- A security researcher built a full Chrome exploit chain using Claude Opus 4.6 for just $2,283 in API costs.
- The findings replicate the dangerous capabilities that led Anthropic to withhold its Mythos model from public release.
- The exploit targeted the same V8 engine version bundled in Anthropic’s own Claude Desktop app.
Anthropic’s most alarming AI research just lost its exclusivity. A security researcher has demonstrated that the company’s already-released Claude Opus 4.6 model—the predecessor to Thursday’s Opus 4.7—can develop functional exploit code targeting Chrome’s V8 JavaScript engine, reported The Register. The finding directly challenges Anthropic’s decision to withhold its more capable Mythos model over cybersecurity concerns.
Mohan Pedhapati, who goes by s1r1us and serves as CTO of security firm Hacktron, spent a week feeding prompts into Opus 4.6’s API. The process consumed 2.3 billion tokens and cost $2,283. The result: a working exploit chain that could “pop calc”—security-speak for gaining code execution on a target machine—on Chrome 138, which is nine major versions behind the current release.
The irony is hard to miss. The V8 vulnerability Pedhapati exploited came from Chrome 146—the exact version Anthropic’s own Claude Desktop runs on Electron. “The V8 out of bounds error we used was from Chrome 146, the same version Anthropic’s own Claude Desktop is running,” Pedhapati told The Register. The model Anthropic shipped publicly can hack the browser its own product depends on.
The Mythos Problem Just Became Everyone’s Problem
Anthropic’s decision to withhold Mythos Preview was supposed to be a responsible pause—an acknowledgment that AI-powered vulnerability research had crossed a threshold. The company’s own Opus 4.7 System Card states that “Opus 4.7 is roughly similar to Opus 4.6 in cyber capabilities” but comes with “safeguards that automatically” limit dangerous behaviors. Yet Pedhapati’s work shows the baseline capability already exists in models anyone can access through an API key.
The specific target matters. Pedhapati chose Discord as his demonstration platform because it runs on Electron 35—bundling Chrome 138, nine major versions behind the current release. Electron 41.2.1, released April 15, ships with Chrome 146.0.7680.188. But developers of Electron-based apps like Slack and Discord are notoriously slow to update their embedded Chromium versions, creating a widening attack surface that AI models can now exploit at scale.
“Whether Mythos is overhyped or not doesn’t matter,” Pedhapati said. “The curve isn’t flattening. If not Mythos, then the next version, or the one after that. Eventually, any script kiddie with enough patience and an API key will be able to pop shells.”
AI Exploit Development Shrinks the Patch Window
The economics are what make this dangerous. Pedhapati acknowledged that $2,283 is significant for an individual attacker but trivial for a nation-state or criminal organization—especially compared to the weeks it would take a human researcher to develop a similar exploit from scratch. AI-assisted vulnerability research doesn’t just lower the skill barrier; it compresses the timeline between vulnerability disclosure and weaponization.
“Every patch is basically an exploit hint,” Pedhapati argued, noting that open-source projects face particular risk because fixes often become publicly visible in code before revised binaries are distributed. The gap between a security patch landing on GitHub and end users receiving an automatic update is now wide enough for an AI to walk through.
The finding lands as Anthropic faces scrutiny over Mythos and the White House moves to give federal agencies access to the withheld model. The deliberately neutered cyber capabilities in Opus 4.7 now look less like a safety measure and more like a speed bump.
Anthropic declined to comment on Pedhapati’s findings when contacted by The Register. The company has previously stated that Mythos Preview demonstrated cyber capabilities “significantly beyond” publicly available models—a claim that Pedhapati’s $2,283 experiment complicates.
The exploit chain is documented in Pedhapati’s Hacktron blog post. Chrome 147.0.7727.101, released April 15, patches the vulnerability used in the demonstration.