Claude Opus 4.6 Generated Chrome Exploit for $2,283 in API Costs

Anthropic's Claude Opus 4.6 model successfully generated a functional exploit chain targeting Chrome's V8 JavaScript engine for $2,283 in API costs, according to research published by Hacktron CTO Mohan Pedhapati.

The demonstration, which cost 2.3 billion tokens and required approximately 20 hours of human guidance, targeted Chrome 138 bundled in Discord. The exploit chain successfully achieved code execution—demonstrated by opening the calculator app, a standard proof-of-concept indicator.

Cost Analysis and Implications

At $2,283, the exploit development cost represents a fraction of what comparable manual work would require. Pedhapati notes this amount is significantly less than the theoretical $15,000 reward available through Google's and Discord's vulnerability reward programs, even before accounting for the weeks of manual work saved.

The research used publicly known vulnerabilities from Chrome 146—the same version running in Anthropic's own Claude Desktop application—to demonstrate the exploit development capabilities.

Model Capabilities and Safeguards

According to Anthropic's Opus 4.7 System Card, the newer Opus 4.7 model released Thursday shows "roughly similar" cyber capabilities to Opus 4.6. However, Opus 4.7 includes safeguards that "automatically detect and block requests that indicate prohibited or high-risk cybersecurity uses."

Anthropic has withheld its Mythos bug-finding model from public release specifically due to concerns about enabling attackers to find and exploit vulnerabilities before patches are available. Despite this, Pedhapati's work demonstrates that publicly available models already possess significant exploit development capabilities.

Security Implications

The research highlights a critical security challenge: Discord was running Chrome 138, nine major versions behind the current Chrome 147.0.7727.101/102. Electron 41.2.1, released April 15, bundles Chrome 146.0.7680.188—just one version behind current—but Electron-based applications don't necessarily update their dependencies immediately.

"Whether Mythos is overhyped or not doesn't matter," Pedhapati said. "The curve isn't flattening. If not Mythos, then the next version, or the one after that. Eventually, any script kiddie with enough patience and an API key will be able to pop shells on unpatched software."

Recommendations

Pedhapati argues that as AI models become more capable of exploit development, the vulnerability window narrows significantly. His recommendations include:

• Implementing automatic security patches to eliminate user dependency on manual updates
• Focusing on security before code deployment
• Faster dependency updates, particularly for Electron-based applications
• More cautious disclosure timing for open source projects, as "every public commit is a starting gun for anyone with an API key"

What This Means

This demonstration confirms that publicly available frontier AI models have reached the capability threshold for practical exploit development, even if they require human guidance to overcome obstacles. The $2,283 price point makes this accessible to a wide range of actors, not just nation-states or well-funded groups. The security industry's traditional patch-and-update cycle may be insufficient when AI can accelerate exploit development from weeks to days. Organizations running software with known vulnerabilities—particularly Electron-based applications lagging behind Chrome releases—face materially increased risk.