#009

A $0.11 model matched Mythos, SynthID got cracked, and GitHub's co-founder raised $17M

A 3.6B model matched Anthropic's restricted Mythos at finding zero-days. Google's SynthID watermark got cracked. GitHub's co-founder raised $17M for GitButler.


Anthropic locked Mythos behind $100M in enterprise credits and 40+ partner organizations. Too dangerous to ship publicly, they said. This week, cybersecurity startup AISLE ran 25+ models against the same vulnerabilities. A 3.6B-parameter model at $0.11 per million tokens detected the same FreeBSD buffer overflow. A 5.1B model recovered the full exploitation chain for the 27-year-old OpenBSD SACK bug that was Mythos’s headline finding.

Alex Stamos, ex-CISO of Facebook and Yahoo, conceded AISLE’s timeline: “We only have something like six months before the open-weight models catch up to the foundation models in bug finding.”

In today’s indie hacker news:

  • A $0.11 model matched Mythos at finding zero-days
  • Someone analyzed 123,000 image pairs and cracked Google’s SynthID watermark
  • GitHub co-founder raised $17M from a16z to replace Git
  • InstantDB hits 1.0, backed by the Firebase founder
  • OpenAI’s new $100 plan, AI rebellion at work, and more

TOP STORIES

THE $0.11 ZERO-DAY

Small LLMs match Mythos at finding vulnerabilities

A 3.6B-parameter model matched Anthropic’s restricted Mythos at finding zero-days

AISLE, a cybersecurity startup with 180+ externally validated CVEs, tested 25+ models against the same vulnerability classes Anthropic showcased for Mythos. The FreeBSD NFS buffer overflow (17 years old)? 8 of 8 models detected it, including GPT-OSS-20b at 3.6B active parameters and $0.11/M tokens. The 27-year-old OpenBSD TCP SACK bug? GPT-OSS-120b (5.1B active params, open-weights) recovered the full exploitation chain, graded A+. On OWASP false-positive traps, small models passed where Claude Sonnet and Opus 4.5 failed.

The details:

  • 3.6B active parameters detected the same FreeBSD buffer overflow at $0.11/M tokens
  • 5.1B active parameters recovered Mythos’s headline 27-year-old exploitation chain, graded A+
  • Mythos benchmarks for context: 83.1% on CyberGym vs. Opus 4.6’s 66.6%
  • Caveat: AISLE used single zero-shot calls, not agentic loops. Mythos’s autonomous exploitation pipeline is likely still harder for small models.

Why builders care: Run DeepSeek R1 locally via Ollama and get vulnerability detection comparable to what Anthropic restricted behind $100M in credits. The moat isn’t the model. It’s the system around it.


123,000 IMAGES LATER

Reverse engineering Google's SynthID watermark

Someone reverse-engineered Google’s invisible AI watermark and open-sourced the bypass

Alosh Denny analyzed 123,268 image pairs and cracked SynthID, Google DeepMind’s invisible watermarking system that’s tagged 10B+ images across Google’s services. His open-source tool detects SynthID with ~90% accuracy using signal processing alone. No Google API needed. The V3 bypass degrades the watermark below detection threshold while keeping image quality at 43.5 dB PSNR (imperceptible loss).

The details:

  • 1,103 GitHub stars, 97 forks on the reverse-SynthID repo
  • SynthID uses spread-spectrum phase encoding in the frequency domain. Green channel carries strongest signal. >99.5% cross-image coherence per model.
  • Key caveat: validated against the author’s own reconstructed detector, not Google’s production system
  • EU AI Act transparency Code of Practice takes effect August 2, 2026, mandating multilayered provenance (C2PA metadata + watermarks + fingerprinting)

Why builders care: Anyone with this tool can scan your content and flag it as AI-generated. Steganographic watermarks are fundamentally vulnerable to anyone with enough sample images. C2PA cryptographic signing is the more durable bet for content provenance.


THE CO-FOUNDER COMES BACK

GitButler raises $17M to build what comes after Git

GitHub’s co-founder raised $17M from a16z to build what comes after Git

Scott Chacon co-founded GitHub (one of the original 4-person team) and wrote Pro Git. Now he’s raised a $17M Series A from a16z for GitButler, which lets you work on multiple branches simultaneously without switching. Total raised: $20.7M. The pitch: if you’re running Cursor or Claude alongside your own work, you’ve hit the “multiple contexts in one working directory” problem. Virtual branches fix that.

The details:

  • $17M Series A led by a16z, Peter Levine joins the board. $20.7M total.
  • ~20,000 GitHub stars, 893 forks
  • HN thread from Feb 2026 flagged merge conflict handling as “absolutely incapable” of real-world scenarios
  • a16z thesis: Git was built for one person, one branch, one terminal. AI agents break that assumption.

Why builders care: Sits on top of Git, not replacing it. Low switching cost, low lock-in. Gets more valuable the more AI agents you’re running.


THE FIREBASE FOUNDER’S BET

InstantDB hits 1.0

InstantDB hits 1.0 with the Firebase founder’s money behind it

Joe Averbukh (ex-staff Facebook/Airbnb) and Stepan Parunashvili (ex-staff Airbnb) shipped InstantDB 1.0, a real-time, offline-first database on Postgres. YC S22. Their $3.4M seed angel roster: James Tamplin (Firebase founder), Paul Graham, Greg Brockman (OpenAI), Jeff Dean (DeepMind), Amjad Masad (Replit), Karri Saarinen (Linear). Tamplin: “The amount of requests we had for relational queries for Firebase was off-the-charts.”

The details:

  • 9,800 GitHub stars. InstaQL queries are plain JS objects. AI agents construct queries without special tooling.
  • Multi-tenant: new apps cost kilobytes, not hundreds of MB. Unlimited free projects (Supabase caps at 2).
  • Sync engine + offline-first + CEL-based permissions as a unified system
  • 4 years from founding to 1.0. No first-class backend functions yet (planned).

Why builders care: When you vibe-code, you hit the backend wall fast. InstantDB’s pitch: CLI-first, tiny API surface LLMs already understand, offline-first. The catch is no server functions yet.


💰 OpenAI launches $100 ChatGPT Pro plan - New tier between Plus ($20) and Pro ($200). 5x usage limits, 10x Codex usage through May 31. Codex has 3M+ weekly active users with 70% month-over-month growth. Explicitly positioned against Anthropic’s Claude Pro at $100/mo.

🙅 80% of white-collar workers refuse AI adoption mandates - WalkMe surveyed 3,750 workers across 14 countries. 54% bypassed AI tools, 33% haven’t touched AI at all. 29% admit to sabotaging their company’s AI strategy. If your customers’ employees won’t use your AI tool, you have a people problem.

🤗 Hugging Face launches Kernels - Pre-compiled GPU compute code (Triton/CUDA) loadable via one-line Python. Auto-matched to your stack. NVIDIA and AMD. Originally launched June 2025, resurfacing now.


DRAMA

THE BOT ARMY

Reddit is overrun by AI spam bots promoting vibe-coded SaaS

A builder on r/microsaas posted a question about managing DMs. Within 2 minutes: comments from ParseStream, MentionDesk, Peerpush, and Pulse for Reddit. Same formula: “I totally get the struggle. What helped me was [vague advice]. [Product Name] handles all that!” 91 upvotes, 51 comments.

Why builders care: The vibe-coding boom created an army of SaaS bots astroturfing Reddit. If you’re doing legitimate Reddit marketing, your real replies now compete with spam bots.


FIRST DOLLAR

DOOMSCROLL ANTIDOTE

Dull hits EUR 236 MRR in month one by making social media boring on purpose

Solo builder shipped Dull, an iOS app that strips Reels, Shorts, and algorithmic feeds from Instagram, YouTube, Facebook, and X. You get posts from people you follow, DMs, stories. That’s it. On-device, no servers. $3.99/mo. EUR 236 MRR in month one (self-reported, ~55-60 subscribers). Built to scratch the founder’s own doomscrolling itch.


STACK OF THE DAY

🛠 SmolVM - Open-source VM sandbox for AI coding agents. Safe code execution without touching your real system. MIT licensed, free.

Not sponsored. We just feature tools builders would actually use.


BOOKMARKED TODAY

📝 Old laptops in a colo as low-cost servers - Guide to repurposing old laptops as colocated servers. Built-in battery = free UPS. 221 HN points, 122 comments. Bootstrap-friendly infrastructure.

🤖 Research-Driven Agents: When an agent reads before it codes - SkyPilot’s deep dive on building agents that research docs and prior art before writing code. 164 HN points, 48 comments. Practical patterns for AI dev tools.

💬 I still prefer MCP over skills - Developer argues MCP servers are more composable and portable than Claude Code skills. 59 points, 63 comments (nearly 1:1, strong debate). Relevant if you’re building AI tool integrations.


Curated by AI, built by a human. Get this daily: indiehacker.news