
I Let Claude Opus Write a Chrome Exploit: The Next Model (Mythos?) Won’t Need My Help?


Researchers just demonstrated that Anthropic’s Claude 3.5 Opus can generate a full Chrome V8 exploit chain under heavy human guidance. The target: Discord’s bundled Chromium version 138, which lags nine major releases behind upstream Chrome (around 147 at the time). Using a V8 out-of-bounds vulnerability from Chrome 146—the same engine powering Anthropic’s own Claude Desktop app—the AI built an exploit that executed calc.exe on Windows. Total cost: $2,283 in API fees, 2.3 billion tokens processed, and 20 hours of a human expert unsticking the model from failures over a week.

This isn’t autonomous hacking. The human prompted iteratively, correcting dead ends and refining the chain. Claude Opus handled sandbox escape, memory corruption, and shellcode execution, but only with constant oversight. Popping calc proves reliable remote code execution (RCE), a serious primitive for attacks like data theft or ransomware deployment in Electron apps like Discord.

Breaking Down the Exploit

V8 is Chrome’s JavaScript engine, handling billions of daily executions. The OOB bug (CVE pending, but referenced from Chrome 146) allows reads/writes beyond allocated memory bounds. A full chain requires three phases: information leak to bypass ASLR/DEP, arbitrary read/write (arb RW) for control flow hijack, and sandbox escape to run system binaries.

Claude generated JavaScript primitives for each. It crafted objects to trigger the OOB, leaked heap addresses via typed arrays, built a RW gadget using WebAssembly for precision, and escaped via a renderer-to-utility-process elevation—common in Electron’s relaxed sandboxing. Discord’s version 138 misses mitigations in newer Chrome, like improved V8 bounds checking and stricter site isolation.

Verify the setup yourself: Discord 1.0.9153 bundles Chromium 138.0.7204.90. Run chrome://version in Discord to confirm. Upstream Chrome 146 patched similar issues via commits like r31456789 (hypothetical; check Chromium bug tracker for OOBs). Claude Desktop? Same 146 engine, unpatched for this vuln—ironic for an AI safety leader.

$ /opt/discord/chrome-sandbox --version
Chromium 138.0.7204.90 electron/29.3.0

The AI’s code was functional but verbose—thousands of lines. Human tweaks fixed JIT compiler quirks and 64-bit pointer handling. No zero-days hunted; it chained public-ish primitives.

Why This Matters for Security and AI

Exploit development traditionally demands elite skills: reverse engineering, fuzzing, hand-crafted assembly. This drops the barrier. A motivated attacker with $2k and basic prompting skills gets RCE in a 500M-user app. Electron’s bundle bloat (Discord: 500MB+) amplifies risks—outdated Chromium exposes millions.

Scale this: Opus input currently costs $15 per million tokens through the API, so 2.3B tokens is an enterprise-level expense. But agentic loops and cheaper models (Sonnet 3.7? Llama 4?) slash that to hours and pennies. The post hints at “Mythos,” likely a rumored frontier model. Would it be capable of zero-prompt exploits?

Skeptical take: 80% human effort. AI hallucinates bad ROP chains, misses endianness. Still, red teams win: faster prototyping than manual. Defenders must adapt—fuzz AI-generated PoCs, patch Electron aggressively, audit bundled binaries. Vendors like Discord update slowly; version 138 predates 2024 mitigations like PartitionAlloc hardening.
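
One way to run the bundled-binary audit recommended above, building on the earlier "Verify the setup yourself" version check (an added example, not code from the original post or the researchers): it extracts Chromium and Electron version markers from captured version text and flags apps whose Chromium major trails upstream. The `max_lag` threshold and the `app-b`/`app-c` samples are constructed assumptions; the Discord line and the upstream major 147 come from the article.

```python
import re

# Markers as they appear in version output and user-agent style strings,
# e.g. "Chromium 138.0.7204.90", "Chrome/138.0.7204.90", "electron/29.3.0".
CHROMIUM_RE = re.compile(rb"(?:Chromium |Chrome/)(\d+)\.(\d+)\.(\d+)\.(\d+)")
ELECTRON_RE = re.compile(rb"[Ee]lectron/(\d+\.\d+\.\d+)")

# Constructed inventory: app name -> bytes captured from version output or
# from a strings-style scan of the app binary. Only the Discord line is
# taken from the article; app-b and app-c are hypothetical.
SAMPLE_INVENTORY = {
    "discord": b"Chromium 138.0.7204.90 electron/29.3.0\n",
    "app-b": b"\x00\x01Mozilla/5.0 Chrome/146.0.7680.10 Electron/41.0.0\x00",
    "app-c": b"\x7fELF\x02\x01 no version marker here",
}

def bundled_versions(blob):
    """Return (chromium 4-tuple or None, electron version str or None)."""
    c = CHROMIUM_RE.search(blob)
    e = ELECTRON_RE.search(blob)
    chromium = tuple(int(x) for x in c.groups()) if c else None
    electron = e.group(1).decode() if e else None
    return chromium, electron

def audit(inventory, upstream_major, max_lag=2):
    """Flag apps whose bundled Chromium major trails upstream by > max_lag.

    max_lag is an assumed policy threshold, not a value from the article.
    Returns (app, chromium_version, lag, status) tuples, worst lag first,
    with apps whose version could not be determined listed last.
    """
    findings = []
    for app, blob in inventory.items():
        chromium, _electron = bundled_versions(blob)
        if chromium is None:
            # No marker found: treat as a finding to investigate, not as ok.
            findings.append((app, None, None, "unknown"))
            continue
        lag = upstream_major - chromium[0]
        status = "stale" if lag > max_lag else "ok"
        findings.append((app, ".".join(map(str, chromium)), lag, status))
    return sorted(findings, key=lambda f: (f[2] is None, -(f[2] or 0)))

if __name__ == "__main__":
    # 147 is the upstream Chrome major the article cites.
    for row in audit(SAMPLE_INVENTORY, upstream_major=147):
        print(row)
```
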

Bigger picture: AI safety firms like Anthropic train on security data but ship vulnerable desktops. Regulators watch: If models auto-exploit, expect export controls or red-teaming mandates. Attackers gain tools; defenders get the same. Balance tips toward proliferation unless models refuse exploit queries outright—which Opus didn’t here.

Bottom line: AI accelerates vulns-to-weapons. Users: Update Discord, sandbox Electron. Devs: Bundle latest Chromium. Expect copycats targeting Slack, VS Code. The next model might not need your help.

April 16, 2026 · 3 min · 6 views · Source: Lobsters
