{"id":12507,"date":"2026-04-22T14:55:09","date_gmt":"2026-04-22T14:55:09","guid":{"rendered":"https:\/\/www.europesays.com\/ai\/12507\/"},"modified":"2026-04-22T14:55:09","modified_gmt":"2026-04-22T14:55:09","slug":"anthropics-claude-is-pumping-out-vulnerable-code-cyber-experts-warn","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ai\/12507\/","title":{"rendered":"Anthropic\u2019s Claude Is Pumping Out Vulnerable Code, Cyber Experts Warn"},"content":{"rendered":"<p>This is the online edition of The Wiretap newsletter, your weekly digest of cybersecurity, internet privacy and surveillance news. To get it in your inbox, <a href=\"https:\/\/www.forbes.com\/newsletter\/thewiretap\/#194e252376cf\" target=\"_self\" class=\"color-link\" title=\"https:\/\/www.forbes.com\/newsletter\/thewiretap\/#194e252376cf\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/newsletter\/thewiretap\/#194e252376cf\" aria-label=\"subscribe here\" rel=\"nofollow noopener\">subscribe here<\/a>.<\/p>\n<p>In March, developers at Ohio-based cybersecurity company TrustedSec were regularly using Anthropic\u2019s premium Claude Opus model to speed up app development and generate attacks to test client defenses. But in recent weeks, they\u2019ve stopped using it. <\/p>\n<p>Performance dropped so sharply in the weeks after the release of Opus 4.6 in early February that the model began introducing \u201cserious defects and security issues,\u201d says TrustedSec CEO and former NSA analyst Dave Kennedy. <\/p>\n<p>\u201cRight now, from five weeks ago to today, the code quality is over 47.3% worse than when it was first released,\u201d Kennedy tells Forbes. 
\u201cIt\u2019s really bad, I mean unusably bad.\u201d That figure comes from a tool he built to test Claude\u2019s quality, which tracks code quality, bugs, security issues and whether it completes a coding job from start to finish without problems.<\/p>\n<p>The ultimate risk, he says, is that novice developers using Claude for coding won\u2019t spot flaws, \u201cintroducing serious defects.\u201d \u201cIt\u2019s very alarming,\u201d he says. Kennedy says Opus 4.7, the latest model, was \u201cmarginally better\u201d but still not at the quality level of 4.6 when it was released.<\/p>\n<p>In recent weeks, scores of once-happy Anthropic customers have flocked to Reddit and X to vent similar frustrations. It\u2019s not just programmers experiencing usability issues. An AI executive at chipmaker AMD <a href=\"https:\/\/www.theregister.com\/2026\/04\/06\/anthropic_claude_code_dumber_lazier_amd_ai_director\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/www.theregister.com\/2026\/04\/06\/anthropic_claude_code_dumber_lazier_amd_ai_director\/\" data-ga-track=\"ExternalLink:https:\/\/www.theregister.com\/2026\/04\/06\/anthropic_claude_code_dumber_lazier_amd_ai_director\/\" aria-label=\"wrote on Github\">wrote on GitHub<\/a> that her team had seen Claude\u2019s thinking become so \u201cshallow\u201d that it \u201ccannot be trusted to perform complex engineering tasks.\u201d<\/p>\n<p>Analyses from coding security company Veracode have also found that Claude models are writing less secure code than competitors. Over the last year, Veracode has been testing AI systems by asking them to complete 80 coding tasks. In 52% of those, Opus 4.7 included a vulnerability in the code. That\u2019s up from 51% for Opus 4.1 and 50% for Claude Sonnet 4.5, a lower-level, more cost-efficient model that doesn\u2019t use up as much compute. 
OpenAI\u2019s models perform notably better at around 30%.<\/p>\n<p>Jens Wessling, Veracode\u2019s chief innovation officer, says the data backed up user claims of model degradation. Wessling believes models are being trained to write working code, \u201cnot to consistently apply the controls that make software secure.\u201d<\/p>\n<p>\u201cIt reflects a real dynamic where faster, more capable models can still produce insecure output at meaningful rates,\u201d he tells Forbes. \u201cWithout changes to how that code is validated and remediated, the net effect can look like more buggy or vulnerable software, not less.\u201d<\/p>\n<p>Anthropic said it was actively investigating the claims of degradation in Opus and that engineers should always check for vulnerabilities. Previously, head of Claude Code Boris Cherny <a href=\"https:\/\/x.com\/bcherny\/status\/2043163965648515234?s=20\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/x.com\/bcherny\/status\/2043163965648515234?s=20\" data-ga-track=\"ExternalLink:https:\/\/x.com\/bcherny\/status\/2043163965648515234?s=20\" aria-label=\"posted on X\">posted on X<\/a> that the company had chosen to turn down how hard Claude thinks before editing code, from &#8220;high&#8221; to &#8220;medium&#8221; effort, in response to complaints about token usage. A token is a unit of text or code that a model uses to process and generate language.<\/p>\n<p>Adding irony to injury, this month Anthropic announced it had developed a new model, Mythos, that was capable of autonomously finding security issues in commonly used browsers and operating systems at scale. The company limited Mythos use to 40 major organizations, from Apple to Google, so it can be used to secure widely used products before hackers get hold of similarly powerful AI.<\/p>\n<p>Kennedy is so concerned about the potential for any AI giant\u2019s models regressing that he\u2019s reconsidering how his team uses AI. 
Now, he is building his own on-premise AI infrastructure so he can run bespoke models that he can control. \u201cWho can we really trust here?\u201d he asks.<\/p>\n<p>Got a tip on surveillance or cybercrime? Get me on Signal at <a href=\"https:\/\/tel:+19295127964\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link invalid-url\" title=\"https:\/\/tel:+19295127964\" data-ga-track=\"ExternalLink:https:\/\/tel:+19295127964\" aria-label=\"+1 929-512-7964\">+1 929-512-7964<\/a>.<\/p>\n<p>THE BIG STORY<\/p>\n<p>A Trump campaign rally at Madison Square Garden in 2024 (Photo by Michael M. Santiago\/Getty Images)<\/p>\n<p>Inside Madison Square Garden\u2019s Surveillance Machine<\/p>\n<p>Wired has a deep dive into the surveillance apparatus at New York\u2019s Madison Square Garden, where one trans woman was tracked for two years and protestors were snooped on by people pretending to be cops. Even Knicks players are warning about rooms being bugged, and staff fear being followed to local bars. 
<\/p>\n<p>Stories You Have To Read Today<\/p>\n<p>Tinder and Zoom <a href=\"https:\/\/gizmodo.com\/sam-altmans-creepy-eyeball-scanning-company-gets-in-bed-with-zoom-and-tinder-2000748013\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/gizmodo.com\/sam-altmans-creepy-eyeball-scanning-company-gets-in-bed-with-zoom-and-tinder-2000748013\" data-ga-track=\"ExternalLink:https:\/\/gizmodo.com\/sam-altmans-creepy-eyeball-scanning-company-gets-in-bed-with-zoom-and-tinder-2000748013\" aria-label=\"announced partnerships\">announced partnerships<\/a> with Sam Altman\u2019s World company, which scans people\u2019s eyeballs to prove they\u2019re human and validate their identity.<\/p>\n<p>Palantir published a <a href=\"https:\/\/www.linkedin.com\/pulse\/technological-republic-brief-palantir-technologies-ktdde\/?trackingId=Aj4eqrHqQE6Fwau4EPkPLA%3D%3D\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/www.linkedin.com\/pulse\/technological-republic-brief-palantir-technologies-ktdde\/?trackingId=Aj4eqrHqQE6Fwau4EPkPLA%3D%3D\" data-ga-track=\"ExternalLink:https:\/\/www.linkedin.com\/pulse\/technological-republic-brief-palantir-technologies-ktdde\/?trackingId=Aj4eqrHqQE6Fwau4EPkPLA%3D%3D\" aria-label=\"22-point manifesto\">22-point manifesto<\/a> from the new book of cofounder and CEO Alex Karp, which included a call for national service. \u201cWe should, as a society, seriously consider moving away from an all-volunteer force and only fight the next war if everyone shares in the risk and the cost,\u201d he wrote. 
While Karp\u2019s business works closely with the Pentagon, Karp himself is not known to have served in the military.<\/p>\n<p>As part of an international police operation, the DOJ <a href=\"https:\/\/www.justice.gov\/usao-ak\/pr\/us-authorities-conduct-cyber-operations-part-global-crackdown-ddos-hire-services\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/www.justice.gov\/usao-ak\/pr\/us-authorities-conduct-cyber-operations-part-global-crackdown-ddos-hire-services\" data-ga-track=\"ExternalLink:https:\/\/www.justice.gov\/usao-ak\/pr\/us-authorities-conduct-cyber-operations-part-global-crackdown-ddos-hire-services\" aria-label=\"seized\">seized<\/a> some of the biggest online markets offering to provide distributed denial of service (DDoS) attacks, which flood websites and apps with traffic to take them offline.<\/p>\n<p>Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, <a href=\"https:\/\/www.justice.gov\/usao-cdca\/pr\/british-national-pleads-guilty-hacking-companies-and-stealing-least-8-million-virtual\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/www.justice.gov\/usao-cdca\/pr\/british-national-pleads-guilty-hacking-companies-and-stealing-least-8-million-virtual\" data-ga-track=\"ExternalLink:https:\/\/www.justice.gov\/usao-cdca\/pr\/british-national-pleads-guilty-hacking-companies-and-stealing-least-8-million-virtual\" aria-label=\"pleaded guilty\">pleaded guilty<\/a> to his role in a hacking conspiracy to steal at least $8 million in virtual currency from U.S. companies. 
Investigators alleged Buchanan was part of the Scattered Spider crew, which targeted a range of retail and telecommunications companies globally.<\/p>\n<p>In case you missed it, Forbes published its eighth annual <a href=\"https:\/\/www.forbes.com\/lists\/ai50\/\" target=\"_self\" class=\"color-link\" title=\"https:\/\/www.forbes.com\/lists\/ai50\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/lists\/ai50\/\" aria-label=\"AI 50 list\" rel=\"nofollow noopener\">AI 50 list<\/a>, with sponsoring partner Mayfield, that highlights the most promising privately held AI companies in the world. There\u2019s a lot of familiar names, like Anthropic, Harvey and ElevenLabs, but this year Forbes has also highlighted some exciting newcomers, including presentation builder Gamma, drug discovery startup Chai Discovery and New York-based Rogo, which is building AI for bankers and investors. We also launched our first ever <a href=\"https:\/\/www.forbes.com\/sites\/sofiachierchio\/2026\/04\/16\/the-ai-50-brink-list\/\" target=\"_self\" class=\"color-link\" title=\"https:\/\/www.forbes.com\/sites\/sofiachierchio\/2026\/04\/16\/the-ai-50-brink-list\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/sofiachierchio\/2026\/04\/16\/the-ai-50-brink-list\/\" aria-label=\"AI 50 Brink list\" rel=\"nofollow noopener\">AI 50 Brink list<\/a>, featuring early stage companies with the potential to rival their more established peers in the future.<\/p>\n<p>Winner of the Week<\/p>\n<p>Last year, the DOJ sued Rhode Island to acquire non-public voter databases that included sensitive information like birth dates and Social Security numbers, without any justification. Now, a U.S. 
district court judge <a href=\"https:\/\/www.aclu.org\/press-releases\/judge-blocks-dojs-attempt-to-access-rhode-islanders-data\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/www.aclu.org\/press-releases\/judge-blocks-dojs-attempt-to-access-rhode-islanders-data\" data-ga-track=\"ExternalLink:https:\/\/www.aclu.org\/press-releases\/judge-blocks-dojs-attempt-to-access-rhode-islanders-data\" aria-label=\"granted a motion\">granted a motion<\/a> from voting rights groups and the ACLU to dismiss it.<\/p>\n<p>Loser of the Week<\/p>\n<p>A 35-year-old former cop, Robert Jay Josett, <a href=\"https:\/\/orangecountyda.org\/press\/former-orange-county-sheriffs-deputy-charged-with-possession-of-child-pornography-illegally-accessing-confidential-law-enforcement-database-to-look-up-romantic-rival-ex-girlfriend-and-vio-2\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\" class=\"color-link\" title=\"https:\/\/orangecountyda.org\/press\/former-orange-county-sheriffs-deputy-charged-with-possession-of-child-pornography-illegally-accessing-confidential-law-enforcement-database-to-look-up-romantic-rival-ex-girlfriend-and-vio-2\/\" data-ga-track=\"ExternalLink:https:\/\/orangecountyda.org\/press\/former-orange-county-sheriffs-deputy-charged-with-possession-of-child-pornography-illegally-accessing-confidential-law-enforcement-database-to-look-up-romantic-rival-ex-girlfriend-and-vio-2\/\" aria-label=\"pleaded guilty\">pleaded guilty<\/a> to using <a href=\"https:\/\/www.forbes.com\/sites\/thomasbrewster\/2025\/09\/03\/ai-startup-flock-thinks-it-can-eliminate-all-crime-in-america\/\" target=\"_self\" class=\"color-link\" title=\"https:\/\/www.forbes.com\/sites\/thomasbrewster\/2025\/09\/03\/ai-startup-flock-thinks-it-can-eliminate-all-crime-in-america\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/thomasbrewster\/2025\/09\/03\/ai-startup-flock-thinks-it-can-eliminate-all-crime-in-america\/\" aria-label=\"Flock 
Safety car surveillance technology\" rel=\"nofollow noopener\">Flock Safety car surveillance technology<\/a>, among other snooping tools, to track the whereabouts of his wife, mistress and romantic rivals. He\u2019s been ordered to serve a 52-week domestic violence program and sentenced to three years informal probation.<\/p>\n","protected":false},"excerpt":{"rendered":"This is the online edition of The Wiretap newsletter, your weekly digest of cybersecurity, internet privacy and surveillance&hellip;\n","protected":false},"author":2,"featured_media":12508,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[24,53,3154,182,5189,313,4018,353,9960,314,318],"class_list":{"0":"post-12507","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-anthropic","8":"tag-ai","9":"tag-anthropic","10":"tag-anthropic-claude","11":"tag-claude","12":"tag-code","13":"tag-cybersecurity","14":"tag-hackers","15":"tag-mythos","16":"tag-opus-4-6","17":"tag-security","18":"tag-vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/12507","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/comments?post=12507"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/12507\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media\/12508"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media?parent=12507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/categories?post=12507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/tags?post=12507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":t
rue}]}}