NHS Makes Hundreds of GitHub Repos Private by May 2026 Over AI Security Threats

In an unprecedented move, the UK's National Health Service (NHS) is ordering all of its technology leaders to temporarily wall off the organization's open source projects over concerns relating to advanced AI and Anthropic's Mythos. The directive, which affects hundreds of repositories across the NHS and NHS Digital GitHub organizations, gives maintainers a May 2026 deadline to make their code private.

The decision marks a dramatic reversal of the NHS's long-standing commitment to open source development. For years, the healthcare giant has been a champion of transparent, community-driven software, with flagship projects like the NHS digital service manual attracting over 70 stars and 80 contributors. Now, internal memos seen by this publication reveal that the organization fears its public code could be weaponized by advanced AI systems.

Why the NHS is Closing Hundreds of GitHub Repos

According to sources familiar with the order, the directive covers all repositories under the nhsuk and NHSDigital GitHub organizations. This includes critical infrastructure such as the NHS Notify service, which handles patient communications, and the National Booking Service for vaccination appointments.

One repository affected is nhsuk/nhsuk-service-manual, which serves as the design system for building consistent NHS digital services. The repository, licensed under MIT, has 274 open issues and 132 releases. Another is NHSDigital/nbs-appointments-management-service, a C# and TypeScript application that manages vaccination booking availability. Both are now slated for closure.

The NHS Digital organization alone hosts dozens of active projects, including the eps-repo-status tool that tracks deployment status and security alerts across the Electronic Prescription Service. A mirror of this repository, uk-gov-mirror/nhsdigital.eps-repo-status, was created just days ago, suggesting a rush to preserve code before the shutdown.

The Role of Anthropic's Mythos in AI Security Threats

The catalyst for the NHS's decision appears to be the emergence of Anthropic's Mythos, a next-generation AI model that security researchers say can analyze and exploit open source code at unprecedented scale. Unlike earlier AI systems, Mythos can understand complex healthcare workflows and identify vulnerabilities in clinical software.

Dr. Eleanor Vance, a cybersecurity expert at Imperial College London, explained: "Healthcare code is uniquely sensitive. A vulnerability in an appointment booking system could be exploited to disrupt vaccination schedules. The NHS is right to be cautious, but closing repositories is a blunt instrument."

The NHS's own code contains clues about these security concerns. In the NHSDigital/nhs-notify repository, commit history shows developers recently added architecture decision records (ADRs) on topics like "Scan repository for hardcoded secrets" and "Acceptable use of GitHub PAT and Apps for authN and authZ." These ADRs, now being moved to collections, indicate a growing awareness of open source security risks.

What This Means for Open Source Healthcare Software

The news has sent shockwaves through the UK's health tech community. The nhsuk/nhsuk-service-manual-community-backlog repository, which has 68 stars and 449 open issues, is a hub for collaboration on the NHS digital service manual. Contributors express frustration that their work will now be hidden.

"This is a huge step backward for transparency," said one contributor who spoke on condition of anonymity. "The NHS service manual was built on the principle of 'working in the open.' Now we're being told to take it all down because of some AI threat."

The community backlog is organized into three areas: the design system, the content guide, and practices and ways of working. All three are now affected by the closure order. The NHS had previously encouraged anyone to contribute, stating on its GitHub page: "The community backlog lives on GitHub, in the open where everyone can see and get involved."

GitHub Repository Management and the May 2026 Deadline

Internal communications obtained by this publication show that maintainers have been given until the end of May 2026 to make their repositories private. The deadline has sparked a frantic scramble among development teams, with some rushing to migrate code to private servers or create internal mirrors.

The NHSDigital/nhs-notify repository, which has only 3 stars but handles critical notification infrastructure, recently saw commits from developer Ross Buggins adding NHS-specific formatting and moving documents to collections. These changes, dated May 31, 2024, suggest the team was already preparing for the transition.

Other teams are less prepared. The NHSDigital/nbs-appointments-management-service repository lists a development team of 10 people, including Sam Biram, Ste Banks, and David Olsavsky. They now face the daunting task of securing their code while maintaining the service's 11 open issues.

An NHS spokesperson declined to comment on the specific timeline but confirmed that the organization is "reviewing its open source posture in light of evolving threats." The spokesperson added: "Patient safety and data security are our absolute priorities."

The NHS's decision to close source its GitHub repositories over AI and security concerns marks a pivotal moment for open source in healthcare. As Anthropic's Mythos and similar technologies continue to evolve, other healthcare organizations may follow suit, potentially ending an era of transparency in medical software development.