Smashing Security podcast #463: This AI company leaked its own code. Its also built something terrifying

A hacking group claims to have broken into the flood defence system protecting Venice's Piazza San Marco - and is offering to sell access to whoever wants it. The asking price? A frankly insulting $600. Meanwhile, Anthropic accidentally leaked the source code for Claude Code via a basic packaging mi

# Critical Infrastructure Under Siege: Venice Breach, Anthropic Leak, and AI Vulnerability Discovery Expose Widening Security Gaps

A week that began with careless mistakes at a leading AI company has become a cautionary tale about the cascading failures that define modern cybersecurity. From Venice's iconic Piazza San Marco to the source code repositories of frontier AI labs, this week's revelations demonstrate that no organization—regardless of size or sophistication—is immune to fundamental security lapses. And the timing of these incidents, arriving alongside news of AI systems designed to automate vulnerability discovery, paints a sobering picture of the asymmetric advantage now held by attackers.

## The Venice Flood Defense Breach: A Historic City Under Threat

This week, an unnamed hacking group claimed to have successfully penetrated the flood defense system protecting Venice's Piazza San Marco—the historic heart of the city and one of the world's most vulnerable cultural treasures. The attackers are seeking to monetize their access, with an asking price of $600. The figure is shocking not for its magnitude, but for its modesty: a breach affecting critical infrastructure protecting UNESCO World Heritage sites and irreplaceable historical landmarks is being hawked at a price lower than a used smartphone.

The Piazza San Marco sits at the lowest elevation in Venice and experiences "acqua alta" (high water flooding) with increasing frequency due to climate change and subsidence. The city has spent billions on the MOSE (Modulo Sperimentale Elettromeccanico) flood barrier system—a marvel of engineering featuring mobile barriers designed to protect the lagoon during storm surges. If the breach provides operational control or visibility into this system, attackers could theoretically monitor, disable, or manipulate the barriers during critical flooding events.

What makes this attack especially alarming:

Flood defense systems operate at the intersection of critical infrastructure and cultural protection

The $600 price tag suggests the attackers may be testing interest before escalating demands

No confirmation yet that the breach has been patched or contained

The incident underscores how critical infrastructure often receives legacy security investments insufficient for modern threats

The Italian government and Venice authorities have not yet publicly confirmed or denied the breach claims, though investigations are reportedly underway.

## Anthropic's Accidental Code Leak: A Packaging Error with Serious Implications

In what the company has characterized as a simple packaging mistake, Anthropic inadvertently exposed the source code for Claude Code—the AI-assisted development environment running alongside the Claude AI model. The leak was discovered through a misconfiguration in how dependencies were bundled for distribution, allowing security researchers and determined users to access internal implementation details.

Claude Code is central to Anthropic's developer-focused product strategy, and the leak provides competitors, security researchers, and malicious actors with a roadmap of how the system:

Integrates with Claude's reasoning and execution

Handles file operations and system commands

Manages context and memory for coding tasks

Implements safeguards and validation logic

Why this matters:

Attack surface analysis: Threat actors now have a detailed blueprint of potential vulnerabilities in the system

Competitive intelligence: Rival AI companies gain insight into Anthropic's architectural decisions

Trust implications: Developers using Claude Code must now trust that the exposed code doesn't reveal authentication mechanisms, API key handling, or other sensitive operational details

Supply chain concerns: If the code was bundled with dependencies, it raises questions about what else may have been accidentally exposed

Anthropic has acknowledged the incident and begun mitigation efforts, though the full scope of exposed information remains unclear. The incident is a reminder that even security-conscious organizations can stumble at the operational level—packaging and deployment are often where careful engineering meets human oversight, and that's where things break.

## Mythos: The AI That Hunts Vulnerabilities Faster Than Humans

Perhaps more concerning than either individual incident is Anthropic's announcement of Mythos, an AI model specifically designed to identify and chain together software vulnerabilities with speed and accuracy exceeding human researchers. According to the company's claims, Mythos can:

Analyze codebases at scale to identify potential vulnerability patterns

Chain vulnerabilities together to understand how multiple weaknesses could be exploited in combination

Discover zero-day-like vulnerabilities in known software through novel exploitation paths

Operate faster than human security researchers in identifying exploitable conditions

The announcement raises a crucial strategic question: If an AI can find vulnerabilities faster than humans, what does that mean for the defenders?

Traditionally, the security industry has operated on an assumption of relative parity—researchers and bug hunters discover vulnerabilities through patient analysis, responsible disclosure processes manage the revelation timeline, and patching races against public exploits. Mythos disrupts this equilibrium by introducing a tool that dramatically accelerates the discovery phase. If this technology falls into the hands of attack groups, it could systematically identify zero-day vulnerabilities across entire software ecosystems before defenders have time to respond.

## The Convergence: Systemic Vulnerability in the Age of AI-Assisted Attacks

The three incidents of this week are separate events, but they reveal a coherent problem: security gaps exist at every level of the technology stack, and the tools to find and exploit them are becoming more powerful.

Consider the convergence:

1. A critical infrastructure operator relies on systems with inadequate security monitoring

2. A leading AI company with security awareness still makes basic packaging mistakes

3. The same company has built a tool that makes finding such mistakes—and vulnerabilities far more serious—trivial to discover at scale

This is not a condemnation of Anthropic specifically, but rather an illustration of a broader truth: the security industry is now in a race against AI-assisted attackers, and the defenders are playing catch-up.

## Implications for Organizations

Critical infrastructure operators must assume that flood defense systems, power grids, water treatment facilities, and similar systems may have been compromised or surveilled by threat actors. Legacy systems often run on outdated software without regular patching—a perfect target for AI-assisted vulnerability discovery.

Software development organizations must assume that their source code and build processes are likely exposed or will be. Defending against AI-assisted vulnerability discovery requires not just patching known issues, but architecting systems to limit the blast radius of zero-day exploits and implementing runtime protections that constrain attacker capabilities.

Organizations using frontier AI tools must accept that source code and implementation details may be exposed and should plan accordingly—assuming the tools will eventually be reverse-engineered or leaked.

## Recommendations

For infrastructure operators:

Conduct immediate security audits of all externally-facing systems

Implement network segmentation to isolate critical systems from internet connectivity

Assume breach and implement detection and response capabilities

Establish redundant manual controls for critical functions

For software organizations:

Assume your code will be disclosed; design for resilience rather than obscurity

Implement defense-in-depth: multiple validation layers, rate limiting, and behavioral monitoring

Automate vulnerability discovery internally using similar AI tools before attackers do

Prioritize patching automation and continuous deployment

For industry and policymakers:

Recognize that AI-assisted vulnerability discovery is now a capability, not a theoretical future

Require critical infrastructure operators to implement modern security controls as a condition of operation

Support development of AI-assisted defense tools to match attacker capabilities

## Conclusion

This week's convergence of incidents—a brazen infrastructure breach priced like a software license, a major AI company's packaging mistake, and the revelation of a vulnerability-hunting AI—serves as a stark reminder that cybersecurity is fundamentally asymmetric in favor of attackers. As the tools to find and exploit vulnerabilities become more sophisticated and automated, the burden on defenders grows heavier. The window for patching vulnerabilities is narrowing, and organizations that have not yet assumed breach, implemented segmentation, and prepared for continuous conflict are dangerously unprepared for the era ahead.