How Anthropic’s Opus Model Generates Real‑World Chrome Exploits and What It Means for Security
Anthropic’s Opus 4.6 model can automatically craft a working V8 JavaScript engine exploit for Chrome 138, costing $2,283 in API usage, which demonstrates how AI‑driven code generation is reshaping vulnerability research, shortening patch windows, and forcing a rethink of software security practices.
Anthropic decided not to release its Mythos vulnerability‑research model to the public out of fear that attackers could misuse it, but the company’s earlier Opus 4.6 model—replaced a week later by Opus 4.7—still possesses enough code‑generation power to produce runnable exploit code.
In a detailed blog post, Mohan Pedhapatti, CTO of the security firm Hacktron (online alias s1r1us), described how he used Opus 4.6 to build a complete exploit chain targeting the V8 JavaScript engine bundled with Chrome 138, which is also embedded in the current Discord desktop client. He spent a week iterating, consumed 2.3 billion tokens, and incurred $2,283 in API fees to finally achieve a “popped calculator” payload—opening the system calculator, a classic indicator that the attacker has gained control of the target.
Pedhapatti notes that while $2,283 is not trivial for an individual, it is negligible compared to the weeks‑long manual effort normally required to develop a similar exploit. Even adding a few thousand dollars for manual debugging, the total cost is far below the $15,000 bounty range offered by Google’s and Discord’s vulnerability reward programs, and far lower than the black‑market price of a comparable 0‑day.
According to the Opus 4.7 documentation, its security capabilities are roughly on par with Opus 4.6, but it is clearly weaker than the Mythos Preview and now includes built‑in safety mechanisms that automatically detect and block high‑risk security‑related requests.
Pedhapatti argues that the real issue is not any single model but the relentless improvement of code‑generation AI, which forces the entire industry to rethink security processes. He predicts that future generations of models will make it possible for anyone with patience and an API key to obtain system‑level privileges on unpatched software.
For Electron‑based applications (e.g., Slack, Discord) that rely on Chrome’s engine, the problem is the lag in updating their codebases. Electron 41.2.1, released on April 15, ships Chrome 146.0.7680.188—only one version behind the desktop Chrome 147.0.7727.101/102—but developers often do not push updates promptly, leaving users exposed.
Pedhapatti chose Discord as the attack target because it still runs Chrome 138, nine major versions behind the current release, dramatically widening the vulnerability window. He warns that as AI models become better at writing exploit code, the patch window for vendors will shrink, and each public patch essentially provides a “starting gun” for attackers who have access to the source before the fix is widely deployed.
He offers four concrete recommendations for software developers:
Prioritize security design before code is shipped.
Monitor dependency libraries closely to enable rapid response to changes.
Automate security‑patch installation to prevent users from remaining vulnerable due to delayed updates.
Open‑source projects like V8 should exercise greater caution when publishing vulnerability details.
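One way to act on the dependency-monitoring recommendation, shown as an added example that is not from Pedhapatti's post or from 21CTO: inventory Electron clients from proxy logs by their User-Agent and flag those whose bundled Chrome major version lags the current stable release. The log layout, host and app names, the `Electron/0.0.0` and `Chrome/138.0.0.0` strings and the two-version threshold are assumptions; the baseline of 147 and the Electron 41.2.1 / Chrome 146.0.7680.188 pairing come from the article.

```python
import re
from dataclasses import dataclass

# Baseline from the article: desktop Chrome 147.0.7727.101/102 was current.
CURRENT_CHROME_MAJOR = 147
MAX_MAJOR_LAG = 2  # assumed policy threshold, not from the article

# Electron clients usually append "<app>/<ver> Chrome/<ver> Electron/<ver>" to the UA.
UA_RE = re.compile(
    r"(?:(?P<app>[A-Za-z][\w.-]*)/[\w.-]+\s+)?"
    r"Chrome/(?P<chrome>\d+(?:\.\d+){0,3})\s+"
    r"Electron/(?P<electron>[\w.+-]+)"
)

# Constructed sample: hypothetical log format '<timestamp> <host> "<user-agent>"'.
SAMPLE_LOG = """\
2026-01-01T09:00:01Z ws-014 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) chatapp/1.0.0 Chrome/138.0.0.0 Electron/0.0.0 Safari/537.36"
2026-01-01T09:00:07Z ws-014 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) chatapp/1.0.0 Chrome/138.0.0.0 Electron/0.0.0 Safari/537.36"
2026-01-01T09:01:12Z ws-022 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) notesapp/2.4.0 Chrome/146.0.7680.188 Electron/41.2.1 Safari/537.36"
2026-01-01T09:02:30Z ws-022 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36"
truncated line without a user-agent field
"""

@dataclass(frozen=True)
class Finding:
    host: str
    app: str
    chrome: str
    electron: str
    lag: int  # major versions behind the baseline

def audit(log_text, current_major=CURRENT_CHROME_MAJOR, max_lag=MAX_MAJOR_LAG):
    """Return de-duplicated findings for Electron clients lagging more than max_lag."""
    findings = set()
    for line in log_text.splitlines():
        parts = line.split('"')
        if len(parts) < 3:
            continue  # no quoted User-Agent field on this line
        m = UA_RE.search(parts[1])
        if not m:
            continue  # ordinary browser or other non-Electron client
        lag = current_major - int(m["chrome"].split(".")[0])
        if lag > max_lag:
            fields = parts[0].split()
            host = fields[-1] if fields else "?"
            findings.add(Finding(host, m["app"] or "unknown", m["chrome"], m["electron"], lag))
    return sorted(findings, key=lambda f: (-f.lag, f.host, f.app))

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.host}: {f.app} bundles Chrome {f.chrome} ({f.lag} majors behind)")
```

User-Agent strings can be altered by the application, so a hit is a lead for checking the installed package rather than proof of the bundled version.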
Overall, the case study shows that AI‑driven exploit generation is no longer a theoretical risk; it is a practical, cost‑effective tool that can accelerate vulnerability discovery and exploitation, compelling the security community to adapt its defenses and response strategies.
21CTO
