Glasswing, Mythos, and the race to find bugs first
Plus: A ‘beam of light’ for EU sovereignty, & more
Hi folks,
This week’s lead story looks at Project Glasswing, an effort to bring frontier AI security tools into the hands of open-source maintainers (though not exclusively), as models like Anthropic’s Claude Mythos begin to uncover vulnerabilities that have gone undetected for decades.
Elsewhere, there’s a continued push toward open messaging infrastructure in Europe, new tools to secure AI agents, and a mix of projects and platforms shaping how open infrastructure is built and governed.
As usual, feel free to reach out to me with any questions, tips, corrections, or suggestions: forkable[at]pm.me.
Paul
<Open issue>
Glasswing brings frontier AI to open source security
Anthropic says its shiny new, cutting-edge Claude Mythos model has reached a level of coding and security capability where it can find and exploit software vulnerabilities that survived years — and in some cases decades — of human review.
While the ramifications of this are far-reaching, Mythos is a big deal for the open source world in particular. Through Project Glasswing, the Linux Foundation, Anthropic, and a group of large tech companies including Amazon, Apple, Google, and Microsoft are putting Mythos to work on defensive security across critical software systems, including widely used open-source projects.
Anthropic is committing up to $100 million in usage credits to the effort, alongside $2.5 million for Alpha-Omega and OpenSSF through the Linux Foundation, plus $1.5 million for the Apache Software Foundation.
“Open source security has historically been a thankless task,” The Linux Foundation’s CEO Jim Zemlin wrote. “Triaging and fixing bugs, writing and testing patches, crafting careful communications strategies – none of this is what maintainers had in mind when they sent their first project commit. We believe AI can help address this.”
Open source underpins much of the modern software stack, but many maintainers are already overwhelmed by bug reports, supply chain attacks, and AI-generated noise. Now they may also have to contend with AI systems that are exceptionally good at surfacing zero-days.
To underscore this point, Anthropic published a handful of examples. Mythos, it said, found a 27-year-old flaw in OpenBSD, a security-focused operating system.
In short, Glasswing isn’t just about AI helping create patches a bit faster. It’s about getting frontier defensive capability into the hands of maintainers before the same class of models is used more aggressively elsewhere.
Zemlin stressed that access — not just capability — will determine whether these tools actually help the open-source ecosystem.
“Because the dark side of AI-augmented security is AI-augmented insecurity, we must ensure that access to the best AI cybersecurity tooling is evenly distributed and not concentrated in the hands of the few with the cash and the headcount,” Zemlin noted. “None of this matters if the cost is prohibitive. Project Glasswing is designed to ensure that maintainers get access to these tools for free. This is the only way to foster wide adoption of top AI cybersecurity capabilities – by removing any economic friction.”
Read more: The New Stack & The Linux Foundation & Glasswing & Mythos Preview
<Patch notes>
A ‘beam of light’ for EU sovereignty
Belgium is rolling out a Matrix-based messaging app for government use, in a push toward digital sovereignty. The move leans on open protocols to reduce reliance on proprietary communication platforms.
Read more: Resilience Media
Microsoft open-sources agent security toolkit
Microsoft released the Agent Governance Toolkit, an open-source runtime security layer for AI agents. The project focuses on monitoring behaviour and enforcing guardrails as agents take on more tasks autonomously.
A ‘spiritual successor to WordPress’
Cloudflare has unveiled Emdash, a new open-source CMS positioned as a modern, serverless successor to WordPress. WordPress co-creator Matt Mullenweg said the project was likely designed to drive usage of Cloudflare’s own services, though overall he was complimentary about the project.
Read more: Cloudflare & GitHub & Matt Mullenweg
Google releases Gemma 4
Google has launched Gemma 4, the latest version of its open model family aimed at developers. The release continues Google’s push to provide smaller, more accessible models alongside its closed systems.
Read more: Google
Netflix goes into the VOID
Netflix has released VOID, an open-source model that removes objects from video — including their effects on the scene, such as shadows, reflections, and physical interactions. The model builds on CogVideoX and is fine-tuned for interaction-aware video editing in post-production.
Read more: Forbes & VOID (GitHub)
Meta shifts on open models
Meta this week introduced Muse Spark, its first frontier model and the first without open weights, marking a break from its earlier approach. The company says it still plans to release some models openly, though questions remain over how far that commitment will go.
Read more: Meta & Axios & The New Stack
Microsoft deactivates dev accounts
Microsoft deactivated two notable open source developer accounts as part of a new developer verification program, raising concerns about access and control over software distribution platforms. The move highlights ongoing tension between platform governance and open development.
Read more: The Register
<Final commit>
A DIY retro camera
An open-source camera project called Saturnix is gaining a little steam, built around a Raspberry Pi with a 16MP sensor and styled after point-and-shoot cameras from the 1990s.
It’s not a finished product you can buy. Instead, the creator has published the design files, code, and instructions, so users assemble it themselves using off-the-shelf parts like a Raspberry Pi, camera module, and custom 3D-printed case.
The appeal is in that setup: the software can be modified, and the hardware can be rebuilt or adapted as needed. It’s still early, but it offers a glimpse of what open hardware can look like when the full stack — from casing to code — is available to the user.