The volume of CVEs landing against widely used open source libraries has jumped sharply in the last several months, and the cause isn’t a sudden drop in code quality — it’s that AI tools have gotten very good at finding vulnerabilities that have been sitting in plain sight for years. That shift is colliding with an open source ecosystem whose patching, disclosure and maintainer support models were designed for a much slower pace of discovery.
Aaron Mitchell, CEO of HeroDevs, joins Mike Vizard to dig into what Claude Mythos Preview and other AI-assisted scanners are actually surfacing, and why that matters for defenders. Mitchell argues the surge isn’t a temporary anomaly — it’s the new baseline. Once an AI model can sweep through a codebase in minutes and flag plausible vulnerability patterns, every popular library becomes a candidate for ongoing, automated re-examination.
They get into the harder part: what happens after the CVE is filed. Maintainers, many of them volunteers, are now expected to triage, validate and fix issues at a rate they were never resourced for. Security teams downstream are buried in advisories, struggling to separate findings that are exploitable in their own deployments from ones that are only theoretically reachable, and trying to pin down which versions of which transitive dependencies are actually installed in their environment, since the vulnerable copy is often nested several levels below anything they declared directly.
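The inventory half of that triage problem, working out which versions of which transitive dependencies are actually installed and which advisories they match, as an added worked example. This is not code from the episode, from HeroDevs, or from the original page. It flattens an npm package-lock style "packages" map (constructed inline) and cross-references it against a constructed advisory list; the package names and the EXAMPLE-* advisory identifiers are hypothetical, and the range matcher only handles ANDed comparators on plain x.y.z versions.

```python
"""Cross-reference an installed dependency tree against advisory version ranges.

Added example, not from the original page or HeroDevs. The lockfile fragment and
the advisories below are constructed for illustration; package names and the
EXAMPLE-* advisory IDs are hypothetical.
"""
from __future__ import annotations

import json
import re

# Constructed npm-style lockfile fragment (package-lock v2/v3 "packages" map).
# Keys are paths under node_modules, so a nested key is a transitive dependency.
LOCKFILE_JSON = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/web-framework": {"version": "4.2.1"},
    "node_modules/web-framework/node_modules/tiny-parser": {"version": "1.3.0"},
    "node_modules/log-helper": {"version": "2.0.5"},
    "node_modules/log-helper/node_modules/tiny-parser": {"version": "1.5.2"},
    "node_modules/legacy-util": {"version": "0.9.8"}
  }
}
"""

# Constructed advisories (hypothetical IDs and packages). "fixed" is None when
# the project is end-of-life and no upstream release carries a fix.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "tiny-parser", "vulnerable": "<1.4.0", "fixed": "1.4.0"},
    {"id": "EXAMPLE-0002", "package": "legacy-util", "vulnerable": "<1.0.0", "fixed": None},
    {"id": "EXAMPLE-0003", "package": "web-framework", "vulnerable": ">=4.0.0 <4.2.0", "fixed": "4.2.0"},
]

_COMPARATOR = re.compile(r"^(>=|<=|>|<|==|=)?(\d+(?:\.\d+){0,2})$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.3.0' into (1, 3, 0). Pre-release and build tags are dropped
    (assumption: the constructed inputs use plain numeric versions)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def satisfies(version: str, range_spec: str) -> bool:
    """True when version meets every comparator in a space-separated range such
    as '>=4.0.0 <4.2.0'. Comparators are ANDed; '||' alternation is not handled."""
    v = parse_version(version)
    for token in range_spec.split():
        m = _COMPARATOR.match(token)
        if not m:
            raise ValueError(f"unsupported comparator: {token!r}")
        op, bound = m.group(1) or "=", parse_version(m.group(2))
        ok = {
            ">": v > bound, ">=": v >= bound,
            "<": v < bound, "<=": v <= bound,
            "=": v == bound, "==": v == bound,
        }[op]
        if not ok:
            return False
    return True


def installed_packages(lock_json: str) -> list[dict]:
    """Flatten the 'packages' map into installed records. Each 'node_modules/'
    segment in the path is one hop, so depth > 1 means a transitive dependency."""
    lock = json.loads(lock_json)
    found = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project itself
            continue
        segments = path.split("node_modules/")
        found.append({"name": segments[-1], "version": meta["version"],
                      "path": path, "depth": len(segments) - 1})
    return found


def find_vulnerable(lock_json: str, advisories: list[dict]) -> list[dict]:
    """Return one finding per (advisory, installed instance) whose version falls
    inside the advisory's vulnerable range. The same package can appear twice at
    different versions; only the instances actually in range are reported."""
    findings = []
    for pkg in installed_packages(lock_json):
        for adv in advisories:
            if adv["package"] != pkg["name"] or not satisfies(pkg["version"], adv["vulnerable"]):
                continue
            findings.append({"advisory": adv["id"], "package": pkg["name"],
                             "version": pkg["version"], "path": pkg["path"],
                             "transitive": pkg["depth"] > 1, "fixed_in": adv["fixed"]})
    return sorted(findings, key=lambda f: (f["advisory"], f["path"]))


if __name__ == "__main__":
    for f in find_vulnerable(LOCKFILE_JSON, ADVISORIES):
        where = f"transitive via {f['path']}" if f["transitive"] else "direct"
        fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no upstream fix (EOL)"
        print(f"{f['advisory']}: {f['package']}@{f['version']} ({where}) -> {fix}")
```

Two things the output makes visible that a flat "is tiny-parser installed?" check would not: the vulnerable 1.3.0 copy of tiny-parser is nested under web-framework while the 1.5.2 copy under log-helper is clean, and the legacy-util finding has no fix version at all, which is exactly the end-of-life case where a patch has to come from somewhere other than upstream.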
Mitchell makes the case that enterprises depending on critical open source components need to stop treating support as optional. That means commercial backing for end-of-life and high-risk libraries, clearer ownership of patching responsibilities, and faster ways to ship verified fixes downstream. The takeaway for security teams is that the CVE surge is going to keep accelerating, and the organizations that pre-wire their patching and support model now will spend a lot less time firefighting later.