already can.
Closing now doesn't meaningfully protect you.
Secondly, most of the security holes in your systems are probably not in your code. Vulnerabilities exist throughout your supply chain. Your dependencies - the OS, the libraries, and even the hardware - are all richer targets for attackers. Finding a CVE in a popular library is almost certainly more worthwhile than investigating your Open Source code.
The bigger risk comes not from subtle logic bugs but from phishers, poor password hygiene, and insider threats. Securing your existing systems provides more protection than rushing to close-source your code.
Finally, closing the source of something doesn't protect you. These new AI models can just as easily investigate your closed source systems and potentially penetrate them. It has always been possible to analyse websites and binaries. AI doesn't change that - although it might accelerate it.
Open Source does have risks but AI doesn't upend decades of evidence that closed-source is just as vulnerable to attackers.
In cases where the state creates code using public money, it has a responsibility to share that code. Automated threat analysis - even by hypercapable AI - doesn't change that.
I would strongly recommend reading the UK's AI Safety Institute's evaluation of Claude Mythos Preview’s cyber capabilities and the NCSC's advice. Neither of them recommends closing down Open Source code.
One thought on “Does Mythos mean you need to shut down your Open Source repositories?”
We were chatting about this at work today as it happens; the future of cyber-security will still be steeped in getting the basics right, closing all the doors, etc.
I do wonder how big companies will stand up to the dedicated focussed attacks AI enables though, guess time will tell. Feels like the horse on 'personal data' has already bolted, up next, every single file from your company directories?