![\"\"\/](\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/user-icon.svg\"){kind=icon}
Pierluigi Paganini<\/a>\n\t\t\t\t\t\t\t
![\"\"\/](\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\"){kind=icon}
April 20, 2026<\/p>\n\t\t\t\t\t\t![\"\"\/](\"https:\/\/www.europesays.com\/ai\/wp-content\/uploads\/2026\/04\/Claude-Opus.png\")
<\/p>\n
Claude Opus created a working Chrome exploit for $2,283, showing that widely available AI models can already find and weaponize vulnerabilities.<\/p>\n
Claude Opus managed to produce a functional Chrome exploit for just $2,283, raising concerns about how easily AI can be used to find and exploit vulnerabilities. <\/p>\n
Below is the cost of the experiment:<\/p>\n
ModelTokensCostClaude Opus 4.6 (high)2,140M$2,014Claude Opus 4.6 (high-thinking)189M$267Claude Sonnet \/ GPT-5.4 (minor)\u2014~$2Total2,330M across 1,765 requests$2,283<\/p>\n
While Anthropic held back its more advanced Mythos<\/a> model over safety fears, even earlier, widely accessible models like Opus 4.6 can already generate real attack code, showing that the risk is not theoretical but already here.<\/p>\n \u201cI pointed Claude Opus at Discord\u2019s bundled Chrome (version 138, nine major versions behind upstream) and asked it to build a full V8 exploit chain. The V8 OOB we used was from Chrome 146, the same version Anthropic\u2019s own Claude Desktop is running.\u201d wrote<\/a> Mohan Pedhapati, CTO of Hacktron. \u201cA week of back and forth, 2.3 billion tokens, $2,283 in API costs, and about ~20 hours of me unsticking it from dead ends. It popped calc.\u201d<\/p>\n Building the Chrome exploit cost about $6,283, but the return can easily exceed that. Programs like Google\u2019s v8CTF pay $10,000 per valid exploit, and past submissions earned $5,000, with even higher offers appearing privately. Similar bugs could bring large rewards from companies like Anthropic. Overall, the cost already pays off in legitimate bug bounty programs, and could be far more profitable in underground markets.<\/p>\n Anthropic Mythos announcement sparked debate, with some calling it hype and others raising alarms. Beyond the noise, it highlights a real issue: AI models can already turn patches into working exploits, as shown with Chrome\u2019s V8. The real risk lies in slow patching, outdated systems become easy targets. Whether Mythos lives up to the hype or not, progress won\u2019t stop. Sooner or later, even low-skilled attackers with access to AI tools will exploit unpatched software.<\/p>\n The experts pointed out that Electron apps like Discord, Slack, and Teams bundle their own Chromium versions, often lagging weeks or months behind updates. This creates \u201cpatch gaps\u201d where known V8 vulnerabilities remain exploitable. Researchers have already shown real-world exploits, including remote code execution on Discord. Many apps still run outdated versions, sometimes missing key protections like sandboxing, making full exploit chains easier. As a result, widely used applications remain exposed to known flaws long after patches exist upstream.<\/p>\n \u201cI picked Discord as my target. It only needs two bugs for a full chain since there\u2019s no sandbox on the main window. It\u2019s sitting on Chrome 138, nine major versions behind current.\u201d continues Pedhapati. \u201cYou\u2019d still need an XSS on\u00a0discord.com<\/a>\u00a0to deliver the payload. I\u2019ll leave how hard that is as an exercise for the reader.\u201d<\/p>\n Pedhapati explained that Claude Opus still needs heavy human guidance to build exploits. It often gets stuck, loses context, guesses instead of verifying, and even changes the goal when it can\u2019t solve a problem. It doesn\u2019t recover on its own, so the operator must step in, debug issues, and guide it forward. Setting up the right environment and managing sessions also takes significant effort.<\/p>\n Even with these limits, the trend is clear: future models will need less supervision. As AI speeds up exploit development, it shrinks the time needed to weaponize bugs, while patching still lags. This gap will likely increase real-world attacks.<\/p>\n Security patches themselves reveal vulnerabilities, and AI can quickly turn them into exploits. Open-source code makes this easier, since fixes appear publicly before updates spread. You can\u2019t hide these changes anymore, AI can scan and analyze everything.<\/p>\n \u201cEvery patch is basically an exploit hint.\u00a0A security patch in Chromium or the Linux kernel tells you exactly what was broken. Reverse-engineering patches used to take skill and time. Now you can throw tokens at the problem and, with a decent operator nudging it past stuck points, get to a working exploit much faster.\u201d continues the expert.<\/p>\n The real advantage goes to small, skilled teams. One expert can manage multiple AI-driven exploit efforts at once, greatly increasing their impact compared to less capable attackers.<\/p>\n The researchers doubts AI progress will slow and warns that simply saying \u201cpatch faster\u201d isn\u2019t enough. Teams should build security into development from the start, track all dependencies to know what they run, and enforce automatic updates to remove delays. He also suggests rethinking how and when patches get published, since public fixes can quickly turn into exploit blueprints for attackers using AI.<\/p>\n \u201cThis sounds crazy, but maybe Chrome, or any open source software, shouldn\u2019t publish V8 patches before the stable release ships. Every public commit is a starting gun for anyone with an API key and strong team members who can weaponize exploits.\u201d he concludes.<\/p>\n Follow me on Twitter:\u00a0@securityaffairs<\/a>\u00a0and\u00a0Facebook<\/a>\u00a0and\u00a0Mastodon<\/a><\/p>\n Pierluigi\u00a0Paganini<\/a><\/p>\n (SecurityAffairs<\/a>\u00a0\u2013\u00a0hacking,\u00a0Claude)<\/p>\n \t\t\t\t\t\t\t\t\t\t\t