IBM is committing $5 billion and 20,000 engineers from its Red Hat division to a new initiative called Project Lightwell, aimed at shoring up security in the open-source software supply chain. The effort follows a wave of findings from Anthropic's Mythos AI tool, which uncovered a series of critical bugs that have ignited debate across the cybersecurity community.
Project Lightwell represents one of the largest dedicated investments in software supply chain security to date. Anthropic's Mythos findings, while not detailed in full, reportedly revealed vulnerabilities that underscore the growing risk of tainted code propagating through widely used libraries. The bugs have raised alarms about the cascading impact of compromised open-source dependencies on enterprise systems.
IBM and Red Hat's engineering force will focus on automated patch development and vulnerability remediation. The initiative aims to provide rapid fixes for critical open-source projects, reducing the window between disclosure and protection. Exact attack vectors or indicators of compromise from the Mythos bugs have not been publicly released, but the severity has prompted this unprecedented resource allocation.
Project Lightwell will operate as a managed service, offering continuous scanning and patching for client software supply chains. IBM plans to release initial patches within weeks for the most critical vulnerabilities identified by Anthropic's AI tool. No workarounds have been detailed yet, as the focus remains on comprehensive fixes rather than stopgaps.
Anthropic has not commented on Mythos's methodology or which specific open-source projects were affected. IBM's heavy bet hinges on the assumption that AI-assisted security at scale can outpace the rapidly evolving threat landscape. However, some security experts question whether throwing engineers at the problem can fully address the systemic complexity of open-source dependencies.