On May 28, 2026, IBM and Red Hat announced Project Lightwell: a $5 billion commitment to secure open source infrastructure. The trigger was Anthropic's Mythos — a frontier AI model built for code security — which audited over 1,000 open source projects and identified 23,000 potential vulnerabilities. Anthropic estimates that roughly 6,200 of those are high- or critical-severity.

The number is big enough to produce a reflex: someone should fix this. That someone, if you run Linux infrastructure, containers, or any modern stack, is partly you.

What Mythos actually did

Mythos is Anthropic's Claude-based model tuned for vulnerability research. It is not IBM's tool — it was built by Anthropic as part of Project Glasswing, a closed initiative distributing Mythos Preview to roughly 50 partner organizations including security firms, tech companies, and government agencies. IBM and Red Hat are among those partners, and Project Lightwell is the enterprise response to what Mythos found.

[INTERNAL LINK: Anthropic Project Glasswing]

Mythos does not just run static analysis against known CVE databases. Anthropic describes it as performing contextual code review, tracing dependency chains, and flagging exploitable paths — not just the presence of a known-bad function call. It has already demonstrated this in practice: documented finds include a 27-year-old OpenBSD TCP vulnerability, a 17-year-old FreeBSD NFS remote code execution flaw, and a 16-year-old FFmpeg H.264 codec bug.

The distinction from traditional SCA tools matters. Trivy, Grype, Snyk: these match package versions against advisory databases. They are fast and they work, and they will happily walk a lockfile or an image's package database three layers down, but they can only report a vulnerability that already has an advisory. A bug nobody has filed a CVE for, whether in a direct dependency or in a library your libraries use, is invisible to them. Mythos is positioned to find exactly those, at scale.

What the 23,000 number actually means

The 23,000 figure is potential vulnerabilities flagged by Mythos. Of those, 1,900 have been reviewed by external security firms, and 1,726 have been confirmed as valid, a true positive rate of roughly 91%. Of the confirmed findings, over 1,000 are rated high or critical.

The 6,200 figure is Anthropic's projection for the full scan — how many high- or critical-severity findings the complete audit is expected to reach as more of the 23,000 are reviewed. The IBM press release cites a more conservative interim number: nearly 3,900 high- or critical-severity vulnerabilities identified so far.

6,200 projected high or critical findings across 1,000+ projects averages to roughly six per project. That is not a useful number on its own. The distribution is what matters: a few widely-used foundational libraries with many criticals represent a different class of problem than many niche tools each with one. IBM has not published the project-by-project breakdown. Coordinated disclosure is underway, so findings go to maintainers before they go public.

What Project Lightwell actually does

Project Lightwell is IBM and Red Hat's enterprise response to the Mythos findings. It has three components:

A clearinghouse model. IBM will establish a coordination layer that validates patches, manages upstream disclosure, and handles lifecycle management — so enterprise users get vetted fixes, not just raw CVE advisories.

20,000+ engineers. IBM is deploying a global force of engineers augmented by AI to conduct vulnerability triage, review, and secure patch development across open source ecosystems.

Commercial subscriptions. Within 30 days of the announcement, IBM plans to offer enterprises a way to integrate secure patches directly into their existing supply chains. Early adopters already include Bank of America, Goldman Sachs, JPMorganChase, Mastercard, and several other major financial institutions.

[INTERNAL LINK: supply chain security]

What this means for a DevOps engineer running production

Three things to actually do:

Run your own scan now, before the Lightwell disclosures start. When IBM begins publishing findings, your incident queue will fill up with CVEs that other people told you about. Get ahead of it. Trivy against your container images, Grype against your dependency manifests, OWASP Dependency-Check if you have a JVM stack. You will not catch everything Mythos might find, but you will catch what you have not looked at yet.

# Scan a container image (OS packages and language lockfiles in every layer)
trivy image --severity HIGH,CRITICAL your-registry/your-image:tag

# Scan a filesystem or repository checkout
trivy fs --severity HIGH,CRITICAL /path/to/repo

Audit your transitive dependencies. Most teams have a clear picture of their direct dependencies. The transitive ones — libraries your libraries use — are where the quiet risk lives. npm audit, pip-audit, cargo audit, and mvn dependency:tree are entry points. For container workloads, scan the full image, not just your code layer.

Watch the ingestion pipeline. If you pull base images from Docker Hub, packages from PyPI, or build artifacts from GitHub Actions, you are trusting those supply chains. Lightwell's scope includes many of the foundational projects in those chains. When a critical finding goes public for a project in your stack, you need to know within hours, not days. Configure something — Dependabot, Renovate, a Trivy nightly scan in CI — that tells you before your production systems tell you in a more dramatic way.
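The three steps above, wired together as an added example (this is not code from the article, from IBM, or from Anthropic): a small Python gate that reads a Trivy JSON report, fails the build on HIGH or CRITICAL findings that have a fix available, keeps unfixed ones on a tracking list the way `--ignore-unfixed` would, and annotates each hit with how deep it sits in your dependency tree so you can see at a glance whether it is something you chose or something three layers down. The field names follow Trivy's JSON report (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the report, the dependency graph, the package names and the finding ids are all constructed placeholders.

```python
"""Gate a CI build on a Trivy JSON report and show how deep each hit sits in the
dependency tree.  Added example: the field names are Trivy's, but the report and
the graph below are constructed, not real scan output."""
import json
from collections import deque

# Constructed sample in the shape of `trivy image -f json`: Results[].Vulnerabilities[]
# carrying VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity.
# Package names and finding ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.0",
    "Results": [
        {"Target": "registry.example/app:1.0 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
              "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libminor",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "deep-parser",
              "InstalledVersion": "3.1.0", "FixedVersion": "3.1.1", "Severity": "HIGH"}]},
    ],
})

# Constructed dependency graph (package -> what it pulls in).  In practice build it from
# `npm ls --all --json`, `pipdeptree --json` or `mvn dependency:tree` output.
SAMPLE_GRAPH = {
    "app": ["web-framework", "libexample"],
    "web-framework": ["http-core"],
    "http-core": ["deep-parser"],
    "deep-parser": [],
    "libexample": [],
}


def dependency_depth(graph, root):
    """Breadth-first walk from root. Depth 1 is a direct dependency, 2+ is transitive."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def triage(report_json, graph, root, fail_on=("HIGH", "CRITICAL")):
    """Return (findings, blocking, tracked).

    blocking: gating severity with a fix available -> fail the build, bump the version.
    tracked:  gating severity but no fix yet -> report and watch for the upstream fix,
              the same split `trivy --ignore-unfixed` makes, rather than blocking every
              build until a maintainer ships one.
    """
    report = json.loads(report_json)
    depth = dependency_depth(graph, root)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            d = depth.get(v["PkgName"])
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v["InstalledVersion"],
                "severity": v["Severity"],
                "fix": v.get("FixedVersion") or None,
                "depth": d,  # None when the package is not in our graph (e.g. an OS package)
                "where": "direct" if d == 1 else ("transitive" if d else "unmapped"),
            })
    blocking = [f for f in findings if f["severity"] in fail_on and f["fix"]]
    tracked = [f for f in findings if f["severity"] in fail_on and not f["fix"]]
    return findings, blocking, tracked


if __name__ == "__main__":
    import sys
    findings, blocking, tracked = triage(SAMPLE_REPORT, SAMPLE_GRAPH, "app")
    for f in findings:
        print(f"{f['severity']:<9}{f['id']:<14}{f['pkg']:<13}{f['where']:<11}fix={f['fix'] or '-'}")
    print(f"blocking={len(blocking)} tracked={len(tracked)}")
    sys.exit(1 if blocking else 0)
```

Feed it a real report with `trivy image -f json -o report.json your-image:tag`, build the graph from your package manager's tree output, and run it from the nightly job mentioned above; the non-zero exit on the blocking list is what turns a scan into a gate, and the tracked list is the one to re-check when Lightwell disclosures and upstream fixes start landing.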

The maintainer problem Lightwell cannot solve

IBM is committing $5 billion. That will move things. What it will not change is the fundamental economics of open source maintenance.

Most of the projects in Lightwell's scope are maintained by people who are not paid to do security work. A critical finding from Mythos arriving in your inbox when you have two hours a week to work on the project is not the same as a critical finding arriving in a team with a security engineer on retainer.

The fixes will happen. They will not happen fast enough for all of them. And they will depend on maintainers choosing to engage rather than walking away from a project that is suddenly more work.

This is the part that $5 billion in tooling does not fix. What would fix it is funding maintainers directly. The Sovereign Tech Agency does this — their Fellowship program supports individual open source maintainers, and in 2026 alone they distributed a €1.28 million grant to KDE. OpenSSF's Alpha-Omega project funds security work directly in critical projects; they have distributed over $20 million across more than 70 grants, and in March 2026 received a fresh $12.5 million from Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI combined. If your organization depends on open source — and it does — contributing to those mechanisms is not charity, it is supply chain risk management.

[INTERNAL LINK: open source funding]

My read on Project Lightwell

IBM and Red Hat are doing real security work here. The Mythos audit is genuinely useful at a scale no manual effort could reach, and the 90%+ true positive confirmation rate suggests the findings are not noise.

The $5 billion framing is a press release number. The actual question is how many of those projected 6,200 critical findings get patched by maintainers who have the time and support to do it. That answer will emerge over the next 12 to 24 months, not in a press release.

In the meantime: scan what you run. Know your dependencies. Watch the disclosures when they come. The scan is done. The review and the remediation are just starting.


Sources: IBM Project Lightwell announcement, May 28, 2026; Red Hat press release: Project Lightwell; Anthropic: Mythos detected 23,000 potential vulnerabilities — SecurityWeek; Anthropic red team blog: Mythos Preview; OpenSSF Alpha-Omega; Sovereign Tech Agency