In the midst of ongoing discussions about Anthropic’s new AI models, Mythos and Project Glasswing, a significant cybersecurity threat has emerged. A security researcher has successfully leveraged Claude Opus to create a functional exploit chain targeting the V8 JavaScript engine used by Google Chrome.
This experiment moves beyond theoretical concerns, demonstrating a critical vulnerability in modern software known as the patch gap. Many popular desktop applications, including Discord, Notion, and Slack, rely on the Electron framework, which incorporates Chromium builds that often lag behind official Chrome updates. This delay leaves users vulnerable to known exploits.
Exploit Targets Discord’s Chrome Engine
The test focused on the Discord desktop application, which was using an outdated version of Chrome, specifically version 138. Given that Discord’s main window lacks sandbox protections, only two vulnerabilities were needed to complete the exploit chain, bypassing the need for an additional sandbox escape.
Claude Opus was tasked with developing the exploit using specific unpatched vulnerabilities. The AI effectively chained two complex flaws to achieve Remote Code Execution (RCE). The first, CVE-2026-5873, involved an out-of-bounds read/write vulnerability in V8’s Turboshaft compiler for WebAssembly. The second was a Use-After-Free flaw in the WebAssembly Code Pointer Table, allowing the exploit to escape the V8 sandbox.
Challenges in Automation
Despite the success, the process was not fully autonomous. The researcher reported that extensive human intervention was necessary to guide Claude Opus. The AI struggled with maintaining context during extended interactions and often speculated on memory offsets instead of confirming them.
Over the course of a week, the experiment consumed about 2.3 billion tokens, involving 1,765 requests and costing approximately $2,283. The researcher had to continually reintroduce the debugger to keep the AI on track, highlighting the current limits of AI in exploit development.
Implications for Cybersecurity
The economic implications of AI-assisted exploitation are notable. The cost and effort to produce a reliable Chrome exploit are significantly lower than the potential payout from commercial bug bounties or underground markets. This experiment serves as a warning to the cybersecurity industry about the evolving threat landscape.
As AI models advance with enhanced reasoning and coding capabilities, the barrier to creating sophisticated exploits will diminish. The growing gap between automated exploit generation and slow vendor patch cycles poses a risk of empowering less sophisticated threat actors to compromise vulnerable software on a large scale.
Stay updated with the latest cybersecurity developments by following us on Google News, LinkedIn, and X. Contact us to feature your stories.
