Is this the end? NHS is apparently shutting down most of its open source repos. Here's why

According to UK-based technologist and open-source advocate Terence Eden, the NHS is working on shutting down nearly all of its public source code repositories over security fears related to AI.

Eden, who used to work for the UK Government on open standards at GDS and helped publish the source code for the NHS COVID-19 app, claimed that this information was leaked to him by multiple, separate sources inside the NHS who are aghast at the decision.

In light of AI models like Anthropic's Mythos, an AI that can autonomously discover and weaponize software vulnerabilities, a senior technical person inside NHS England was quoted as saying the organization is "changing our tack on coding the open". The source added that most repositories will be removed "until we're on top of that risk." The fear is that leaving the code public gives these new AI hacking tools a blueprint for attack.

The NHS had previously distributed a guidance note, SDLC-8, on April 29th stating, "All source code repositories must be private by default... Public repositories materially increase the risk of unintended disclosure... particularly given rapid advancements in AI models capable of large-scale code ingestion, inference, and reasoning". The memo set a deadline of May 11th, 2026, for public repositories to be switched to private.

Announced in April 2026, Anthropic's Mythos is an AI model so effective at offensive cybersecurity that its own creators deemed it too dangerous for public release. It discovered thousands of unknown "zero-day" flaws across every major operating system and web browser, including finding a 27-year-old vulnerability in OpenBSD (an operating system famous for its tight security). Fearing a major security breach if this technology leaked, Anthropic restricted access to a small consortium of tech and finance giants, including Apple, Microsoft, Google, AWS, CrowdStrike, and JPMorgan Chase.

The NHS repositories are not the only open-source projects going the security-by-obscurity route, thanks to AI tools that can scan for exploits at an unprecedented speed and scale. Popular open-source project Cal.com announced on April 14 that it would no longer keep its core platform open source, for the exact same reasons. The scheduling company did leave a "do-it-yourself" version of its platform open source for hobbyists (hosted at cal.diy).
