Krypteia Sec
Back to AI Briefs
TLP:CLEARAI-2026-0525

Daily AI Builder Brief - May 25, 2026

May 25, 20263 min read
aiclaude-codeanthropicmcpbuilder-intel

Executive Summary

  • Claude Code 2.1.150 (May 23) is an internal infra release, no user-facing changes. The substantive drop is still 2.1.149 with per-category /usage cost breakdown.
  • Project Glasswing posted its first quantified results: 10,000+ high or critical vulns across ~50 partner orgs using Claude Mythos Preview.
  • Cloudflare alone reported 2,000 bugs (400 high/critical). Mozilla patched 271 in Firefox 150.
  • Claude Security entered public beta on Claude Opus 4.7, with a Cyber Verification Program for eligible security teams.
  • MCP 2026-07-28 release candidate published May 21: stateless core, Mcp-Method and Mcp-Name headers, ttlMs cache hints, OAuth/OIDC alignment, formal deprecation policy. Final ships July 28.
  • GitHub's official MCP server pushed updates May 22.
  • Claude Mythos itself is still withheld from general release pending stronger safeguards.

Claude Code

v2.1.150 released May 23

Internal infrastructure improvements, no user-facing features. Changelog

v2.1.149 still the substance

/usage now breaks costs down per skill, subagent, plugin, and MCP server. /diff is keyboard-scrollable. GFM task list checkboxes render. Enterprise gains allowAllClaudeAiMcps. Several security fixes including PowerShell permission bypass and worktree sandbox allowlist. Changelog

Anthropic

Project Glasswing: 10,000+ vulnerabilities found

First quantified results, one month in. ~50 partner orgs running Claude Mythos Preview in defensive workflows. Cloudflare: 2,000 bugs, 400 high/critical. Mozilla: 271 fixed in Firefox 150. Bottleneck has shifted from discovery to verification and patching. Anthropic blog

Claude Security in public beta

Runs on Claude Opus 4.7 across codebases. Triages vulns, generates fixes. Cyber Verification Program opens to eligible security teams. Claude blog

Claude Mythos: still withheld

Anthropic confirmed May 22 that Mythos stays restricted to defensive consortium members. General release conditioned on safeguards work that isn't done. Project Glasswing

MCP Ecosystem

2026-07-28 release candidate

Biggest spec revision since launch. The Mcp-Session-Id header is gone, so any request can land on any server instance. Mcp-Method and Mcp-Name headers let load balancers route without inspecting bodies. ttlMs and cacheScope tell clients how long tools/list is fresh. Auth aligns with OAuth and OpenID Connect. Final spec ships July 28. MCP blog

GitHub MCP server update

Official server pushed an update May 22. Releases

Broader AI

Nothing today.

What This Means For Builders

  • If you ship MCP servers, start porting now. Stateless deploys behind a plain round-robin LB are about to be the default. Sticky-session designs are dead weight.
  • Use /usage per-category to find which MCP server or plugin is burning your tokens. Cut what isn't earning.
  • If you're in security, apply to Claude Security or the Cyber Verification Program. The frontier capability is now gated behind verified-defender access.
  • Don't expect Mythos in your hands soon. Plan production against Opus 4.7.

Sources

  1. https://code.claude.com/docs/en/changelog
  2. https://www.anthropic.com/news
  3. https://www.anthropic.com/glasswing
  4. https://claude.com/blog/claude-security-public-beta
  5. https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/
  6. https://github.com/github/github-mcp-server/releases