The demonstration had a real-world backdrop. Ghost had shipped a fix for that same flaw back in February, free and documented. In May, attackers used it to compromise more than 700 websites that had not applied the fix. They quietly rewrote published content to serve malware to the sites’ readers. The weakness, in the end, was the 11 weeks between the fix existing and the fix being applied.
That gap is about to get considerably more expensive to leave open, and the scholarly publishing community needs to be prepared.
What changed this spring
In April, Anthropic announced Mythos, a general-purpose model that turned out to be unusually good at finding software vulnerabilities. By Anthropic’s own account, nobody set out to build that skill, which emerged as the model got better at everything else. The security world has been recalibrating ever since. In testing before the announcement, Mythos identified thousands of previously unknown flaws across every major operating system and web browser, one of which had sat undetected in a security-focused system for 27 years. What it does best is connect weaknesses that look harmless on their own into chains that open real doors. Where that work once required rare human talent and weeks of patience, it now requires a prompt.

Two consequences follow. First, the software industry is entering what the U.K.’s National Cyber Security Centre has called a “patch wave”: a sustained surge of security fixes as vendors work through everything these models are finding. By late May, Anthropic’s disclosures alone spanned roughly 1,000 open-source projects, and some maintainers asked the company to slow down because they could not keep up. Second, the time between a fix being published and that fix being weaponized has collapsed. In one Anthropic test, the model read a newly published fix for Firefox and produced a working attack within the hour. The browser release carrying that fix was still 18 days away. Every published patch is now also a map.
Nor is the capability confined to a lab any longer. On June 9, Anthropic released the same underlying model to the general public, but with its most dangerous capabilities held back. It was rolled back only three days later due to national security concerns, but it won’t stay gone forever. The unrestricted version remains available to a limited number of vetted partners. But capabilities of this kind have not, historically, stayed in one company’s hands for long.
The tax we already pay
Any presence on the internet has always carried costs that have nothing to do with scholarship, and these days nearly every system a publisher runs has an internet presence, whether it hosts the journals or sits quietly behind them. There is accessibility compliance, security certificates and software patches, passwords needing rotation, adaptation to ever-evolving privacy laws, the migration to each new COUNTER release, and search engines that change their rules without asking. All of it is the price of operating on the open internet, and none of it publishes a single article, advances a single field, or serves a single member. Call it the internet tax, and every publisher pays it one way or another.

Anyone who manages technology for a publisher knows what has happened to that tax over the past decade. It has only ever moved in one direction. Each year the baseline grows, and every dollar of it is drawn from the same technology budget, whether it is advancing the mission or keeping the wolves at bay. The arithmetic is unforgiving, because critical maintenance takes its share first and innovation gets what is left.
The rate hike
Mythos and the models that follow it raise that tax in a specific, measurable way, shrinking the amount of time it is safe to wait. The Ghost story shows what the old timetable forgave, when a fix could sit unapplied for weeks and usually nothing came of it. The new timetable assumes the attack is ready within hours.

The working week changes shape accordingly. The day now starts with the overnight vulnerability bulletins, because a fix released at midnight can be turned into an attack by morning. When a serious one lands, it goes to the front of the queue, and the planned work it displaces backs up behind it: the database upgrade booked for the weekend, the system migration that finally had a date, the access cleanup that has been pending since the last audit. The supply chain needs watching too, since a modern platform is assembled from hundreds of borrowed components, and attackers have learned to tamper with the warehouses those components ship from. None of this work ever finishes, and it is paid for in the scarcest currency a technology team has, the attention of its most skilled people.
What preparation looks like
Across the industry, security teams are already adjusting, and the work splits into the obvious and the unglamorous. The obvious: moving from monthly patch cycles to daily monitoring, with an emergency lane for fixes that cannot wait. The unglamorous: hunting down the shared logins and the colleagues whose system access outlived their job descriptions, and listening harder for someone rattling the doorknobs. Two newer habits are forming alongside. Some teams now point the same class of AI at their own systems, probing for the weaknesses an adversary would find first. It is a way of hiring the attacker’s toolkit for defense before someone else rents it for offense. And nearly all are training their people, because employees are traditionally security’s weakest link.

None of it is exotic, and all of it, on current evidence, is necessary. Every item is recurring work.
The arithmetic ahead
While the disruption caused by maliciously used LLMs increases the volume of vulnerabilities, the deeper change is in the tempo. Security work used to arrive on a schedule: the monthly patch cycle, the annual audit, the maintenance window booked weeks in advance. The schedule is now set by the attacker’s clock. By June, Anthropic was demonstrating working attacks within an hour of a fix appearing, and the direction only runs one way.

The tax is larger, and it is collected more often. And a tax collected continuously has a staffing consequence. Work that arrives on a schedule can be handled by the team already in place, when the schedule allows. Work that can arrive at any hour needs someone ready at any hour. That applies well beyond the publishing platform, since the same bulletins govern the membership system, the finance software, and the everyday office tools. Coverage of that kind comes down to headcount, and the choice is more people or less of everything else those people were hired to do.
Of course, the impact of an event like this differs depending on how much of the surface area a publisher covers itself. Those who have outsourced systems of various kinds will have the support of vendors who are anticipating and addressing the patch wave at scale, whereas those who have chosen to manage everything in-house, or even to build custom software, will need to take this cost on directly. As security risks like those stemming from Mythos raise the stakes, publishers are spending more time separating the mission-supporting activities from those that benefit from being outsourced.
There is one piece of relief in the arithmetic, in that the same patch, the same audit, and the same overnight watch cost roughly the same whether they protect one publication or several hundred. The work, at least, is well understood, and the industry has absorbed rising baselines before. This one is rather steeper, it is moving faster, and the next round will not be so patient. The hours it takes to stay ahead will come from somewhere, and where they come from is better decided ahead of time than discovered in real time.