The British National Health Service closes the open source code base and AI security threats become a key consideration

The UK’s National Health Service (NHS) is planning to shut down almost all public source code repositories due to concerns about security risks posed by artificial intelligence, according to British technology expert and open source advocate Terence Eden. Eden was responsible for open standards work at the UK Government Digital Service and participated in the release of the source code for the NHS COVID-19 tracking application. He said the news came from multiple independent sources within the NHS who were shocked by the decision.

A senior technical staff member at NHS England says the organization is "changing our strategy on open coding" in light of the emergence of artificial intelligence models such as Anthropic's Mythos. The person added that much of the code base will be removed "until we get this risk under control." Mythos is an artificial intelligence that can autonomously discover and weaponize software vulnerabilities, and the NHS is concerned that making the code public will provide attack blueprints for these new AI hacking tools.

NHS previously issued a guidance document called SDLC-8 on April 29, which clearly stated that "all source code repositories must be made private by default" and pointed out that "public repositories greatly increase the risk of accidental disclosure, especially given the rapid advancement of artificial intelligence models in large-scale code ingestion, inference and analysis." The memo sets a May 11, 2026 deadline for turning public repositories private.

Mythos, an artificial intelligence model extremely effective at offensive cybersecurity, released in April 2026 by Anthropic, was deemed by its creators to be too dangerous for public release. The model found thousands of unknown "zero-day" vulnerabilities in all major operating systems and web browsers, including a 27-year-old flaw in the notoriously secure OpenBSD operating system. Anthropic limited access to a small consortium of tech and financial giants including Apple, Microsoft, Google, Amazon Cloud Services, CrowdStrike and JPMorgan Chase, amid concerns that leaks of the technology could lead to major security breaches.

The NHS is not the only open source project to adopt a "security through hiding" strategy due to AI tools. Well-known open source project Cal.com announced on April 14 that it would no longer keep its core platform open source for exactly the same reason. The scheduling company maintains a "do-it-yourself" version of its open-source platform for enthusiasts, hosted on the cal.diy website.