The Software Library in Billions of Devices That Most People Have Never Heard Of
Curl is everywhere — and a new era of AI-accelerated vulnerability discovery is changing what that means.

You've Never Heard of It. It's Running on Almost Everything You Own.
Here's a question worth sitting with: when was the last time you updated your home router's firmware? Not your phone, not your laptop — the router. The thing that's been blinking in the corner since you set it up years ago. That router almost certainly runs a piece of software called curl. So does your Android phone. So does macOS, Windows, and most Linux distributions. So do countless IoT devices — smart TVs, IP cameras, industrial sensors. Curl is a C library that does one thing extremely well: it transfers data over the internet. It's the invisible plumbing behind an enormous share of the world's software, and most of the people whose devices depend on it have absolutely no idea it exists. That invisibility is precisely what makes the current moment so worth paying attention to. When a foundational library like curl carries a vulnerability, the question isn't just 'who needs to patch their server?' It's 'how many of the billions of devices running this code will ever receive a fix at all?'

How Anthropic's Mythos Changed the Vulnerability Discovery Equation
For decades, the security world operated on a rough gentleman's agreement called coordinated disclosure. A researcher finds a flaw, quietly tells the affected vendor, waits for a patch, then goes public. The CVE number gets published, defenders scramble to patch, and the race begins. It wasn't perfect, but disclosure acted — as Darktrace's analysts put it — as 'a rough synchronization point' between attackers and defenders.

Anthropic's Mythos model is accelerating the collapse of that arrangement. According to Darktrace, AI systems are now capable of analyzing complex software environments and identifying weaknesses at a pace and scale that human researchers simply cannot match. The implication is direct: 'exploitation may be underway well before a CVE is published, if it is published at all.'

This isn't a theoretical future state. The acceleration was already visible before Mythos. According to NIST data cited by Darktrace, publicly disclosed vulnerabilities grew by 32% in 2024. XBOW, an autonomous penetration testing system, topped the HackerOne bug bounty leaderboard — the first time an AI system had done so. The frontier, as Darktrace notes, is 'jagged' — Mythos is exceptional but not unique. What matters isn't which model is best. It's that vulnerability discovery is 'no longer a scarce or tightly bounded capability.'

---
**JARGON-FREE EXPLAINER: What is a CVE?**

CVE stands for Common Vulnerabilities and Exposures. Think of it like a tracking number for a known security flaw — the same way a parcel has a tracking code so everyone in the logistics chain knows what's being moved. When a CVE is published, it signals to defenders worldwide: 'this specific flaw exists, here's what it affects, go patch it.' The problem Mythos introduces is that attackers may already have found and exploited the flaw before that tracking number ever gets issued.
---
The Window Is Closing: From Disclosure to Exploitation in Hours
If the Mythos story feels abstract, two recent incidents make the timeline concrete and visceral. In April 2026, a critical remote code execution vulnerability in Marimo — an open-source Python notebook — was exploited within 9 hours and 41 minutes of public disclosure, according to Sysdig. The flaw, CVE-2026-39987 (CVSS score: 9.3), allowed an unauthenticated attacker to obtain a full interactive shell through a single WebSocket connection. There was no proof-of-concept code available at the time. The attacker built a working exploit directly from reading the advisory description. A month earlier, a critical flaw in Langflow (CVE-2026-33017, also CVSS 9.3) came under active exploitation within 20 hours of disclosure. One HTTP POST request with malicious Python code was enough to achieve remote code execution. These are not foundational libraries on the scale of curl — but they illustrate the operating environment defenders now face. When the gap between 'vulnerability disclosed' and 'vulnerability weaponized' is measured in single-digit hours, the traditional patch-and-wait model breaks down. For a library embedded in firmware that hasn't been updated in three years, the math is even grimmer.

The Supply Chain Problem: Efficiency and Fragility Are the Same Thing
Curl's ubiquity is, in one sense, a triumph. Open source at its best means that a single well-maintained, well-audited piece of code gets reused across millions of projects rather than each team writing their own fragile version from scratch. The efficiency gains are real and enormous. But that same concentration creates a systemic fragility that no patch cadence can fully address. When a vulnerability lands in a foundational library, it doesn't affect one product — it propagates through every downstream dependency simultaneously.

The Axios npm supply chain compromise, attributed by Microsoft to North Korean state actor Sapphire Sleet, illustrates how this plays out in practice: malicious versions of a package with over 70 million weekly downloads were published with an injected dependency that downloaded payloads from attacker-controlled infrastructure, automatically deploying a remote access trojan across macOS, Windows, and Linux. The Shai-Hulud 2.0 campaign followed a similar pattern — attackers maliciously modified hundreds of publicly available packages, targeting developer environments and CI/CD pipelines to harvest credentials. Microsoft's analysis noted that 'traditional network defenses are insufficient against attacks embedded in trusted package workflows.'

For a library like curl — which lives not just in package managers but is also burned into firmware on hardware that will never receive an over-the-air update — the exposure surface is effectively permanent for a significant portion of deployed devices.
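The propagation described above can be made concrete with an impact analysis over a dependency inventory: given the package that carries the flaw, walk the reverse dependency graph and list everything that transitively pulls it in. The following is an added example, not code from the article or from the curl project; the inventory, package names, version numbers and the "fixed in" threshold are all constructed for illustration, with "libcurl" standing in for the foundational library.

```python
"""Blast-radius analysis for a vulnerable foundational library.

Added example (not from the article or the curl project). Every package name,
version and the affected-version threshold below is constructed.
"""
from collections import deque

# Constructed inventory: package -> (installed version, direct dependencies).
# Think of it as a flattened SBOM for one device image.
INVENTORY = {
    "libcurl":         ("1.2.3", []),
    "http-client":     ("2.3.0", ["libcurl"]),
    "updater-agent":   ("1.0.4", ["http-client"]),
    "camera-firmware": ("3.2.0", ["updater-agent", "libcurl"]),
    "router-webui":    ("5.1.2", ["http-client"]),
    "metrics-sdk":     ("0.9.0", []),          # unrelated; should not appear
}


def parse_version(version):
    """Turn 'a.b.c' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, fixed_in):
    """Constructed rule: every release before `fixed_in` carries the flaw."""
    return parse_version(version) < parse_version(fixed_in)


def reverse_graph(inventory):
    """Map each package to the set of packages that depend on it directly."""
    reverse = {name: set() for name in inventory}
    for name, (_, deps) in inventory.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(name)
    return reverse


def blast_radius(inventory, root):
    """Every package that transitively depends on `root`, keyed by the
    shortest dependency distance (1 = depends on it directly)."""
    reverse = reverse_graph(inventory)
    depth = {root: 0}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for dependant in reverse.get(current, ()):
            if dependant not in depth:      # BFS gives the shortest distance
                depth[dependant] = depth[current] + 1
                queue.append(dependant)
    depth.pop(root)
    return depth


def impact_report(inventory, library, fixed_in):
    """Is the installed `library` affected, and if so what sits downstream?"""
    installed = inventory[library][0]
    if not is_affected(installed, fixed_in):
        return {"affected": False, "downstream": {}}
    return {"affected": True, "downstream": blast_radius(inventory, library)}


if __name__ == "__main__":
    report = impact_report(INVENTORY, "libcurl", "1.3.0")
    for name, distance in sorted(report["downstream"].items(), key=lambda kv: kv[1]):
        print(f"{name}: {distance} hop(s) from libcurl")
```

The distance column is what a triage team wants first: direct dependants are where the vulnerable code is actually linked and called, while packages two or more hops away inherit the exposure only through something in between. Run against a real SBOM the same walk answers the question the article poses, how much of the fleet a single flaw in the foundational library reaches.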

What to Watch Next: Behavioral Detection Over Patch Cadence
The honest takeaway from the convergence of Mythos-class AI discovery and foundational library risk isn't 'patch faster.' It's that patching alone is no longer a sufficient defense posture. Darktrace's analysis points toward the direction the field is moving: behavioral detection — identifying and containing threats based on what they're doing in your environment, rather than waiting for a CVE to tell you what to look for. If exploitation is underway before disclosure, the only signal available is anomalous behavior, not a known signature. For the broader software ecosystem, the structural question is harder. The Snyk ToxicSkills audit of AI agent skill packages found that 13.4% of 3,984 scanned skills contained at least one critical-level security issue — and the researchers noted the ecosystem 'mirrors the early days of npm and PyPI.' Every new dependency layer added on top of foundational libraries like curl extends the blast radius of any flaw found within them. The thing to watch is whether AI-accelerated discovery tools get deployed defensively at the same scale they're being deployed offensively — and whether the open source community can build review and disclosure infrastructure fast enough to keep pace with a world where finding vulnerabilities is 'no longer a scarce or tightly bounded capability.'
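A minimal version of the behavioral approach described above: learn what each device normally does during a quiet window, then flag departures from that baseline (a destination the device has never contacted, or a transfer far larger than its usual size) without any knowledge of a specific CVE or signature. This is an added example, not code from the article or from Darktrace; the log format, device names, timestamps and IP addresses (drawn from the RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Baseline-and-deviation detection over constructed device egress logs.

Added example (not from the article or Darktrace). The log format and every
value in the sample lines are constructed; IPs are RFC 5737 documentation
addresses.
"""
import re
from collections import defaultdict
from statistics import mean

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed learning window: ordinary traffic for two devices.
BASELINE_LOG = """\
2026-04-01T00:00:00Z device=cam-01 dst=192.0.2.10 bytes=400
2026-04-01T00:05:00Z device=cam-01 dst=192.0.2.10 bytes=420
2026-04-01T00:10:00Z device=cam-01 dst=192.0.2.11 bytes=380
2026-04-01T00:00:00Z device=router-01 dst=198.51.100.7 bytes=1500
2026-04-01T00:05:00Z device=router-01 dst=198.51.100.7 bytes=1600
"""

# Constructed live window: mostly normal, with one new destination and one
# volume spike that the detector should surface.
LIVE_LOG = """\
2026-04-02T00:00:00Z device=cam-01 dst=192.0.2.10 bytes=410
2026-04-02T00:05:00Z device=cam-01 dst=203.0.113.99 bytes=390
2026-04-02T00:10:00Z device=router-01 dst=198.51.100.7 bytes=1550
2026-04-02T00:15:00Z device=router-01 dst=198.51.100.7 bytes=90000
"""


def parse(log):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append({"ts": match["ts"], "device": match["device"],
                           "dst": match["dst"], "bytes": int(match["bytes"])})
    return events


def build_baseline(events):
    """Per device: the set of destinations seen and the mean transfer size."""
    dsts, sizes = defaultdict(set), defaultdict(list)
    for event in events:
        dsts[event["device"]].add(event["dst"])
        sizes[event["device"]].append(event["bytes"])
    return {dev: {"dsts": dsts[dev], "mean_bytes": mean(sizes[dev])} for dev in dsts}


def detect(baseline, events, spike_factor=10.0):
    """Return (timestamp, device, reason) for every event that departs from
    the device's own baseline. spike_factor is a constructed threshold."""
    alerts = []
    for event in events:
        profile = baseline.get(event["device"])
        if profile is None:
            alerts.append((event["ts"], event["device"], "unknown device"))
            continue
        if event["dst"] not in profile["dsts"]:
            alerts.append((event["ts"], event["device"],
                           f"new destination {event['dst']}"))
        if event["bytes"] > spike_factor * profile["mean_bytes"]:
            alerts.append((event["ts"], event["device"],
                           f"volume spike {event['bytes']} bytes"))
    return alerts


def run():
    """Learn from the baseline window, then score the live window."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(LIVE_LOG))


if __name__ == "__main__":
    for ts, device, reason in run():
        print(f"{ts} {device}: {reason}")
```

The point of the design is that neither alert depends on knowing what the flaw was: a camera that has only ever spoken to two addresses contacting a third, or a router moving sixty times its usual volume, is visible the moment it happens. In production the baseline would be learned per device over a much longer window and the thresholds tuned to the fleet, but the shape of the logic is the same.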

Sources
- [1] Anthropic's Mythos and what it means for security teams — Darktrace
- [2] Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure — The Hacker News
- [3] Linux exploit instantly grants administrator access on most distributions since 2017 — cryptography optimization snafu grants root privileges to local users — Tom's Hardware
- [4] Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure — The Hacker News
- [5] Mitigating the Axios npm supply chain compromise — Microsoft
- [6] Snyk Finds Prompt Injection in 36%, 1467 Malicious Payloads in a ToxicSkills Study of Agent Skills Supply Chain Compromise — Snyk
- [7] LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices — Unit 42
- [8] Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack — Microsoft