On May 28, 2026, IBM and Red Hat announced Project Lightwell — a $5 billion commitment to secure open-source software supply chains using frontier AI capabilities. The catalyst was Anthropic's Mythos AI model, which in a preview run scanned open-source codebases and identified nearly 3,900 high- or critical-severity vulnerabilities. IBM CEO Arvind Krishna identified Mythos as "the critical triggering factor" behind the investment.
Project Lightwell represents the largest known investment specifically targeting open-source software supply chain security — a space that underpins virtually every enterprise software stack on the planet.
What Mythos Can Do
Anthropic's Mythos model introduces capabilities that go well beyond traditional static analysis:
- Vulnerability chaining: Mythos can autonomously identify a series of individually minor flaws and combine them into a viable attack path. It demonstrated this by chaining multiple Linux kernel flaws to achieve a full privilege escalation from regular user to root.
- Binary analysis without source code: Mythos can analyze compiled binary code without access to original source, making legacy systems and software with lost source code newly auditable — and newly vulnerable to AI-assisted attackers using similar models.
- Scale: IBM projects 59,000 CVEs will be identified in 2026 alone, while estimates suggest 500,000 additional vulnerabilities are quietly fixed by open-source maintainers each year without ever receiving formal CVE designations.
Project Lightwell's Structure
The initiative will operate as a subscription-based patching clearinghouse, backed by more than 20,000 IBM and Red Hat engineers. Using AI to validate and test fixes at scale, it will deliver secure patches directly into enterprise software supply chains.
Early adopters already collaborating on the initiative include: Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo — suggesting the financial sector is treating AI-accelerated vulnerability discovery as a systemic risk requiring coordinated response.
The Disclosure Crisis
Project Lightwell has surfaced a significant coordination challenge that the security community has not yet solved. As of late May 2026, Anthropic had disclosed 1,596 vetted vulnerabilities to maintainers across 281 open-source projects — yet only 97 had been patched, a fix rate of approximately 6%.
The standard 90-day coordinated disclosure window was designed for human-speed discovery, not an AI model capable of scanning 1,000 codebases per month. Some open-source maintainers have already asked Anthropic to slow its disclosure rate because they cannot keep up.
This creates a dangerous window: vulnerabilities have been disclosed to maintainers but remain unpatched, and the existence of the disclosure program signals to adversaries that significant unpatched flaws exist across the open-source ecosystem.
A Brief Shutdown and What It Signals
On June 12, 2026, Mythos 5 and Claude Fable 5 were briefly subjected to a Commerce Department emergency export-control directive, forcing Anthropic to shut down both models globally within 90 minutes before restrictions were later lifted. The incident illustrates how frontier AI models capable of autonomous vulnerability discovery are now being treated as dual-use technologies subject to national security oversight — the same category as advanced weapons systems and encryption tools.
As AI models grow more capable at finding and chaining vulnerabilities faster than humans can patch them, the industry faces a fundamental tension: the same tools that can dramatically improve supply chain security can also dramatically lower the barrier for adversaries who gain access to comparable capabilities.