
Two recent incidents have demonstrated how artificial intelligence is reshaping cybersecurity research, with autonomous AI systems identifying dangerous flaws that eluded human experts for years.
Security startup depthfirst disclosed that its autonomous AI agent discovered 21 previously unknown zero-day vulnerabilities in FFmpeg, the open-source media library embedded in nearly every application that processes video. The run cost roughly $1,000 in compute. Some of the bugs had been hiding in the codebase for more than 20 years, despite FFmpeg having been scanned by both Google and Anthropic’s security tools. [thenextweb]
Depthfirst’s agent scanned FFmpeg’s roughly 1.5 million lines of C and produced a reproducible proof-of-concept for each vulnerability. Nine of the flaws have received CVE identifiers. Founded in October 2024, depthfirst raised $80 million in March at a $580 million valuation and in May committed up to $5 million in platform credits to help critical open-source projects find and fix vulnerabilities. [businesswire]
Separately, Zcash founder Zooko Wilcox publicly disclosed details of a critical forgery vulnerability in the cryptocurrency’s Orchard shielded pool on June 5. The flaw, which had existed since May 2022, could have allowed an attacker to mint unlimited counterfeit ZEC undetectably. [tradingview]
Security engineer Taylor Hornby, hired by Shielded Labs in April, discovered the bug on May 29 using Anthropic’s Claude Opus 4.8, released just one day earlier. Hornby built a complete proof-of-concept exploit that successfully generated counterfeit ZEC in a local test environment. The Zcash Open Development Lab deployed an emergency soft fork on June 2, disabling Orchard transactions, followed by a hard fork on June 3 that permanently closed the vulnerability. [blockhead]
ZEC fell more than 30% after the disclosure. Shielded Labs said it was “not overly concerned” about prior exploitation because the bug was subtle enough to evade years of expert review, but acknowledged there is no cryptographic way to prove it was never used. [coindesk]
The incidents arrive amid a broader shift. Google’s Threat Intelligence Group reported in May the first confirmed case of threat actors using AI to discover and weaponize a genuine zero-day. Anthropic has noted that its models “can now find high-severity vulnerabilities at scale”. [linkedin]
As The Next Web observed, AI is now “finding vulnerabilities faster than humans can fix them” — a dynamic that promises to benefit defenders and attackers alike as these tools grow more capable and accessible. [thenextweb]