
Google’s Threat Intelligence Group Documents First AI-Developed Zero-Day Exploit in the Wild

Dispatch

Google's Threat Intelligence Group (GTIG) published a report on May 12, 2026, documenting what it described as the first confirmed instance of a threat actor using an artificial intelligence model to discover and weaponize a zero-day vulnerability. According to GTIG, one or more cybercrime groups used AI to develop a zero-day exploit that bypasses two-factor authentication (2FA) on an open-source, web-based system administration tool; the exploit was implemented as a Python script. Google declined to name either the threat actor or the targeted platform. The group planned to use the exploit in a mass exploitation event, but Google's proactive discovery of the exploit may have prevented its deployment.

The forensic basis for GTIG's attribution to AI is specific. The Python script carried documentation strings, unusually dense annotation, and a CVSS score for a flaw that had no published score, a hallucination; each is atypical of human-written exploit code and characteristic of large language model output. On that evidence GTIG assessed with high confidence that an AI model facilitated both the discovery and the weaponization of the flaw. Google confirmed that the model was neither its own Gemini nor Anthropic's Mythos. The underlying flaw was not a conventional software defect but a logic error: Google said the developers had hard-coded a trust exception into the authentication flow, giving attackers a path that sidesteps the 2FA check. That is the kind of higher-level logic mistake that current AI models are becoming capable of identifying.
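
The flaw class Google describes, a trust exception hard-coded into the authentication flow, as an added example that is not code from the GTIG report or from the unnamed admin tool: a constructed login routine whose "internal client" header skips the TOTP step entirely, beside a hardened routine in which the only way past the TOTP prompt is a server-issued, HMAC-bound, expiring remembered-device token. The user record, header name, secrets and the `Request`/`Outcome` types are all assumptions for illustration; what the real product's exception looked like is not public.

```python
"""Added example (not GTIG's or the affected tool's code): a login flow with a
hard-coded trust exception that skips 2FA, beside a hardened flow. All names,
headers, secrets and users below are constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

_SALT = b"demo-salt-not-for-production"          # constructed fixture
USERS = {"admin": {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct-horse-battery-staple", _SALT, 50_000),
    "totp_secret": b"\x01" * 20}}                 # constructed TOTP seed
DEVICE_KEY = secrets.token_bytes(32)              # server-side token key (hypothetical)

@dataclass
class Request:                                     # hypothetical HTTP request shape
    user: str
    password: str
    totp_code: Optional[str] = None
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

@dataclass
class Outcome:
    ok: bool
    reason: str

def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else int(now)

def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    return hmac.compare_digest(digest, rec["password_hash"])

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, zero-padded."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret, _now(now) // step)

def verify_totp(user: str, code: Optional[str], now: Optional[int] = None) -> bool:
    if not code:
        return False
    counter = _now(now) // 30
    secret = USERS[user]["totp_secret"]
    # One step of clock skew either way; constant-time compare on bytes.
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
               for d in (-1, 0, 1))

def login_vulnerable(req: Request, now: Optional[int] = None) -> Outcome:
    if not verify_password(req.user, req.password):
        return Outcome(False, "bad credentials")
    # Hard-coded trust exception: a header added so an internal monitoring job
    # could log in without a second factor. Any client can send it, so it is a
    # 2FA bypass for every account whose password is known.
    if req.headers.get("X-Internal-Client") == "monitoring-agent":
        return Outcome(True, "2fa skipped: trusted client header")
    if not verify_totp(req.user, req.totp_code, now):
        return Outcome(False, "bad or missing 2fa code")
    return Outcome(True, "password + totp")

def issue_device_token(user: str, now: Optional[int] = None, ttl: int = 30 * 86400) -> str:
    """Issued only after a full password + TOTP login; user-bound and time-limited."""
    body = f"{user}|{secrets.token_hex(8)}|{_now(now) + ttl}"
    tag = hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def verify_device_token(token: str, user: str, now: Optional[int] = None) -> bool:
    parts = token.split("|")
    if len(parts) != 4 or not parts[2].isdigit():
        return False
    body, tag = "|".join(parts[:3]), parts[3]
    expected = hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return parts[0] == user and int(parts[2]) > _now(now)

def login_hardened(req: Request, now: Optional[int] = None) -> Outcome:
    if not verify_password(req.user, req.password):
        return Outcome(False, "bad credentials")
    # The only way past the TOTP prompt is a token the server itself signed,
    # bound to this user and expiring. Nothing the client merely asserts counts.
    tok = req.cookies.get("remembered_device")
    if tok and verify_device_token(tok, req.user, now):
        return Outcome(True, "password + remembered device")
    if not verify_totp(req.user, req.totp_code, now):
        return Outcome(False, "bad or missing 2fa code")
    return Outcome(True, "password + totp")
```

With a valid password and the `X-Internal-Client: monitoring-agent` header, `login_vulnerable` returns `ok=True` without any TOTP code, which is the whole exploit; `login_hardened` rejects the same request and accepts only a fresh TOTP or a token it issued after one. The point to check in any real authentication flow is whether every branch that ends in an authenticated session passes through the second-factor check or a server-minted credential that proves one already happened.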

The broader threat picture documented in the report extends well beyond the single zero-day incident. APT45, a North Korean state-linked group, was observed sending thousands of prompts to Gemini to analyze known flaws and validate proof-of-concept exploits, most likely to build a more robust arsenal of exploits for known vulnerabilities. A Chinese cyberespionage group tracked as UNC2814 attempted to bypass Gemini's guardrails by directing the model to act as a security expert specializing in embedded devices; UNC2814 has targeted telecommunications and government entities in more than 42 countries since 2017 and has a history of gaining initial access by exploiting vulnerabilities in edge systems and web applications. Attackers were also observed priming AI models with known-vulnerability data drawn from a Claude Code skill plugin that distills information from 85,000 real-world vulnerability cases collected by the Chinese bug bounty platform WooYun between 2010 and 2016.

The policy and regulatory context amplifies the significance of GTIG's findings. The Trump administration, after repealing Biden-era executive order guardrails on AI oversight, has been sending mixed signals on whether the federal government should play a larger role in AI regulation. Anthropic restricted access to its Claude Mythos model earlier this year after tests showed it could identify thousands of previously unknown software flaws. OpenAI announced a specialized cybersecurity version of ChatGPT that would be available only to "defenders responsible for securing critical infrastructure" to help find and patch vulnerabilities. Those voluntary guardrails have no statutory enforcement mechanism under current U.S. law, and GTIG's findings indicate adversaries are already exploiting the gap between controlled-access frontier models and commercially available AI tools capable of replicating comparable offensive functions.

GTIG chief analyst John Hultquist framed the disclosure in direct terms: the idea that an AI vulnerability race is merely imminent is a misconception, it has already begun, and "for every zero-day we can trace back to AI, there are probably many more out there." GTIG had been anticipating AI-developed exploits in the wild since Big Sleep, the vulnerability-hunting AI agent built by Google DeepMind and Google Project Zero, found its first real-world zero-day in late 2024; Big Sleep has since also intercepted a vulnerability that was about to be exploited by threat actors. The parallel development of offensive and defensive AI-enabled vulnerability research compresses the window between flaw discovery and exploitation, putting pressure on vendors to accelerate patch cycles and on government agencies, including the Cybersecurity and Infrastructure Security Agency, to update guidance on authentication architecture for critical systems.

Featured image: Photo by Markus Spiske on Unsplash


References

[1] Google Cloud Blog. (2026, May 12). Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access. https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access

[2] SecurityWeek. (2026, May 12). Google Detects First AI-Generated Zero-Day Exploit. https://www.securityweek.com/google-detects-first-ai-generated-zero-day-exploit/

[3] CyberScoop. (2026, May 11). Google spotted an AI-developed zero-day before attackers could use it. https://cyberscoop.com/google-threat-intelligence-group-ai-developed-zero-day-exploit/

[4] The Hacker News. (2026, May 13). Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation. https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html

[5] CNBC. (2026, May 11). Google says it likely thwarted effort by hacker group to use AI for 'mass exploitation event'. https://www.cnbc.com/2026/05/11/google-thwarts-effort-hacker-group-use-ai-mass-exploitation-event.html

[6] Axios. (2026, May 12). AI-assisted hacking is already here, Google warns. https://www.axios.com/2026/05/12/ai-hacking-found-google-report

[7] CSO Online. (2026, May 11). Google discovers weaponized zero-day exploits created with AI. https://www.csoonline.com/article/4169046/google-discovers-weaponized-zero-day-exploits-created-with-ai.html

[8] The Register. (2026, May 11). Google says criminals used AI-built zero-day in planned mass hack spree. https://www.theregister.com/ai-ml/2026/05/11/google-says-criminals-used-ai-built-zero-day-in-planned-mass-hack-spree/5237982

[9] Google Blog. (2026, May 12). Google Threat Intelligence Group reports on AI threat trends. https://blog.google/innovation-and-ai/infrastructure-and-cloud/google-cloud/google-threat-intelligence-group-report/

[10] Yahoo Tech / PCMag. (2026, May 11). Hackers Used AI to Build a Zero-Day Exploit That Bypasses Two-Factor Authentication: Google. https://tech.yahoo.com/cybersecurity/articles/hackers-used-ai-build-zero-194910792.html

[11] KCBS Radio / AP. (2026, May 12). Google disrupts hackers using AI to exploit an unknown weakness in a company's digital defense. https://www.audacy.com/kcbsradio/news/business/google-ai-cybersecurity-exploitation-mythos-926aea7f7dc5e0e61adce3273c55c6d4
