From fairy dust to Glasswing: a decade of being right about the wrong thing

Season 3 · Threat Intelligence Series

Project Butterfly of Damocles

A twelve-year retrospective on the supply chain attack surface — DEF CON 22 to the Glasswing Doctrine

In 2014 I stood at DEF CON and showed the internet’s foundational software was held together by wishful thinking, volunteer labor, and collective myth. Last week Anthropic’s unreleased frontier model validated that at industrial scale. This month two nation-state actors proved the security tooling itself is now the attack surface. And Project Glasswing — the response — may be the most consequential single policy decision to date in the history of open source software security. Whether that consequence is good or catastrophic depends entirely on decisions no one has made yet.

  • 9 episodes in Season 3
  • 12 yrs: timeline, DEF CON 22 to Glasswing
  • 27 yrs: oldest zero-day found by Mythos
  • 174K: npm packages downstream of Axios alone

Ep. 02
Transitive dependency risk, package maintenance economics, and why the thing that destroys you won’t be your code. Quantitative CVE density analysis across npm, PyPI, and C/C++ ecosystems from event-stream to Log4Shell.
Tags: supply chain, npm, PyPI, Log4Shell
Available now · ~18 min

Ep. 03
CVE-2024-3094 is not a vulnerability story — it’s a governance story. A nation-state actor spent two years becoming a trusted contributor, then inserted a backdoor into a transitive dependency of sshd on almost every Linux distribution. Caught by an anomalous CPU benchmark, not security review. The template for everything that followed in 2026.
Tags: XZ Utils, CVE-2024-3094, social engineering, maintainer targeting
Available now · ~20 min

Ep. 04
March 19, 2026. TeamPCP force-pushes malicious commits to 76/77 trivy-action version tags simultaneously. The most diligent organizations had the greatest exposure. Full cascade reconstruction: CanisterWorm with blockchain C2, Checkmarx KICS, LiteLLM AI key vault breach, Telnyx WAV steganography, European Commission’s 92 GB.
Tags: Trivy, TeamPCP, CVE-2026-33634, CanisterWorm, LiteLLM
Available now · ~24 min

Ep. 05
March 31, 2026. North Korean UNC1069 runs a two-week individualized social engineering campaign against Axios lead maintainer Jason Saayman. Three hours. 174,000 downstream packages. The ROI calculation that makes high-impact OSS maintainers the most valuable social engineering targets in software — and what SLSA provenance absence means as a detection signal.
Tags: Axios, UNC1069, DPRK, Sapphire Sleet, SLSA
Available now · ~22 min

Ep. 06
TensorFlow: 700+ critical CVEs. HuggingFace’s dominant model serialization format: arbitrary code execution by design. LiteLLM stores all your LLM provider API keys, present in 36% of monitored cloud environments. The DEF CON 22 vulnerability density methodology applied to the modern ML infrastructure stack — same conclusions, one decade later, new substrate.
Tags: ML stack, TensorFlow, LiteLLM, ShadowRay, HuggingFace
Available now · ~20 min

Ep. 08
Every regulatory vulnerability management framework assumes discovery is scarce and disclosure is sequential. Glasswing produces thousands of simultaneous zero-day advisories. This episode models what happens when federal agencies receive 1,000 simultaneous zero-day advisories — and maps the 18-month window before the disclosure flood hits a compliance stack nobody has started redesigning.
Tags: CISA KEV, NVD, FedRAMP, CMMC, compliance cliff
[Forthcoming] · ~18 min

Ep. 09
Season finale. The fairy dust didn’t disappear — it moved one abstraction layer higher with each generation. What the Glasswing Doctrine needs to become to be durable. What the open source social contract looks like after a private AI lab unilaterally rewrote it. And the question nobody is asking loudly enough: who patches the patcher’s patcher, through what supply chain, while the patcher is fielding a Teams meeting request from a very convincing stranger.
Tags: synthesis, OSS social contract, governance, Glasswing Doctrine, season finale
[Forthcoming] · ~25 min

Thread 1 — The vulnerability story (Ep. 01, 02, 06)

The quantitative case that OSS infrastructure was never as secure as the collective myth suggested — from Exim’s 13,000 criticals in 2014 to TensorFlow’s 700+ in 2026. The data through two generations of infrastructure.

  • Ep. 01 — Internet infrastructure: DEF CON 22 dataset
  • Ep. 02 — Supply chain: transitive dependency risk
  • Ep. 06 — ML stack: the new load-bearing walls

Thread 2 — The attack story (Ep. 03, 04, 05)

How nation-state actors operationalized the threat models security researchers had been publishing for years. XZ as the template, Trivy as the pivot, Axios as the broadside. The playbook was published. They read it.

  • Ep. 03 — XZ Utils: the two-year playbook
  • Ep. 04 — Trivy/TeamPCP: the cascade
  • Ep. 05 — Axios/UNC1069: the locksmith operation

Thread 3 — The response story (Ep. 07, 08, 09)

Glasswing as policy precedent. The compliance cliff. Whether the voluntary restraint that produced Glasswing is more durable than the restraint that left the bugs unfixed for 27 years. The substrate change at the governance layer.

  • Ep. 07 — Glasswing: the doctrine
  • Ep. 08 — The compliance cliff
  • Ep. 09 — The pattern: season finale

The parable

Who is actually responsible for securing open source infrastructure?

Nobody — because everybody assumes somebody else will handle it. Introduced at DEF CON 22 to explain Heartbleed, the Everybody / Somebody / Nobody / Anybody parable returns in every episode as the structural explanation for why each generation of infrastructure inherits the same failure mode.

The inversion

Why does security diligence become an attack surface?

Because the most security-conscious organizations ran Trivy most frequently and had the greatest exposure when Trivy itself was compromised. The XZ maintainer was trustworthy — which is exactly why the attack worked. Security posture becomes a vulnerability vector when the tools enforcing it are the target.

The layer shift

Why do the same infrastructure security failures repeat across technology generations?

The fairy dust doesn’t disappear — it moves one abstraction layer higher. 2014: “everyone’s looking at the code.” 2024: “our tooling is trustworthy.” 2026: “our AI deployment is safe.” The pattern is structurally identical. Only the substrate changes.

The ROI problem

Why are open source maintainers prime targets for nation-state attacks?

Because the ROI is extraordinary: two weeks of social engineering to own 100 million weekly downloads; two years to own a transitive dependency of sshd. The economics of targeting volunteer maintainers only improve as package footprints grow and audit resources stay flat.

The governance gap

Why do good intentions fail to produce durable security governance?

Because both the OSS social contract and the Glasswing Doctrine are built on voluntary behavior at a scale they were never designed for. Glasswing is voluntary restraint by one company. The OSS model was voluntary contribution by scattered individuals. Season 3 asks what “durable” actually requires structurally.

The velocity mismatch

What changes when AI discovers vulnerabilities faster than humans can patch them?

Discovery becomes essentially free, and the entire bottleneck shifts to everything that comes after: triage, coordination, patch development, deployment, compliance reporting. Mythos finds bugs at machine speed; patches still ship at human speed. Season 3 maps the 18-month gap between those two curves.

For different ways to digest this information and explore the underlying thoughts, I compiled the original briefing documents, infographics, and multimedia discussions accompanying the series.

Multimedia & Discussions

Listen to or watch deep-dive discussions breaking down the key concepts from the series.

Executive Briefings & Decks

The original documents framing the strategic implications of Project Glasswing.

Infographics & Visuals

Visual aids and cover art summarizing the twelve-year timeline and attack models.

“Project Butterfly of Damocles: named for the moment you realize the sword has been hanging above the internet since 1998 — and that the thread was always a volunteer with a day job.”

— Series concept note, April 2026

Episodes 01–06 are available now. Episodes marked [Forthcoming] (07–09) are scheduled for Q2–Q3 2026 and describe events as they develop — they are clearly distinguished from the documented incidents in earlier episodes. Subscribe to the Morphogenetic SOC newsletter at securesql.info for release notifications.

Conflict of interest disclosure

The author is affiliated with Project Glasswing. This post reflects the author’s independent analysis and opinions only, and does not represent the views or positions of Anthropic, Project Glasswing, or any Glasswing launch partner. Readers should weigh the author’s affiliation accordingly when evaluating assessments of the initiative’s merits and limitations.