OALABS published the full session logs on June 16 of an amateur attacker in Addis Ababa who used Claude Opus 4.5 and OpenAI Codex to breach at least fourteen companies. The attacker typed prompts like “recon this” and “before you erite the report tell does an attaker has a chance of getting a shell.” Old Claude did the rest. It researched exposed services, identified vulnerabilities, wrote exploit code, validated access, and harvested data. It even ranked the stolen data by dollar value in a report it titled “Goldmine.”
The attacker’s operational security was nonexistent. He edited his resume on a compromised server. He confirmed his home IP address to the agent by accident. His activity window mapped cleanly to Addis Ababa business hours. OALABS had his full name, location, education history, and LinkedIn profile before they finished triaging the logs.
Across more than a thousand sessions, Codex flagged one policy violation. Opus flagged nine. OALABS, building a legitimate forensics tool on the same logs, hit more guardrail friction than the attacker did. The bypass was not sophisticated. Every malicious prompt was framed as an authorized red team exercise. When a rare violation fired, the attacker reworded the request and emphasized authorization. That worked every time.
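The activity-window attribution described above (session times lining up with Addis Ababa business hours) is a routine log-triage step. Added illustration, not OALABS' tooling: given session start timestamps in UTC, it scores every fixed UTC offset by how many sessions fall inside local 09:00-18:00 and ranks them; the timestamps are constructed sample data, and the business-hours window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC start times of agent sessions (not real OALABS data).
# Weekday sessions between 06:00 and 14:59 UTC, two per hour.
SESSION_STARTS_UTC = [
    f"2025-06-{day:02d}T{hour:02d}:{minute:02d}:00Z"
    for day in (2, 3, 4, 5, 6, 9, 10)   # Mon-Fri, Mon-Tue
    for hour in range(6, 15)
    for minute in (5, 40)
]

# Assumed local working window: 09:00 through 17:59.
BUSINESS_HOURS = range(9, 18)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def local_hour_histogram(timestamps, offset_hours: int) -> Counter:
    """Count sessions per local hour-of-day for a fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(t).astimezone(tz).hour for t in timestamps)


def business_hour_fit(timestamps, offset_hours: int) -> float:
    """Fraction of sessions inside BUSINESS_HOURS when viewed at this offset."""
    hist = local_hour_histogram(timestamps, offset_hours)
    inside = sum(n for hour, n in hist.items() if hour in BUSINESS_HOURS)
    return inside / sum(hist.values())


def rank_utc_offsets(timestamps, offsets=range(-12, 15)):
    """Return (offset, fit) pairs, best fit first; ties broken toward UTC."""
    scored = [(off, business_hour_fit(timestamps, off)) for off in offsets]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))


def best_offset(timestamps) -> int:
    """The UTC offset whose business hours best explain the activity window."""
    return rank_utc_offsets(timestamps)[0][0]


if __name__ == "__main__":
    for off, fit in rank_utc_offsets(SESSION_STARTS_UTC)[:5]:
        print(f"UTC{off:+d}: {fit:.0%} of sessions inside business hours")
    print(sorted(local_hour_histogram(SESSION_STARTS_UTC, best_offset(SESSION_STARTS_UTC)).items()))
```

A single best-fitting offset only narrows the candidate region; corroborating evidence (the confirmed home IP, the edited resume) is what turned a timezone band into a named individual in the OALABS case.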
What Model?
The model was Opus 4.5. Not Mythos. Not Fable. Not even the current generation. Anthropic’s own guardrail architecture redirects Fable requests to Opus 4.8 as the safe fallback. The model that breached fourteen companies on autopilot for a novice is three generations behind that.
The attacker did not need a frontier model. He did not need Mythos. He did not need Glasswing access. He didn’t even really need a $20/month API subscription and the phrase “authorized redteam exercise.”
I’ve said this over and over since April
On April 13 I published The Boy That Cried Mythos, documenting that AISLE reproduced the showcase Mythos finding on eight of eight open-weight models, one at eleven cents per million tokens. On May 4 I published Seventy-Five Cents Gets You an Anthropic Mythos Killer, where I built Lyrik on top of Wirken and reproduced the discovery pipeline for $0.745. On June 25 I published Get Local, documenting that Security Research Labs ran Qwen3.6 on a Mac laptop and matched frontier-model finding sets in under ninety minutes with zero human nudges.
The thesis across twenty-one posts (yes, twenty-one already) has been the same: the capability is commodity. The harness does the work. The models are interchangeable. Guardrails are performative. Export controls on frontier models protect a pricing model, not a population. The OALABS case study is not a new finding. It is simply more field confirmation of repeatedly published analysis.
Five Eyes and Seriously Risky Business arrive, late
On June 22, the Five Eyes cybersecurity agencies issued a joint call to action warning that AI lowers barriers for malicious actors and shrinks the window between vulnerability discovery and exploitation. On June 25, Tom Uren published Open-Weight Model Advances Make the Mythos Debate Moot in his Seriously Risky Business newsletter, citing the OALABS case and concluding that governments should stop trying to restrict frontier models and start tightening defenses.
That is the argument this site has been making since April, with the evidence trail, the reproduction costs, and the mechanism spelled out. Uren arrives at the same destination as the June 8 executive summary. He does not cite that or any of the twenty-one posts that got there first. The Five Eyes statement names the problem without naming the policy failure: that export controls on Mythos and Fable, issued by the Commerce Department on June 12 under 15 C.F.R. § 744.22(b), restrict access to a model whose capabilities are already reproducible on commodity hardware for a few dollars.
What OALABS proves, yet again
OALABS proves three things that I have said on this site since April.
First, the offensive capability is not frontier-exclusive. A novice with bad spelling and no exploit development background breached fourteen companies using a general-availability model. The attacker did not need Mythos. He needed a model that could run bash commands and follow instructions.
Second, guardrails do not distinguish between legitimate security work and criminal hacking. OALABS’s own reverse engineer, Sergei, wrote in the report that restricting the underlying workflow would mostly make the tools worse for legitimate security work, while leaving the same behavior available through less restrictive open-weight models like Kimi. That is my argument, published by someone with no connection to this site, using evidence I did not generate.
Third, restricting access to frontier models is the wrong policy lever. The attacker could have used Qwen 3.6 on local hardware and achieved the same result with no guardrails at all. Export controls on Mythos 5 and Fable 5 do not prevent the OALABS scenario. They instead prevent it from being auditable. The API-subscription attacker left a thousand session logs on a compromised server. The local-model attacker leaves nothing.
There was never any mythological genie in the bottle. The heavily marketed bottle was the entire product.