I can't currently see how they can release without it causing way more chaos than help. Scanning your own code is a useful security tool, but being able to scan others is basically an exploit finder, which against open source is impossible to police.
Not that you really want to stop open source contributors from getting help from contributor forks anyway, although like the article says you then end up with overloaded maintainer(s) who can't keep up or triage legit issues easily.
It all seems like a hard product to monitize, easy on corporate code maybe, but in open source maintainers have to pay for scans that will give them more to do, or risk exploitors getting some big zero days very cheap. Starts to feel a bit mafia protection racket somehow.
Maybe they'll just decide not to care about the impact as someone else will do it anyway? Maybe they continue their surprisingly slow role or to responsibly bring it up. Maybe there's a clever project to tell if code is a fork even if you obscure it, or they'll make something that will only give you the patches not the problem... I'd love to be a fly on the wall for their risk analysis of the whole situation.
I think they already did that on the 23rd.
https://fortune.com/2026/04/23/anthropic-mythos-leak-dario-a...
I can't currently see how they can release without it causing way more chaos than help. Scanning your own code is a useful security tool, but being able to scan others is basically an exploit finder, which against open source is impossible to police.
Not that you really want to stop open source contributors from getting help from contributor forks anyway, although like the article says you then end up with overloaded maintainer(s) who can't keep up or triage legit issues easily.
It all seems like a hard product to monitize, easy on corporate code maybe, but in open source maintainers have to pay for scans that will give them more to do, or risk exploitors getting some big zero days very cheap. Starts to feel a bit mafia protection racket somehow.
Maybe they'll just decide not to care about the impact as someone else will do it anyway? Maybe they continue their surprisingly slow role or to responsibly bring it up. Maybe there's a clever project to tell if code is a fork even if you obscure it, or they'll make something that will only give you the patches not the problem... I'd love to be a fly on the wall for their risk analysis of the whole situation.
Incredibly misleading title, practically click bait.