
UK's National Health Service to Close Open Source Code Repositories Amid AI Security Threats

According to British tech expert and open source advocate Terence Eden, the UK's National Health Service (NHS) is planning to close almost all of its public source code repositories due to concerns about security risks posed by artificial intelligence. Eden, who previously worked on open standards for the UK government's digital service and was involved in the release of the NHS Covid-19 tracing app's source code, says the information comes from multiple independent sources within the NHS who are shocked by the decision.

A senior technician at NHS England stated that the organization is "changing our strategy on open coding" given the emergence of AI models like Mythos from Anthropic. The person added that most code repositories will be removed "until we get a handle on this risk." Mythos is an AI capable of autonomously discovering and weaponizing software vulnerabilities, and the NHS fears that public code will provide attack blueprints for these new AI hacking tools.

The NHS previously issued guidance document SDLC-8 on April 29th, explicitly stating that "all source code repositories must be private by default," and noting that "public repositories significantly increase the risk of accidental disclosure, particularly given the rapid advances in AI models for large-scale code ingestion, reasoning and analysis." The memo set a deadline of May 11, 2026, for transitioning public repositories to private.

Mythos, released by Anthropic in April 2026, is an AI model extremely effective in offensive cybersecurity, considered too dangerous by its creators to be released publicly. The model discovered thousands of previously unknown "zero-day" vulnerabilities in all major operating systems and web browsers, including a 27-year-old vulnerability in the security-focused OpenBSD operating system. Concerned about the security implications of the technology leaking, Anthropic limited access to a consortium of a handful of tech and financial giants including Apple, Microsoft, Google, Amazon Web Services, CrowdStrike, and JPMorgan Chase.

The NHS is not the only organization retreating from open source toward a "security through obscurity" approach because of AI tools. Prominent open source project Cal.com announced on April 14th that it would no longer maintain its core platform as open source for the exact same reasons. The scheduling company has retained a "do-it-yourself" version of its open source platform for enthusiasts, hosted at cal.diy.