Mozilla's Firefox 150 Ships with 151 Bugs Squashed, but Discord Crew Already Weaponized Leaked Mythos AI

Mozilla rolled Firefox 150 out this week carrying patches for 151 bugs that had never been reported. Anthropic’s yet-to-ship Mythos model, running inside a sealed red-team environment, produced the findings. Twenty-two of the issues reached the highest severity tier; the rest were medium- and low-risk crashes or memory-safety gaps. All fixes landed in the release branch before the browser shipped to the public.

Mozilla handed Anthropic a static export of the Firefox codebase plus a fuzzing harness that can replay every parser path a webpage can trigger. Mythos then spent roughly 48 hours generating test cases, crashing the browser thousands of times, and auto-triaging the root causes. Engineers at Mozilla reviewed each ticket, confirmed reproducibility, and rewrote the vulnerable code. The whole loop, AI finds, humans verify, patches land, took three weeks.

Firefox CTO Bobby Holley calls the exercise proof that defenders still hold the edge: the same tooling that can weaponize a flaw can also neuter it before release. Mozilla argues that scaling bug discovery simply moves the arms race earlier in the pipeline, giving maintainers time instead of attackers. The bigger risk, Holley warns, is developer disruption: teams must learn to triage AI-generated reports without drowning in noise.

Anthropic's tight lid on Mythos slipped harder than first reported. A leaked debug token didn't just sit unused. Fortune AI reports a Discord group calling themselves "Mythos Underground" spent 11 days with live access before Anthropic noticed. They didn't just poke around. They built tooling. They found 14 fresh zero-days across Signal, Telegram, and three major VPN clients. They streamed the exploits live to 2,400 viewers. Anthropic's "no evidence of misuse" line looks quaint now.

The company revoked the token, sure. But the genie bolted. Fortune tracked down "cyberheretic," the Discord user who built the Mythos-to-Metasploit bridge. He claims the group shared exploit templates with 80+ members before the shutdown. Anthropic now admits the breach lasted longer than initially disclosed (11 days vs 3) and involved more users (hundreds vs "a tiny whitelist"). Their staged "Project Glasswing" rollout faces new scrutiny from AWS, Apple, and Microsoft partners who didn't sign up for this PR nightmare.

Holley's "defenders hold the edge" argument just got stress-tested in public. Mozilla engineers are now racing to patch the same codebase against exploits that Mythos found after its escape. The Firefox team won't confirm how many of the Discord group's zero-days target their browser, but they're quietly pushing nightly builds with fixes that weren't in the original 150 release. The arms race didn't move earlier in the pipeline. It just went multiplayer.