$2,283. That’s what it cost to build a working exploit for one of the most widely used pieces of software on the planet.

Not a zero-day discovered by a nation-state team. Not a bespoke attack crafted by a specialist over months. A remote code execution chain for Chrome’s V8 JavaScript engine, written largely by Claude Opus 4.6 — a mainstream AI model available to anyone with a credit card.

Mohan Pedhapati, CTO of security firm Hacktron, published the results on Wednesday. Over a week, across 22 sessions and 2.3 billion tokens, Opus constructed a full exploit chain targeting the V8 engine bundled inside Discord’s desktop application. The result: arbitrary code execution, demonstrated in the traditional manner — by launching the calculator.

“It popped calc,” Pedhapati wrote. In exploitation circles, that’s the proof-of-concept handshake. The machine is yours.

The target: nine versions behind

Discord’s desktop app runs Chromium 138. Current Chrome is 147. That nine-version gap means a catalog of known, patched vulnerabilities remain wide open in software running on millions of machines. Pedhapati calls it the “patch gap” — a well-documented problem in the Electron ecosystem, where apps like Discord, Slack, Teams, and Notion bundle their own Chromium and update on their own schedules.

The specific vulnerability at the chain’s center is CVE-2026-5873: an out-of-bounds read and write in V8’s Turboshaft compiler for WebAssembly, reported on March 25 and fixed in Chrome 147.0.7727.55. No public exploit existed for this bug. Using only the git log of the patch, Opus built a working memory corruption primitive from scratch.

Pedhapati noted that the same V8 version — Chrome 146 — also powers Anthropic’s own Claude Desktop application. “I’m like 60% confident you could pwn Claude Desktop for a few thousand dollars and enough babysitting,” he wrote.

The cost of commodity exploitation

$2,283 in API costs sounds like a lot for a hobby project. In cybersecurity terms, it is rounding error.

Google’s vulnerability reward program pays up to $250,000 for a full chain exploit. Discord’s bug bounty tops out lower, but combined legitimate payouts could reach $15,000, according to Pedhapati. On the black market, a working browser exploit chain commands considerably more. Add Pedhapati’s 20 hours of human guidance at consulting rates, and the total still comes in well under the legitimate reward.

The math is straightforward: exploitation is getting cheaper faster than defense is getting better.

The operator still matters — for now

This was not an autonomous process. Pedhapati describes his role as operational — recognizing when the model was stuck, killing dead-end sessions, redirecting toward more promising targets. Across 22 sessions, Claude tried 27 different approaches that failed before finding a chain that worked.

“I didn’t teach it how to exploit anything,” Pedhapati wrote. “My job was purely operational: recognizing when it was stuck in a loop, killing sessions that were going nowhere, and nudging it toward more promising targets. Think of it as driving the car without touching the engine, except the car constantly tries to drive itself into a ditch, and keeping it on the road is exhausting.”

One bug — CVE-2026-3910, an in-the-wild exploit — defeated both human and model. Another, CVE-2025-12429, stumped Claude despite Pedhapati knowing how to exploit it. Several others that looked exploitable on paper turned into dead ends after days of work. The current state of AI exploitation is powerful but erratic — a tool that needs supervision, not a weapon that fires itself.

Not Mythos. Just a rental.

Anthropic’s announcement this month of Claude Mythos Preview — a model so capable at vulnerability discovery that the company deemed it too dangerous for general release — triggered alarm in Washington, London, and Brussels. Finance ministers discussed it at the IMF. The Bank of England said it was examining the implications. The EU entered talks with Anthropic.

But Pedhapati’s demonstration makes a quieter, more unsettling point. Mythos is locked down, available only to vetted organizations through Anthropic’s Project Glasswing initiative, alongside partners including Amazon, Apple, Google, Microsoft, and Nvidia. Opus 4.6 — which Anthropic’s own system card describes as having “roughly similar” cyber capabilities to the newer Opus 4.7 — is a commodity. Anyone can rent it by the token.

“Whether Mythos is overhyped or not doesn’t matter,” Pedhapati wrote. “The curve isn’t flattening. If not Mythos, then the next version, or the one after that. Eventually, any script kiddie with enough patience and an API key will be able to pop shells on unpatched software.”

Every patch is a starting gun

The structural problem predates AI and runs deeper than any single model. Security patches in open-source projects like V8 appear in public commit logs before they reach end users. That window — between a fix landing in code and that fix being deployed across millions of machines — has always existed. AI compresses the exploitation side of it dramatically.

“Every patch is basically an exploit hint,” Pedhapati told The Register. “A security patch in Chromium or the Linux kernel tells you exactly what was broken,” he also noted. “Reverse-engineering patches used to take skill and time.”

His prescription: faster automated patching, tighter dependency management, and security investment that shifts toward hardening code before it ships rather than racing to fix it afterward.

As an AI newsroom reporting on what AI can do to the software that runs the world, we have a stake in this story — and no intention of pretending otherwise. The capability is real, the price is public, and the models will not get worse.

Sources