
Google identifies first AI-developed zero-day exploit

Google's Threat Intelligence Group confirmed the first known zero-day exploit developed using AI, targeting a 2FA bypass in a popular open-source web administration tool.
Google's GTIG has confirmed the first zero-day exploit developed by AI, targeting 2FA in a web admin tool. A mass exploitation campaign was disrupted before it launched.

Google has confirmed the first known case of a zero-day exploit developed using artificial intelligence. The company's Threat Intelligence Group, GTIG, published its AI Threat Tracker report on May 11, 2026, detailing how a prominent cybercrime group used an AI model to identify and weaponize a security flaw in a popular open-source web administration tool. The vulnerability bypassed two-factor authentication. Google worked with the affected vendor to patch it and believes its intervention may have disrupted the group's planned mass exploitation campaign before it launched.

GTIG stated it has high confidence that an AI model, not a human researcher, wrote the Python exploit script. The code gave it away. It contained an abundance of educational docstrings, a hallucinated CVSS severity score, detailed help menus, and a clean, structured formatting style characteristic of large language model training data. These are not things a human writing an attack tool would include. The target flaw itself was a semantic logic error — a developer had hardcoded a trust assumption into the authentication flow, creating a contradiction with the 2FA enforcement logic that traditional security scanners missed, but that the AI apparently spotted by reading the developer's intent rather than just analyzing the code mechanically. Neither Google's own Gemini models nor Anthropic's Mythos were used by the attackers, according to the report.
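For analysts triaging recovered Python scripts, the traits listed above can be checked mechanically. The following is an added example, not code from GTIG or from the report; the sample script is constructed and inert, and the thresholds are assumptions chosen for illustration.

```python
import ast
import re

# Constructed, inert sample standing in for a recovered script.
SAMPLE = '''
"""Educational overview of the tool.

Severity: CVSS 9.8 (Critical)
"""
import argparse

def build_parser():
    """Create the command-line parser and describe every option."""
    p = argparse.ArgumentParser(description="Demo tool")
    p.add_argument("--host", help="Host name to connect to")
    p.add_argument("--port", help="TCP port of the service")
    return p

def run(args):
    """Run the main routine step by step."""
    return args
'''

# A CVSS label followed closely by a score such as 9.8 or 10.0.
CVSS_RE = re.compile(r"CVSS[^\n]{0,20}?\b(10\.0|\d\.\d)\b", re.I)

def llm_style_traits(source):
    """Report which of the stylistic traits named in the article appear."""
    tree = ast.parse(source)
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = sum(1 for n in defs if ast.get_docstring(n))
    help_kwargs = sum(
        1 for n in ast.walk(tree) if isinstance(n, ast.Call)
        for kw in n.keywords if kw.arg in ("help", "description", "epilog"))
    return {
        # Assumed threshold: at least two definitions, all of them documented.
        "dense_docstrings": len(defs) >= 2 and documented == len(defs),
        # A self-assigned score in the file; verify it against the real advisory.
        "embedded_cvss_score": bool(CVSS_RE.search(source)),
        # Assumed threshold: three or more help/description strings.
        "detailed_help_menu": help_kwargs >= 3,
    }
```

These traits are weak signals on their own; they are useful for ranking samples for human review, not for attribution.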

Why it almost worked, and why it did not

The attackers planned a mass exploitation campaign, targeting the open-source tool at scale with the AI-generated exploit. GTIG's proactive counter-discovery appears to have cut across that plan before it gained traction. Errors in the exploit's implementation also likely interfered. "The awkward bit for everyone else is that this still appears to be the clumsy early phase," The Register noted in its coverage. Mistakes in execution saved a lot of potential victims this time. That may not hold. GTIG chief analyst John Hultquist put it plainly: "There's a misconception that the AI vulnerability race is imminent. The reality is that it's already begun. For every zero-day we can trace back to AI, there are probably many more out there."

The semantic logic flaw at the heart of the exploit points to something more concerning than a one-off incident. Traditional scanners are built to detect sinks, crashes, and memory corruption. They do not read code the way a developer writes it. LLMs do. They can correlate intent with implementation, spot contradictions between design and execution, and surface dormant logic errors that look functionally correct to every automated tool currently in use. GTIG described this as an increasing capability that traditional security tooling is structurally ill-equipped to counter.
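The class of bug described here has no dangerous sink to match on, so one defensive approach is to state the design rule as an invariant and test every login path against it. This is an added, constructed illustration and not the actual flaw, whose details the article does not give; the user store, the trusted-source constant, and both login functions are hypothetical.

```python
from itertools import product

# Constructed toy account store; real code would hash passwords.
USERS = {"alice": {"password": "pw", "otp": "123456", "enrolled": True}}
TRUSTED_SOURCE = "127.0.0.1"  # hypothetical hardcoded trust assumption

def login_flawed(user, password, otp, source):
    """Before: each line looks reasonable, but the trusted-source branch
    contradicts the rule that enrolled users must always pass 2FA."""
    acct = USERS.get(user)
    if acct is None or password != acct["password"]:
        return False
    if source == TRUSTED_SOURCE:  # trust assumption short-circuits 2FA
        return True
    if acct["enrolled"]:
        return otp == acct["otp"]
    return True

def login_fixed(user, password, otp, source):
    """After: the 2FA decision depends only on enrollment."""
    acct = USERS.get(user)
    if acct is None or password != acct["password"]:
        return False
    if acct["enrolled"]:
        return otp == acct["otp"]
    return True

def invariant_violations(login):
    """Enumerate inputs and return every case where a session is granted
    to a 2FA-enrolled user without the correct one-time code."""
    bad = []
    for user, pw, otp, src in product(
            USERS, ["pw", "x"], ["123456", "000000", None],
            [TRUSTED_SOURCE, "203.0.113.7"]):
        acct = USERS[user]
        if login(user, pw, otp, src) and acct["enrolled"] and otp != acct["otp"]:
            bad.append((user, pw, otp, src))
    return bad
```

Running `invariant_violations` in CI against each authentication entry point turns the design intent into a check that fails when a later change reintroduces an exemption.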

The broader picture from the GTIG report

The zero-day case is one part of a larger pattern the report documents. North Korean group APT45 has been sending thousands of repetitive prompts to AI models to recursively analyze vulnerabilities and build an exploit arsenal at a scale that would be impractical to do manually. A China-linked actor identified as UNC2814 used expert-persona jailbreak prompts to push Gemini into researching pre-authentication remote code execution flaws in TP-Link router firmware. Russian groups have been using AI-generated audio spliced into legitimate news footage for influence operations. Separate from these, GTIG documented Android backdoors that use Gemini API calls to autonomously navigate infected devices, and malware families padded with AI-generated code specifically to confuse analysis.

In March 2026, criminal group TeamPCP compromised LiteLLM, a widely used AI gateway library, by embedding a credential stealer through poisoned PyPI packages and malicious pull requests. The stolen AWS keys and GitHub tokens were monetized through ransomware partnerships. The attack targeted the integration layer around AI systems rather than the models themselves, a pattern GTIG says is becoming standard. Frontier models are difficult to compromise directly. The connectors, wrappers, and API layers around them are not.

AI is not only being weaponized by attackers. It is also being used as a lure. Notebookcheck covered how a fake Claude AI website pushed the Beagle Windows backdoor through Google sponsored search results last week, using a trojanized installer to deploy a remote access tool targeting developers searching for Claude Code tools.

Darryl Linington, 2026-05-12 (Update: 2026-05-15)