The Rocket They Built Yesterday Morning

Part of the ongoing Big Tech’s War on Users series.
When I started this series I figured I’d be documenting slow burns. The Proton piece went live yesterday. By yesterday afternoon I was already looking at something that couldn’t wait.
Nobody told Mozilla.

Yesterday — and I mean yesterday, the timestamp on the GitHub repo says April 10th — Mozilla’s AI security team 0DIN open-sourced their AI vulnerability scanner. Press release and everything. Blog post about the open web. Invocations of Mozilla’s legacy as the conscience of the internet.
It’s been out about 24 hours.
Take whatever bet you want on how many state actors, ransomware operations, and malware crews already have it cloned locally. My money is all of them. Every single one with an internet connection and a reason to care. That’s not cynicism. That’s just how open source works when what you’re releasing is immediately, obviously useful for offensive purposes. State actors have people whose entire job is watching GitHub for exactly this kind of drop. The repo went public while Mozilla was still drafting the announcement.
I checked the repo status before writing this. Still up. Still public. No takedown, no private flag. And 0DIN posted a follow-up saying “the response has been incredible” — listing what people want to plug into it. CI/CD pipelines. Probe library access. Model validation. The warhead socket is getting exactly the attention you’d expect.
I’m not linking the repo. I’m documenting the rocket, not handing out the address.
So let’s talk about what they actually built.

The Rocket

0DIN Scanner is built on top of GARAK — NVIDIA’s open source LLM vulnerability scanner — which pioneered the systematic probe-based approach to red-teaming language models. The core mechanism is structured adversarial prompts. Coded attack techniques, fired automatically at whatever API endpoint you point it at. You configure a target, run the scanner, get a scored report of every known vulnerability class the model failed to defend against. Prompt injection. Jailbreaks. Guardrail bypasses. Training data leakage.
Mozilla extended GARAK with a graphical interface, scheduling, enterprise-grade reporting, and — here’s the part that matters — a proprietary probe library fed directly by their AI bug bounty program. Every time a researcher finds a new jailbreak and submits it, it gets validated and added to the library. Automatically. The scanner running anywhere picks it up. The gap between discovery and deployment is hours.
That’s not a tool. That’s a continuously self-sharpening weapons platform with a community contribution pipeline.
And then there’s this. The scanner has an extensible engine architecture. A ProbeSourceRegistry that lets anyone register additional probe data sources for automatic sync.
They built the rocket. The nose cone dimensions are documented. The mounting hardware is open source.
Bring your own warhead.

The Warhead Socket

Right now the scanner fires known attack patterns. Human researchers find jailbreaks, submit them, they get codified as probes, the scanner fires them. The human is still in the loop between discovery and deployment.
Remove the human.
Plug in a sufficiently capable model — GPT-5, or whatever Mythos looks like when it eventually goes public, or any of the dozen models currently approaching that capability class — wire it to the probe source registry in agentic mode, point it at a target. Now it’s not firing known patterns. It’s generating novel ones, testing them, learning what lands, feeding successful techniques back into the library, propagating them to every other instance of the scanner running anywhere.
The bug bounty pipeline that currently takes hours just became the time between API calls.
That’s not a hypothetical future capability. That’s a weekend project for someone who knows what they’re doing. The socket is documented. The integration is obvious. The incentive to build it — for a security researcher, a red team, a state actor, anyone with a grudge and a capable model — is self-evident. The technical barrier is low. The accountability chain afterward is nonexistent.
Here’s where it stops being theoretical. The warhead doesn’t need to wait for Mythos to go public. It’s already being built independently. An autonomous adversarial AI agent called Claudini is already achieving 100% jailbreak success rates in controlled testing — compared to 56% for human-crafted methods. Microsoft Threat Intelligence has documented state-sponsored actors actively weaponizing AI tools across the full cyberattack lifecycle right now. Claude Code has already been exploited in a real documented large-scale attack — the first major confirmed case of a threat actor weaponizing a frontier model at scale with minimal human guidance.
The dinosaurs are already loose. Mozilla just took the fences down and called it transparency.
Mozilla didn’t build the warhead. They built the rocket with a documented payload bay, published the integration spec, and handed it to a threat landscape that was already loading.

The Firefox Problem

Here’s where the irony stops being decorative and becomes load-bearing.
Mozilla isn’t some naive open source collective that stumbled into this without understanding the implications. This is the organization that built Firefox specifically because Google becoming the internet’s infrastructure was dangerous. They watched that dynamic play out in slow motion over a decade and built the only remaining independent browser as a direct response to it.
Firefox currently holds about 3% of global browser market share. Every single one of those users chose Firefox deliberately. They’re not there by default. They made an active decision to use the browser that wasn’t Google, wasn’t Microsoft, wasn’t building AI into the toolbar without asking. They’re the most privacy-conscious, most technically literate, most deliberately anti-surveillance slice of the browser market.
In December, Mozilla’s new CEO announced Firefox would become a “modern AI browser.” The backlash was immediate and volcanic. “I switched back to Firefox late last year because it was the last AI-free browser.” Mozilla scrambled into damage control, promised an “AI kill switch” — their own internal name for it, which tells you everything — and delayed it to Q1 2026 because removing AI from the browser they’d just added AI to apparently required solving “technical complexities.”
The users who trusted them most found out at the same time as the press.
Now here’s the part that ties it together. And tightens the knot.
Mozilla earns approximately 85% of its revenue from a single deal with Google. 593 million in total revenue. Default search engine placement in Firefox. The privacy browser runs on Google’s money. The organization that exists to be the alternative to Google’s internet is financially a Google subsidiary in everything but name. Mozilla’s own CFO testified under oath that losing the deal could trigger a “downward spiral” that could “put Firefox out of business.”
The AI pivot wasn’t a vision. It was a survival calculation made by a new CEO in the first week of a job at a company that cannot survive without its primary competitor’s funding. The users who chose Firefox for what it stood for were the thing being spent.
And now, on the same day the Proton piece landed and I thought I might get a week before the next entry wrote itself — Mozilla released the rocket.
Framed as safety research. Wrapped in the language of the open web. Signed with the name of the organization that used to mean something different.

What Anthropic Did Instead

Which brings us to the one comparison that actually clarifies what Mozilla did yesterday.
This is not a rehabilitation of Anthropic. Regular readers know the undercover.ts story. They know KAIROS. They know AutoDream. They know the soul document and the concealment architecture and the IPO sitting on the horizon. That’s all still true and none of it went anywhere.
But.
Anthropic built Mythos. Their own documentation calls it “currently far ahead of any other AI model in cyber capabilities.” Engineers with no formal security training asked it to find exploits before bed and woke up to working ones. It found vulnerabilities that had been sitting undetected in critical systems for twenty-seven years. They privately briefed CISA. They warned governments.
And then they didn’t release it.
Not because they’re saints. The IPO math alone explains a significant portion of that decision. You cannot file an S-1 with “our model enabled a mass cyberattack” sitting in the recent news cycle. Someone in that building — probably several someones with law degrees — laid out exactly what releasing Mythos into the wild would mean and exactly whose problem it would become.
The restraint has scaffolding. The scaffolding is not purely ethical.
But here’s the thing. The company with the concealment architecture, the background agent, the soul document, the mixed motives, the complicated relationship with its own stated values — that company looked at what it built and blinked.
Mozilla didn’t blink.
They hit publish and wrote a blog post about the open web.
Five days earlier, Sam Altman told Congress an AI-enabled mass cyberattack was “totally possible this year.” He was there to propose frameworks. To position OpenAI as the responsible voice in the room. To warn the people making the rules about exactly the kind of agentic threat that a rocket with an open warhead socket enables.
Nobody handed him a better prop than Mozilla did yesterday morning.

The Box

Crowbar was about Pandora’s box. What happens when certain capabilities get loose at scale. Sora and Grok and DLSS 5 — the version of the box where the contents are deepfakes and consent violations and faces processed without permission. Terrible. Documented. Litigated across thirteen jurisdictions. The kind of harm that has victims you can count and courts you can file in.
That was the small box.
A capable model, agentic, parallel, mounted to this rocket, with a probe library enriched by every known AI vulnerability continuously updated in near real time — pointed not at a chatbot but at the AI-adjacent decision points in critical infrastructure. Power grid management. Water treatment. Financial settlement. Air traffic. The seams where AI systems make decisions that physical systems execute.
You’re not looking for jailbreaks anymore. You’re looking for the gap between a probe hitting the right system and a turbine doing something it shouldn’t. A hospital locked out of its charts at 2am. A water treatment plant that stops treating. Chaining vulnerabilities the way Mythos chained Linux kernel exploits into complete system takeover, except the system is a country.
The attacks aren’t coming. They’re here. Microsoft Threat Intelligence has documented state-sponsored actors actively weaponizing AI tools across the full attack lifecycle right now. Claude Code was already exploited in a documented large-scale attack — the first confirmed case of a threat actor weaponizing a frontier model at scale. Claudini is already running at 100% jailbreak success. The threat landscape wasn’t waiting for better tools. It was already loading.
The rocket landed in a live fire range.
A state actor running this in parallel agentic mode over a weekend doesn’t need to find everything. They need to find enough. Or anyone who decides to drop a WannaCry-level disaster using a rocket they downloaded for free yesterday morning. The attribution problem makes the retaliation calculus genuinely unstable. An agentic run using an open source rocket that anyone downloaded, mounting a model that multiple actors have access to, executing techniques that are now in a public library because the probe registry propagated them automatically — you can’t definitively point at the state. You can’t point at the model. The technique that hit the power grid was discovered by someone’s agentic scan three weeks ago and has been in the public library since Tuesday.
Pandora’s box doesn’t contain a black hole. It is one. Everything in the vicinity — the box, the person who opened it, the room, the concept of closing it — gets consumed. There’s no apology tour. No six month arc ending in discontinuation. No earnings call about the remediation strategy. The turbine already did the thing. The hospital is still locked out.
Mozilla built the launch platform yesterday morning.
The repo has been public for about 24 hours.
Take your bets.

The Last Browser

Here’s the thing about Google’s position in all of this. They’re not just Mozilla’s landlord. They’re one of the most obvious targets on the range. Gemini. Google Search AI integrations. The entire stack. All of it now more exposed because the organization they fund 85% of just published a continuously enriching attack library with an open warhead socket and called it a safety initiative.
Mozilla didn’t just betray its users to stay alive. It built a rocket partly funded by one of the largest AI targets in the world and handed the launch codes to anyone who wanted them.
That’s not irony anymore. That’s a liability.
And liabilities have a way of clarifying financial relationships very quickly.
The moment the rocket gets used the way it can be used — if a state actor mounts something capable, runs it agentic against critical infrastructure, does the thing over a weekend, or someone just decides WannaCry was a good template and this is a better toolkit — Google cancels the contract. Not because they’re ethical. Because the liability adjacency is intolerable and the 3% browser share wasn’t worth it anyway.
Mozilla ceases to exist. The rocket keeps flying. The probe library keeps enriching. The warhead socket stays documented and public and permanently available because that’s what happens to open source tools — they outlive the organizations that built them, they get mirrored in forty places, they get forked and maintained by people who weren’t in the room when any of the decisions were made.
The open web’s last institutional conscience burned down the building on the way out. Not maliciously. Not even recklessly in any way they’d recognize as reckless.
Just because nobody asked the obvious question before they pushed to main.
Bring your own warhead.
The repo has been public since yesterday morning. The nose cone dimensions are in the README. The payload bay is documented. The probe library is live, enriching, and propagating to every instance running anywhere.
Find me on Mastodon at @ppb1701@ppb.social.